User to group mapping for xml-api user who provided no domain string

L1 Bithead



I need to map users to an LDAP group. For desktops there is no problem, the mappings go well. But if some user connects via smartphone and didn't provide DOMAIN\ then a problem occurs. Is there any way to achieve this goal?

Typing DOMAIN\ on a mobile keyboard is difficult.

Users are authenticated through 802.1x on an external NAC and the user-id is passed via XML-API.

best regards,



L7 Applicator



Did you make sure to add the domain name to the user domain attribute in the LDAP profile/GroupMappingProfile?



Tom Piens -
Like my answer? check out my book!
L1 Bithead


As far as I know, this setting is to replace the LDAP response. If a client logs on to the network with the username only [john.smith instead of DOMAIN\john.smith] then Palo Alto cannot compare it to the LDAP response domain\username. It doesn't matter if I compare it to the original LDAP response or to the LDAP response with the replaced domain prefix, it still doesn't solve the problem.


L3 Networker

I see two options:

a) add domain to user name when sending entry via API,

b) gather User-ID through Syslog Sender, you can define the Default Domain Name of those mappings.

It will be possible if there is only one domain for users.


Hope it helps :-)
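Option (a) sketched as an added example, not code from any poster in this thread: the script that feeds the XML-API qualifies bare usernames before building the User-ID login message. `DEFAULT_DOMAIN`, the function names and the sample sessions are assumptions for illustration, and, as noted above, this only works when all users belong to one domain.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumption: placeholder for the single NetBIOS domain all users belong to.
DEFAULT_DOMAIN = "EXAMPLE"


def qualify(username, default_domain=DEFAULT_DOMAIN):
    """Return DOMAIN\\user for a bare username; keep qualified names as sent."""
    name = username.strip()
    if not name:
        raise ValueError("empty username")
    if "\\" in name:
        domain, _, user = name.partition("\\")
        if not domain or not user:
            raise ValueError(f"malformed username: {username!r}")
        return name
    if "@" in name:
        # UPN form (user@domain) already carries a domain; pass it through.
        return name
    return f"{default_domain}\\{name}"


def build_login_message(sessions, timeout_min=60):
    """Build a User-ID <uid-message> login update from (username, ip) pairs."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for username, ip in sessions:
        # Reject anything that is not a valid IP before it reaches the firewall.
        addr = str(ipaddress.ip_address(ip))
        ET.SubElement(login, "entry", name=qualify(username),
                      ip=addr, timeout=str(timeout_min))
    return ET.tostring(root, encoding="unicode")


# Constructed sample: sessions as a NAC might report them after 802.1X.
SAMPLE_SESSIONS = [
    ("john.smith", "10.1.20.15"),         # typed on a phone, no domain
    ("EXAMPLE\\jane.doe", "10.1.20.16"),  # desktop login, already qualified
]

if __name__ == "__main__":
    print(build_login_message(SAMPLE_SESSIONS))
```

The resulting XML is what gets submitted as the `cmd` of a `type=user-id` API request; both sample entries then carry the same `EXAMPLE\` prefix that the group mapping returns.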


