I have a question regarding the authentification of users through the VPN SSL.
Here is the situation:
Login of the SSL VPN user: AdminLogin
Password of the SSL VPN user: AdminPass
SSL VPN name: AdminSSLVPN
Authentication Profile associated with AdminSSLVPN: AdminAuthProfil
AdminAuthProfil authentication method: Radius server
AdminAuthProfil allow list: DOMAIN\admin (it's a AD group obtained by the user ID agent). AdminLogin is a member of the DOMAIN\admin group.
When the login is submitted to the PAN, i would like to know how the verification of the belonging of AdminLogin to DOMAIN\admin group is done. When a user is usually presented to the AD, the form of the login is the following "DOMAIN\login". As the form of the login is not the same in the AD and when a user log on to the SSL VPN how does it works ?
When AdminLogin connect to the SSL VPN, The PAN will check for the presence of AdminLogin in the group DOMAIN\admin. Or it will fail because the login is not presented like the AD form (DOMAIN\AdminLogin).
Thank you in advance.
if your RADIUS profile has the domain field correctly configured with the domain name then the PA firewall will prepend the DOMAIN\ portion of the login when doing the RADIUS authentication process.
My question was not concerning the stage of the authentification with the RADIUS but the stage after (authorisation).
Let's take the precedent exemple to explain our interrogation.
From our understanding of the PAN when a user wants to connect to the SSL VPN there are several steps:
Regarding that. The authentication profil (AdminAuthProfil) for the SSL VPN is configured like this this:
The question is (still regarding our exemple) :
When user connects to the SSL VPN the login that was submitted was AdminLogin and not DOMAIN\AdminLogin.
So when it's the turn of the authorisation stage. When AdminLogin connect to the SSL VPN, The PAN will check for the presence of AdminLogin in the group DOMAIN\admin regarding the "allow list". Or it will fail because the login is not presented like the AD form (DOMAIN\AdminLogin).
Thank you in advance.
The login will not fail. The system will use the domain string stored with the auth profile to infer the users domain (assuming they have not entered a fully qualified username). This will then map to the groups retrieved from the User Identification Agent and be matched in either the allow list in an auth profile or in security rules based on group.
Message was edited by: mike EDIT: fixed a missing "not" in the comment about fully qualified username.
So if i reformulate your answer.
If in my allow list, I have the following group: NOVIDYS\tech. And in the AD, Bob belongs to NOVIDYS.
When Bob want to connect to the SSL VPN he only submit Bob. Then the PAN append NOVIDYS to Bob ("NOVIDYS\Bob") and check if he belongs to NOVIDYS\tech (wich is in the allow list) regarding the information the Pan-agent gave to the PAN.
But how to verify to which of the groups (from the firewall point of view) belongs the user being logged in?
Is there a CLI command like "show to which group belongs the user" ?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!