- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
11-23-2022 07:38 AM
Hi,
we currently have global protect integrated with Azure MFA using SAML and it works flawless.
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/palo-alto-networks-globalprotect-...
Now, we would like to offer a different IP Pool depending on the user account. when I check in the MONITOR for connections using that VPN gateway, I see the different corporate email addresses in the SOURCE USER column. this email address is the one used to make the authentication via Azure MFA.
At this point, my approach was to create a new Agent-->client setting in the gateway portal . In the 'Config Selection Criteria' I included my corporate email addreass as SOURCE USER. No errors were shown so I clicked OK and commit. I also included a different IP pool range to filter conenctions later on with dedicated policies.
Surprisingly, afte the change was applied and I reconnect, I still get an IP address from the old IP pool, the one with 'any' on its client settings. it seems like my user name did not match for some reason. (see attachement)
we have a PA-850 running version 10.1.3
thanks
11-23-2022 07:52 AM
According to the official documentation the source user in the client setting tab must be configured via User Identification.
In our case we only have the internal Active Directory and checking its settings I saw an option that called my attention, Alternate Username 1.
I wonder if I put "mail" in that field, it might be used in the filtering as a username. (see attachment)
Does anyone used that before for a similar purpose?
thanks
03-27-2023 01:30 PM
Hi @JoseCortijo - did you ever figure this out? I am having a similar issue. I am using SAML and I have an "any" user config which works fine. But I am trying to add a more restrictive config above that one, which contains specific users or groups, and cannot get it to work. All users keep matching the "any" rule.
05-16-2023 01:50 PM
We don't need user-id enabled for this.
E.g
username@domain.com, then use domain.com\username as the source user.
Hope this helps.
05-19-2023 09:46 AM - edited 05-19-2023 09:47 AM
Hi @pkumar2 ,
I afraid that that simple solution does not work. That was my first attempt indeed.
Following your advice I checked the Globalprotect authentication logs and I saw username@domain.com as source user.
I added domain\useraccount and even the email address but there is still no match with the rule.
I am getting the client settings with the "any" as a filter.
A technician from a local partner told me that I might have an issue with the group mapping settings. The email should be mapped with the LDAP information stored in PA. I checked that as well but I did not see anything wrong.
05-19-2023 10:24 AM
@JoseCortijo - I got my issue resolved with the help of PAN support, figured I'd share it here in case it helps you. For my two LDAP server profiles, instead of using LDAP/636 to each of my AD domains (root and child), I switched to GlobalCatalog/3269 to the root domain as well as LDAP/636 to the root domain. I then changed User ID group mapping to use the GlobalCatalog server profile, so that it could read all domains, and blanked the User Domain field in the group mapping config. Next, I added the relevant AD groups to the Group Mapping Group Include list and also to the SAML Authentication Profile Allow List under Advanced. Now in my Agent Client Settings, I add the relevant groups to the Source User list.
Here is the doc that helped me, as it recommends using Global Catalog if you have Universal AD Groups, and also mentions that the User Domain field can usually be left blank in the Group Mapping config: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-users-to-groups
HTH!
06-20-2023 04:57 AM
Hi @tamerfahmy
thanks a lot for your reply and the link. Not sure if my issue was the same as yours. The AD groups got already populated and I could select the target AD group in the Agent Client Settings, my issue was that it didn't seem to match the condition so the different settings based on AD membership never applied.
I followed your instructions and I created an additional LDAP server profile for the global catalog and then, a new group mapping configuration using that new ldap server profile. Not sure if I should keep both group mappings enabled or not.
the result keeps the same, I can select the ad group in the Agent Client settings but it is never taken into account.
I attach some screenshots, maybe you could see where could be my issue.
thanks once again for your reply.
10-23-2023 11:49 AM
Hi @JoseCortijo,
Yes, I have both group mappings enabled.
Did you add the relevant AD groups to the Group Include list in the global catalog Group Mapping?
Also, in the SAML Authentication Profile > Advanced > Allow List, you can try adding the groups explicitly instead of using "all".
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!