This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

How to verify group-mapping in PRISMA access

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to verify group-mapping in PRISMA access

Go to solution
Chacko42
L4 Transporter

‎03-23-2020 01:52 PM

Hi all,

 

I'm wondering, how to verify, that the group-mapping in Prisma-Access is working correctly.

We configured the Prisma as described in the admin guides, but my group-based security policies are not working as expected.

Authentication via LDAP is working via LDAPS, so I guess the LDAP-connection vor retrieving groups is working.

 

I would like to do a thing like "show user group list" or sth. else, I can do with on-prem firewall.

Also it would be nice to immediately trigger the group-refresh via "debug user-id refresh group-mapping all".

You get my idea, right?

 

Any ideas?

 

Regards

Chacko

Best Regards
Chacko
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
Sai_Tumuluri
L4 Transporter

‎03-24-2020 06:20 AM

@Chacko42 

 

As you said if authentication and traffic policies are working properly it indicates, the group mapping is being retrieved.


The ability to directly run those commands is feature request. Please reach out to SE of the account to help to file the feature request


~ Sai Srivastava Tumuluri ~

View solution in original post

0 Likes Likes
4 REPLIES 4

Go to solution
SuperMario
L3 Networker

‎03-23-2020 07:32 PM - edited ‎03-24-2020 09:00 AM

Hi Chacko,

 

Unfortunately, you will have to open a TAC case to troubleshoot this. As you mentioned, you need to run some CLI commands to verify and troubleshoot the configuration.

 

However, here is my suggestion, from my experience, most of the time the issue is due to a format mismatch on the authentication policy vs the group mapping format.

Here is an example:

If you are using sAMAccountName on your Authentication Profile, make sure you add the same format on your Group-Mapping configuration.

Screen Shot 2020-03-23 at 7.16.47 PM.png

Screen Shot 2020-03-23 at 7.17.33 PM.png

 

Also, in a standalone Prisma Access deployment without a Master Device, you can use a group-based policy using long-form DN entries in Panorama. Prisma Access uses the DN entries to evaluate the User-ID-based policies you have configured in Panorama.
For example, given a User named Bob Alice who works in IT for Organization Hooli in the United States, a matching security policy may have ou=IT Staff,O=Hooli,C=US if the policy is to be applied to all IT staff, or CN=Bob Alice,ou=IT Staff,O=Hooli,C=US if the policy is only to be applied to Bob Alice.

Detailed instructions:

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-b...

 

  • Instructions for the configuration specific to Prisma Access:

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-b...

  • Best practice configuration:

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/map-users-to-groups.html

  • Multiple Username formats configuration:

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/user-id-features/support-for-multip...

 

I hope this helps.

 

0 Likes Likes

Go to solution
Sai_Tumuluri
L4 Transporter

‎03-24-2020 06:20 AM

@Chacko42 

 

As you said if authentication and traffic policies are working properly it indicates, the group mapping is being retrieved.


The ability to directly run those commands is feature request. Please reach out to SE of the account to help to file the feature request


~ Sai Srivastava Tumuluri ~
0 Likes Likes

Go to solution
Chacko42
L4 Transporter
In response to Sai_Tumuluri

‎03-31-2020 11:34 AM

Hi @Sai_Tumuluri: Thanks, we asked TAC to run show user group name <x> and found out, that the primary user attribute was set to "uid" - I guess that was default behavior in the early days.

A freshly installed Prisma today, got the default sAMAccountName and the audit-logs from the faulty environment found no manual configuration made on this value - however, Feature reqest is sent to local PAN SE and with correct attributes, everything is matching as expected

Best Regards
Chacko
0 Likes Likes

Go to solution
Sai_Tumuluri
L4 Transporter
In response to Chacko42

‎03-31-2020 11:49 AM

Thank you for sharing update. Yes, TAC can help with them.

 

From my knowledge "sAMAccountName" was the default. 

 

if the domain name is not populating, netbios communication might be failing. Verify with TAC help the domain is populating for users, it is imp

https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/user-identification/device-us...


~ Sai Srivastava Tumuluri ~
0 Likes Likes
  • 1 accepted solution
  • 12828 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks