Standalone Prisma Access and LDAP Group Mapping

Reply
Highlighted
L1 Bithead

Standalone Prisma Access and LDAP Group Mapping

I'm trying to implement group-based policies in a standalone Prisma Access deployment. The instructions for achieving this are really lacking. Can anyone clarify how to configure group based policy mapping on standalone Prisma Access deployments with no master device?


Accepted Solutions
Highlighted
L3 Networker

Hi Raymond,

 

To configure standalone group mapping, you need to have the following configured under the mobile users' template:

* LDAP server profile

* User-ID > Group-Mapping

 

Please note that in a standalone scenario, you won't be able to pull the group-names on Panorama GUI. Therefore, you will have to type as per the instructions from your comment the DN long format entry in your policy and configuration.

For testing purposes, you can create a security policy, set the policy on the top and deny traffic to a specific IP to a specific group, this is just one example of many ways you can test.

 

Please let us know if you have any further questions.

 

View solution in original post


All Replies
Highlighted
L1 Bithead

Unclear instructions from the KB article:

 

Implement User-ID in Security Policies For a Standalone Prisma Access Deployment In a standalone Prisma Access deployment without a Master Device, you can use group-based policy using long-form DN entries in Panorama. Prisma Access uses the DN entries to evaluate the User-ID-based policies you have configured in Panorama. For example, given a User named Bob Alice who works in IT for Organization Hooli in the United States, a matching security policy may have ou=IT Staff,O=Hooli,C=US if the policy is to be applied to all IT staff, or CN=Bob Alice,ou=IT Staff,O=Hooli,C=US if the policy is only to be applied to Bob Alice.

Highlighted
L3 Networker

Hi Raymond,

 

To configure standalone group mapping, you need to have the following configured under the mobile users' template:

* LDAP server profile

* User-ID > Group-Mapping

 

Please note that in a standalone scenario, you won't be able to pull the group-names on Panorama GUI. Therefore, you will have to type as per the instructions from your comment the DN long format entry in your policy and configuration.

For testing purposes, you can create a security policy, set the policy on the top and deny traffic to a specific IP to a specific group, this is just one example of many ways you can test.

 

Please let us know if you have any further questions.

 

View solution in original post

Highlighted
L1 Bithead

Thanks for the help. Since the groups won't appear in the dropdown menu on the user page, I can simply write the LDAP path in the User tab of a policy? Something like "CN=Mail Room,OU=Groups,OU=Houston,OU=Company,DC=corporate,DC=papergoods,DC=com" ?
Highlighted
L3 Networker

Hi @RaymondMullin, that is correct.

L1 Bithead

Thanks for the clarification. I added the object DN to the user tab on the policy page, but it doesn't seem to be working. I can add "domain\sampleUser" to the same policy and it works fine for that user. User mapping is working okay. I just seem to have a hard time getting the user group mapping to work. I've tried adding the object DN to both the Group Include List and Custom Group List in Device>User Identification>Group Mapping Settings, but I've come up empty every time. I wish there was better documentation on this implementation.
Highlighted
L3 Networker

Hi @RaymondMullin 

 

The user mapping should always work because the userid is learned from the authentication.

Whereas in the case of the group mapping, we need to pull the information from your LDAP server and group-mapping configuration.

Hence, the group-mapping attribute fields need to be aligned to the user authentication profile attributes.

 

Here is an example:

If you are using sAMAccountName on your Authentication Profile, make sure you add the same format on your Group-Mapping configuration.

Screen Shot 2020-03-23 at 7.16.47 PM.png

Screen Shot 2020-03-23 at 7.17.33 PM.png

  • Best practice configuration:

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/map-users-to-groups.html

Highlighted
L1 Bithead

Thanks for all the help. It's working now with the long form.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!