In my company we use two PA500 in an active/passive configuration. We've got AD with multiple child domains. In GlobalProtect Gateway and Portal we use RADIUS for authentication.

When we type the username in the GlobalProtect Agent in the format domain\username, the Palo Alto firewall doesn't see that user as a domain user. The domain prefix is stripped, so the user is not allowed to browse the internet; only authenticated users are allowed to access the internet. When we use the format username@domain (NetBIOS domain name), everything is fine. The user is seen as a domain user and can browse the internet.

The same thing happens when we try to use SSO. The user logs on to the computer as domain\username. The domain prefix is stripped and the user is not recognized as a domain user. We can't force users to change the way they log on to their computers, and it would be much easier if it worked with SSO. Has anyone had this kind of problem?

P.S. In the RADIUS server settings there is no domain typed in because of the child domains. In the GP portal client settings, for user group we didn't enter any groups; the default is any.