Hi Chacko,

Unfortunately, you will have to open a TAC case to troubleshoot this. As you mentioned, you need to run some CLI commands to verify and troubleshoot the configuration.

However, here is my suggestion: from my experience, most of the time the issue is due to a format mismatch on the authentication policy vs the group mapping format. Here is an example: if you are using sAMAccountName on your Authentication Profile, make sure you add the same format on your Group-Mapping configuration.

Also, in a standalone Prisma Access deployment without a Master Device, you can use a group-based policy using long-form DN entries in Panorama. Prisma Access uses the DN entries to evaluate the User-ID-based policies you have configured in Panorama. For example, given a User named Bob Alice who works in IT for Organization Hooli in the United States, a matching security policy may have ou=IT Staff,O=Hooli,C=US if the policy is to be applied to all IT staff, or CN=Bob Alice,ou=IT Staff,O=Hooli,C=US if the policy is only to be applied to Bob Alice.

Detailed instructions: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/retrieve-user-id-information.html#id823f5b30-2c1d-4c87-9ae6-a06573455af7_id8663ef7a-f62f-44ab-9ae8-113239a11b89

Instructions for the configuration specific to Prisma Access: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access

Best practice configuration: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/map-users-to-groups.html

Multiple Username formats configuration: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/user-id-features/support-for-multiple-username-formats.html

I hope this helps.
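Added example, not part of the original reply and not Palo Alto Networks code: a small offline check for the two conditions the reply describes, a username-format mismatch between what the authentication side produces and what group mapping holds, and whether a user's DN falls under a long-form DN used in a policy. The function names and the account names (bob.alice, hooli\bob.alice) are constructed for illustration; the DNs are the ones from the reply, and the suffix comparison is an assumption about how a DN scope relates to a user DN, not a description of Prisma Access internals.

```python
import re

def username_format(name):
    """Classify a username by its syntactic form."""
    if re.match(r"^(cn|uid|ou)=", name, re.I) and "," in name:
        return "dn"
    if "\\" in name:
        return "domain\\user"
    if "@" in name:
        return "upn"
    return "samaccountname"

def format_mismatch(auth_username, mapped_usernames):
    """True when no group-mapping entry uses the format the auth side produced."""
    seen = {username_format(u) for u in mapped_usernames}
    return username_format(auth_username) not in seen

def split_dn(dn):
    """Split a DN into lower-cased (attribute, value) pairs.
    Commas escaped with a backslash stay inside the value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def dn_in_scope(policy_dn, user_dn):
    """True when policy_dn equals user_dn or is one of its ancestors."""
    policy, user = split_dn(policy_dn), split_dn(user_dn)
    return len(policy) <= len(user) and user[len(user) - len(policy):] == policy

if __name__ == "__main__":
    # Constructed sample data: the auth profile yields a bare sAMAccountName,
    # while group mapping only holds the domain\user form.
    auth_user = "bob.alice"
    mapped = ["hooli\\bob.alice", "hooli\\carol.smith"]
    print("format mismatch:", format_mismatch(auth_user, mapped))

    bob = "CN=Bob Alice,ou=IT Staff,O=Hooli,C=US"
    for policy in ("ou=IT Staff,O=Hooli,C=US", bob, "ou=Sales,O=Hooli,C=US"):
        print(policy, "->", dn_in_scope(policy, bob))
```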