User does not Match Correct Policy but is Listed in Group Mapping from AD

43955
Created On 09/26/18 13:47 PM - Last Modified 04/20/20 22:37 PM


Issue

User, betest1$, is a part of group "cn=domain controllers,cn=users,dc=pantac2003,dc=com". A security policy applying the group name is configured correctly on the Palo Alto Networks firewall. However, when the betest1$ user accesses anything through the firewall, the intended rule (with the group name applied) is not matched. It appears that the betest1$ user is not a member of the group listed in the policy.

Details

The screenshot below shows the security policy with the example group applied:

[Screenshot 1.png: security policy with the example group applied]

The user, betest1$, has been verified as a member of the group:

> show user group name "cn=domain controllers,cn=users,dc=pantac2003,dc=com"
source type: service
source:      pantac2003
[1    ] pantac2003.com\betest1$
[2    ] pantac2003.com\w2k3ad$

From the traffic logs, the user is identified as "pantac2003\betest1$".

[Screenshot 2.png: traffic log entry showing the user as pantac2003\betest1$]

From the information gathered above, the issue is caused by a mismatch between the username from the group mapping (pantac2003.com\betest1$) and the username identified in the traffic logs (pantac2003\betest1$).

Resolution

The user is identified as pantac2003\betest1$ in the traffic logs because the User-ID agent prefixes the NetBIOS domain name. In the group mapping, the username pantac2003.com\betest1$ carries an additional ".com" (the DNS domain name), so the two strings do not match and the policy is not applied.

Check the LDAP server profile settings for an entry in the Domain field:

[Screenshot 3.png: LDAP server profile showing the Domain field]

Delete the domain name entirely and leave it blank, or trim the .com and leave "pantac2003".

[Screenshot 4.png: LDAP server profile with the Domain field corrected]

After committing the changes, the user should be identified correctly as a part of the intended group that is specified in the policy.
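The following is an added illustration, not Palo Alto Networks code: it parses a constructed copy of the "show user group name" output above, compares the membership strings against the user string from the traffic log the way a plain string match would, and shows that the match fails with the ".com" suffix and succeeds once the Domain field is trimmed to the NetBIOS name (or left blank so the NetBIOS name is used). The function and variable names are assumptions for the example.

```python
# Added example (not Palo Alto Networks code). Simulates why a policy that
# references an AD group misses "pantac2003\betest1$" when the group mapping
# lists "pantac2003.com\betest1$", and how trimming the LDAP profile's Domain
# field fixes it. Membership comparison is modelled as a case-insensitive
# string match with no DNS-to-NetBIOS translation (an assumption of this model).
import re

# Constructed output modelled on the CLI listing in the article.
GROUP_MAPPING_OUTPUT = """\
source type: service
source:      pantac2003
[1    ] pantac2003.com\\betest1$
[2    ] pantac2003.com\\w2k3ad$
"""

NETBIOS_DOMAIN = "pantac2003"          # what the User-ID agent prefixes
LOGGED_USER = "pantac2003\\betest1$"   # user string seen in the traffic log


def parse_group_members(cli_output: str) -> list[str]:
    """Extract the 'domain\\user' entries from show user group name output."""
    return re.findall(r"^\[\s*\d+\s*\]\s+(\S+)$", cli_output, flags=re.M)


def policy_matches(group_members: list[str], traffic_user: str) -> bool:
    """True if the logged user string equals a membership string (ignoring case)."""
    return traffic_user.lower() in {m.lower() for m in group_members}


def remap_members(members: list[str], domain_field: str) -> list[str]:
    """Rebuild membership as it looks after changing the LDAP profile's Domain
    field. A blank field falls back to the NetBIOS domain name; only the prefix
    before the backslash changes (assumption of this model)."""
    prefix = domain_field or NETBIOS_DOMAIN
    return [f"{prefix}\\{m.split(chr(92), 1)[1]}" for m in members]


before = parse_group_members(GROUP_MAPPING_OUTPUT)   # Domain = "pantac2003.com"
after = remap_members(before, "pantac2003")          # Domain trimmed to NetBIOS

if __name__ == "__main__":
    print("before fix:", policy_matches(before, LOGGED_USER))   # False
    print("after fix: ", policy_matches(after, LOGGED_USER))    # True
```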

See Also

What Should be Configured as Domain in an LDAP Profile?

owner: pvemuri



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClokCAC