How do authentication username modifiers affect the username sent to the authenticating server and the authorization of users?
Symptom
This article explains how the Username Modifier field in an authentication profile changes the username format sent to the authenticating server, and how the resulting username is then authorized against the users or user groups listed in the profile's Allow List.
Environment
- PAN-OS firewall
- Authentication profile (LDAP, RADIUS, TACACS+, Kerberos)
Cause
- Authentication failures are frequently caused by the username being sent to the authenticating server in a format it does not expect (for example, a bare sAMAccountName where the server expects user@domain).
- Within an authentication profile (Device > Authentication Profile), the user's input can be modified before the authentication request is sent to the server (LDAP, RADIUS, TACACS+, Kerberos).
- SAML is the one authentication type for which username modifiers are not supported.
Resolution
To modify the user input on the firewall, select one of the three options in the drop-down menu of the Username Modifier field:
- %USERINPUT% (the default): send the username exactly as the user entered it
- %USERINPUT%@%USERDOMAIN%: append the profile's User Domain value in UPN form
- %USERDOMAIN%\%USERINPUT%: prepend the profile's User Domain value in NetBIOS form
Apart from these options, you can manually type in a further value, None, which is not offered in the drop-down menu. This is useful when the User Domain field must be populated so that an authentication sequence can match on the domain, but the domain should be stripped before the request is sent to the authenticating server.
Authorization is configured in the authentication profile's Allow List under the Advanced tab: only the listed users, or members of the listed groups, may authenticate through this profile. Authorization can also be defined in any other object that has an Allow List. The username format the authenticating server expects is not always the format the Allow List needs for authorization, so the two should be tested together.
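The following Python script is an added example, not PAN-OS code, that models the pipeline described above: the token substitution performed by the Username Modifier (including the typed-in value None), the value looked up in the LDAP Login Attribute, the name recorded in the User-IP mapping, and an Allow List comparison across the three spellings user1, domain\user1 and user1@domain. The function names, the rule that sAMAccountName is matched on the bare user while userPrincipalName is matched on user@domain, and the rule that an Allow List entry without a domain matches any domain are assumptions drawn from the results table in this article, not documented firewall internals.

```python
"""Simplified model of how an authentication profile rewrites a login name
and then authorizes it (added example; not PAN-OS code)."""
from typing import List, Optional, Tuple

USERINPUT = "%USERINPUT%"
USERDOMAIN = "%USERDOMAIN%"


def split_identity(name: str) -> Tuple[Optional[str], str]:
    """Split 'user', 'domain\\user' or 'user@domain' into (domain, user).

    The domain is lower-cased because DNS and NetBIOS names are
    case-insensitive; a bare username yields domain None.
    """
    if "\\" in name:
        domain, user = name.split("\\", 1)
        return domain.lower(), user
    if "@" in name:
        user, domain = name.rsplit("@", 1)
        return domain.lower(), user
    return None, name


def expand_modifier(user_input: str, user_domain: str, modifier: str) -> str:
    """Apply the Username Modifier to what the user typed.

    The three drop-down values are plain token substitution. The typed-in
    value 'None' is modelled as 'send only the user part', the
    domain-stripping use the article describes for it (assumption).
    """
    if modifier == "None":
        return split_identity(user_input)[1]
    return modifier.replace(USERINPUT, user_input).replace(USERDOMAIN, user_domain)


def ldap_search_value(modified_name: str, login_attribute: str) -> str:
    """Value matched against the LDAP Login Attribute.

    Assumption taken from the article's table: sAMAccountName is matched on
    the bare user part, userPrincipalName on the user@domain form.
    """
    domain, user = split_identity(modified_name)
    if login_attribute == "userPrincipalName" and domain:
        return f"{user}@{domain}"
    return user


def user_ip_mapping_name(user_input: str, user_domain: str) -> str:
    """Name recorded in the User-IP mapping: domain\\user when a domain is known.

    The domain comes from the login name itself if present, otherwise from
    the profile's User Domain field; with neither, the bare user is mapped.
    """
    domain, user = split_identity(user_input)
    domain = domain or (user_domain.lower() or None)
    return f"{domain}\\{user}" if domain else user


def allow_list_permits(mapping_name: str, allow_list: List[str]) -> bool:
    """Allow List check (assumed rule): an entry without a domain matches any
    domain, an entry with a domain must match it; comparisons are
    case-insensitive, as Active Directory treats names."""
    m_domain, m_user = split_identity(mapping_name)
    for entry in allow_list:
        e_domain, e_user = split_identity(entry)
        if e_user.lower() != m_user.lower():
            continue
        if e_domain is None or e_domain == m_domain:
            return True
    return False


def authorize(user_input: str, user_domain: str, modifier: str,
              login_attribute: str, allow_list: List[str]) -> dict:
    """Run one login through every stage and report the intermediate values."""
    modified = expand_modifier(user_input, user_domain, modifier)
    mapping = user_ip_mapping_name(user_input, user_domain)
    return {
        "sent": ldap_search_value(modified, login_attribute),
        "user_ip_mapping": mapping,
        "allowed": allow_list_permits(mapping, allow_list),
    }


if __name__ == "__main__":
    # Constructed inputs that mirror the article's test cases.
    cases = [
        ("user1", "planotac.local", USERINPUT, "sAMAccountName"),
        ("user1@planotac.local", "", USERINPUT, "userPrincipalName"),
        ("planotac.local\\user1", "", "None", "sAMAccountName"),
        ("user1", "planotac.local", f"{USERINPUT}@{USERDOMAIN}", "userPrincipalName"),
    ]
    for user_input, user_domain, modifier, attr in cases:
        print(user_input, user_domain or "<blank>", modifier, attr,
              authorize(user_input, user_domain, modifier, attr, ["user1"]))
```

The point the model makes visible is that the name sent to the server, the name written into the User-IP mapping and the name the Allow List compares against are three different strings derived from the same input, so an Allow List entry written in the server's format can fail to match the mapping format.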
The following table lists the combinations that authenticated successfully in tests with LDAP authentication. In the original table the rows were grouped under the Username Modifier value used for each group; that grouping was not preserved in this copy, so only the per-row columns are shown. Login Attribute and Domain are both settings of the authentication profile; <blank> means the User Domain field was left empty.

User Input | Login Attribute | User Domain | Username Format Sent to Authenticating Server | Allow List Entry That Matches | User-IP Mapping
--- | --- | --- | --- | --- | ---
user1 | sAMAccountName | planotac.local | user1 | user1 or planotac.local\user1 | planotac.local\user1
user1@planotac.local | userPrincipalName | planotac.local | user1@planotac.local | planotac.local\user1 or user1@planotac.local | planotac.local\user1
user1 | sAMAccountName | <blank> | user1 | user1 | user1
user1@planotac.local | userPrincipalName | <blank> | user1@planotac.local | planotac.local\user1 or user1@planotac.local | planotac.local\user1
user1 | sAMAccountName | <blank> | user1 | user1 | user1
planotac.local\user1 | sAMAccountName | <blank> | user1 | user1 or planotac.local\user1 | planotac.local\user1
user1@planotac.local | userPrincipalName | planotac.local | user1@planotac.local | planotac.local\user1 or user1@planotac.local | planotac.local\user1
user1 | sAMAccountName | <blank> | user1 | user1 | user1
planotac.local\user1 | sAMAccountName | <blank> | user1 | user1 or planotac.local\user1 or user1@planotac.local | planotac.local\user1
user1 | sAMAccountName | planotac.local | user1 | user1 or planotac.local\user1 | planotac.local\user1
planotac.local\user1 | sAMAccountName | planotac.local | user1 | user1 or planotac.local\user1 or user1@planotac.local | planotac.local\user1
user1@planotac.local | userPrincipalName | planotac.local | user1@planotac.local | planotac.local\user1 or user1@planotac.local | planotac.local\user1
user1 | sAMAccountName | <blank> | user1 | user1 | user1
planotac.local\user1 | sAMAccountName | <blank> | user1 | user1 or planotac.local\user1 or user1@planotac.local | planotac.local\user1
user1@planotac.local | userPrincipalName | <blank> | user1@planotac.local | planotac.local\user1 or user1@planotac.local | planotac.local\user1
Additional Information
Note: Populating the User Domain field in the authentication profile changes the User-IP mapping. As the table shows, the mapping is recorded as domain\user (planotac.local\user1) whenever a domain is known, either from the User Domain field or from the user's input, and as the bare username only when neither supplies one. Allow List entries and group mappings must therefore match the domain-qualified form. To confirm which username the firewall actually sends and how the result is authorized, run test authentication authentication-profile <profile-name> username <username> password from the CLI and, if needed, watch the authentication daemon log with tail follow yes mp-log authd.log.