How authentication username modifiers affect the usernames sent to an authenticating server and authorize users?

46647
Created On 03/06/19 17:54 PM - Last Modified 10/28/22 21:13 PM


Symptom


This article describes how the Username Modifier field in an authentication profile changes the username format that the firewall sends to the authenticating server, and how the resulting user is then authorized against the users or user groups added to the Allow List of the same authentication profile.



Environment


  • PAN-OS firewall
  • Authentication profile (LDAP, RADIUS, TACACS+, Kerberos)


Cause


  • Authentication failures are frequently caused by the firewall sending the username to the authenticating server in a format the server does not accept
  • Within an authentication profile (Device > Authentication Profile), the user input can be modified (if needed) before the authentication request is sent to the server (LDAP, RADIUS, TACACS+, Kerberos)
  • Username modifiers are supported for all of these server types except SAML


Resolution


To modify the user input on the firewall, there are three options to select from the drop-down menu in the Username Modifier field:

  1. %USERINPUT%
  2. %USERDOMAIN%\%USERINPUT%
  3. %USERINPUT%@%USERDOMAIN%

Apart from these options, you can manually type None, which is not offered in the drop-down menu of the Username Modifier field. This is useful when the User Domain field must be populated for authentication sequence matching but the domain has to be stripped before the request is sent to the authenticating server.

Authorization is configured in the authentication profile's Allow List under the Advanced tab: only the users listed there, or members of the listed groups, may authenticate through this profile. Authorization can also be defined in any other object that has an Allow List. The username format required by the authenticating server can differ from the format required for authorization, so a login can authenticate successfully and still be denied because no Allow List entry matches the form the firewall derives for it. The CLI command test authentication authentication-profile <profile-name> username <user> password exercises a profile end to end and shows both the username sent to the server and the allow-list result, so use it after changing the modifier or the User Domain field.


The following table lists the combinations that authenticated successfully in tests performed against LDAP. Login Attribute and User Domain are the settings of the authentication profile; <blank> means the User Domain field was left empty.

Username Modifier | User Input | Login Attribute | User Domain | Username sent to authenticating server | Allow List entries that match | User-IP mapping
--- | --- | --- | --- | --- | --- | ---
%USERINPUT% | user1 | sAMAccountName | planotac.local | user1 | user1 or planotac.local\user1 | planotac.local\user1
%USERINPUT% | user1@planotac.local | userPrincipalName | planotac.local | user1@planotac.local | planotac.local\user1 or user1@planotac.local | planotac.local\user1
%USERINPUT% | user1 | sAMAccountName | <blank> | user1 | user1 | user1
%USERINPUT% | user1@planotac.local | userPrincipalName | <blank> | user1@planotac.local | planotac.local\user1 or user1@planotac.local | planotac.local\user1
%USERDOMAIN%\%USERINPUT% | user1 | sAMAccountName | <blank> | user1 | user1 | user1
%USERDOMAIN%\%USERINPUT% | planotac.local\user1 | sAMAccountName | <blank> | user1 | user1 or planotac.local\user1 | planotac.local\user1
%USERINPUT%@%USERDOMAIN% | user1@planotac.local | userPrincipalName | planotac.local | user1@planotac.local | planotac.local\user1 or user1@planotac.local | planotac.local\user1
%USERINPUT%@%USERDOMAIN% | user1 | sAMAccountName | <blank> | user1 | user1 | user1
%USERINPUT%@%USERDOMAIN% | planotac.local\user1 | sAMAccountName | <blank> | user1 | user1, planotac.local\user1 or user1@planotac.local | planotac.local\user1
None | user1 | sAMAccountName | planotac.local | user1 | user1 or planotac.local\user1 | planotac.local\user1
None | planotac.local\user1 | sAMAccountName | planotac.local | user1 | user1, planotac.local\user1 or user1@planotac.local | planotac.local\user1
None | user1@planotac.local | userPrincipalName | planotac.local | user1@planotac.local | planotac.local\user1 or user1@planotac.local | planotac.local\user1
None | user1 | sAMAccountName | <blank> | user1 | user1 | user1
None | planotac.local\user1 | sAMAccountName | <blank> | user1 | user1, planotac.local\user1 or user1@planotac.local | planotac.local\user1
None | user1@planotac.local | userPrincipalName | <blank> | user1@planotac.local | planotac.local\user1 or user1@planotac.local | planotac.local\user1
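The rules the table records, written out as a small Python model so the effect of a modifier and User Domain combination can be predicted before touching the firewall. This is an added illustration, not PAN-OS code and not part of the article; the function names are my own, and the domain planotac.local and user user1 are the article's test values. Two points go beyond the table and are assumptions: %USERDOMAIN%\%USERINPUT% with a populated User Domain (not tested in the article) is modelled as domain\user, following the modifier's name; and the Allow List rule adds user@domain whenever the user typed a domain, which reproduces every row except the %USERDOMAIN%\%USERINPUT% row for planotac.local\user1, where the article lists only the bare and domain\user forms.

```python
"""Model of the Username Modifier behaviour recorded in the table above.

Constructed illustration, not PAN-OS code: the rules are inferred from the
article's LDAP test rows. Assumptions not covered by the table:
  * %USERDOMAIN%\\%USERINPUT% with a populated User Domain yields domain\\user;
  * the Allow List rule adds user@domain whenever the user typed a domain
    (the article's %USERDOMAIN%\\%USERINPUT% row for planotac.local\\user1
    lists only the bare and domain\\user forms).
"""
from dataclasses import dataclass
from typing import Optional

MOD_USERINPUT = "%USERINPUT%"
MOD_DOMAIN_BACKSLASH = "%USERDOMAIN%\\%USERINPUT%"
MOD_USERINPUT_AT = "%USERINPUT%@%USERDOMAIN%"
MOD_NONE = "None"  # typed by hand, not offered in the drop-down


@dataclass(frozen=True)
class ParsedInput:
    user: str
    domain: Optional[str]  # domain the user typed, if any
    form: str              # "bare", "backslash" (domain\user) or "upn" (user@domain)


def parse_user_input(text: str) -> ParsedInput:
    """Split the login name the user typed into user and domain parts."""
    if "\\" in text:
        domain, user = text.split("\\", 1)
        return ParsedInput(user, domain, "backslash")
    if "@" in text:
        user, domain = text.rsplit("@", 1)
        return ParsedInput(user, domain, "upn")
    return ParsedInput(text, None, "bare")


def username_sent(modifier: str, user_input: str, user_domain: str) -> str:
    """Username the firewall sends to the server (user_domain == "" when blank)."""
    p = parse_user_input(user_input)
    if modifier == MOD_USERINPUT:
        return user_input                        # passed through as typed
    if modifier == MOD_DOMAIN_BACKSLASH:
        # Blank User Domain: bare user (table rows). Populated: assumption.
        return f"{user_domain}\\{p.user}" if user_domain else p.user
    if modifier == MOD_USERINPUT_AT:
        return f"{p.user}@{user_domain}" if user_domain else p.user
    if modifier == MOD_NONE:
        # Strips a typed domain\ prefix; a UPN is sent unchanged.
        return p.user if p.form == "backslash" else user_input
    raise ValueError(f"unknown modifier {modifier!r}")


def effective_domain(user_input: str, user_domain: str) -> Optional[str]:
    """Domain associated with the login: the typed domain wins, else User Domain."""
    return parse_user_input(user_input).domain or (user_domain or None)


def allow_list_forms(user_input: str, user_domain: str) -> set:
    """Allow List entries that match this login (bare user, domain\\user, user@domain)."""
    p = parse_user_input(user_input)
    d = effective_domain(user_input, user_domain)
    if d is None:
        return {p.user}                          # no domain known: bare name only
    forms = {f"{d}\\{p.user}"}
    if p.form != "upn":
        forms.add(p.user)
    if p.domain is not None:                     # the user typed a domain
        forms.add(f"{p.user}@{d}")
    return forms


def is_authorized(allow_list, user_input: str, user_domain: str) -> bool:
    """True when at least one Allow List entry matches one of the login's forms."""
    return bool(allow_list_forms(user_input, user_domain) & set(allow_list))


def user_ip_mapping(user_input: str, user_domain: str) -> str:
    """Username recorded in the User-IP mapping after a successful login."""
    p = parse_user_input(user_input)
    d = effective_domain(user_input, user_domain)
    return f"{d}\\{p.user}" if d else p.user


if __name__ == "__main__":
    # Constructed sample: the Allow List holds only the domain\user form.
    allow = ["planotac.local\\user1"]
    for modifier, typed, domain in [
        (MOD_NONE, "planotac.local\\user1", "planotac.local"),
        (MOD_USERINPUT, "user1", ""),            # blank User Domain
    ]:
        print(modifier, typed, "->", username_sent(modifier, typed, domain),
              "| authorized:", is_authorized(allow, typed, domain),
              "| mapping:", user_ip_mapping(typed, domain))
```

The second sample line in the demo is the failure mode worth remembering: with the User Domain field blank and an Allow List that contains only planotac.local\user1, a user who types user1 authenticates against LDAP but is denied by the Allow List, because the firewall has no domain to attach and only the bare form user1 would match.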



Additional Information


Note: the User Domain field of the authentication profile also determines the User-IP mapping. When it is populated, the mapping is recorded as domain\user (for example planotac.local\user1) even if the user typed only user1; when it is blank and the user typed no domain, the mapping is the bare username and only a bare Allow List entry matches, so group-based policy and Allow List entries written as domain\user will not apply to that login.



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boHMCAY&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail