How to use strict-username-check to match identical username

Created On 04/27/22 12:42 PM - Last Modified 02/15/23 23:27 PM


Objective


Sometimes, when using a remote authentication server such as a SAML Identity Provider (IdP), the username that the authentication server sends to the Firewall or Panorama must be identical to the username configured in the local administrator account on the Firewall or Panorama. This article explains how the strict-username-check setting controls that match and what to do when the domain part of the username causes the lookup to fail.
 


Environment


  • Palo Alto Networks Firewall
  • Panorama
  • Remote authentication server administrator login is configured


Procedure


  1. Starting with PAN-OS 9.1, strict-username-check is enabled by default:
> set auth strict-username-check yes
When strict-username-check is enabled, the Firewall or Panorama looks for an identical username. For example, if the username that the authentication server sends to the Firewall or Panorama is "remoteadmin@mydomain.local", the Firewall/Panorama searches for that exact string, including the domain part "@mydomain.local".
  2. In some cases the local administrator database or the remote server has only the username without the domain name. The lookup then fails, and the authd debug log shows an error like the following:
debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1381): Could not get user role for user remoteadmin@mydomain.local
NOTE: To match on the username alone and ignore the domain name, disable strict-username-check with the following command:
> set auth strict-username-check no
Keep in mind that with the check disabled the domain part is ignored entirely, so "remoteadmin@mydomain.local" and "remoteadmin@anotherdomain.local" both resolve to the local account "remoteadmin"; the domain no longer distinguishes otherwise identical usernames.
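The following Python model illustrates the two matching modes described in the procedure. It is an added example written for this article, not code from Palo Alto Networks or from PAN-OS itself: the local administrator database is modelled as a plain dictionary of username to admin role, and the model accepts a domain qualifier in either the "user@domain" form shown in the article or the "DOMAIN\user" form (the latter is an assumption, not something the article states). It reproduces the failure from step 2 under strict matching, the successful match after the check is disabled, and the caveat that a different domain then matches the same local account.

```python
"""Model of PAN-OS strict-username-check behaviour as described in the article.

Added example, not PAN-OS code. Assumptions:
  * the local admin database is a dict of "username -> admin role";
  * a domain may be attached as user@domain or DOMAIN\\user.
"""
from typing import Dict, List, Optional

# Constructed sample data: the local administrator account has no domain part,
# which is exactly the situation that makes the strict lookup fail.
LOCAL_ADMINS: Dict[str, str] = {
    "remoteadmin": "superuser",
}


def bare_username(name: str) -> str:
    """Strip a user@domain or DOMAIN\\user qualifier and return the bare username."""
    if "@" in name:
        return name.split("@", 1)[0]
    if "\\" in name:
        return name.rsplit("\\", 1)[1]
    return name


def matching_accounts(sent_username: str, local_admins: Dict[str, str], strict: bool) -> List[str]:
    """Return the local account names that the sent username resolves to.

    strict=True  models "set auth strict-username-check yes": the whole string,
                 domain included, must be identical to a local account name.
    strict=False models "set auth strict-username-check no": only the bare
                 username is compared and the domain part is ignored.
    """
    if strict:
        return [sent_username] if sent_username in local_admins else []
    wanted = bare_username(sent_username)
    return [user for user in local_admins if bare_username(user) == wanted]


def lookup_role(sent_username: str, local_admins: Dict[str, str], strict: bool = True) -> Optional[str]:
    """Resolve the username sent by the IdP to a local admin role.

    Returns None when no local account matches, which is the
    "Could not get user role for user ..." case from the article.
    Raises ValueError when relaxed matching is ambiguous (several local
    accounts share the bare username); the model refuses to guess which
    one PAN-OS would pick, since the article does not say.
    """
    matches = matching_accounts(sent_username, local_admins, strict)
    if not matches:
        return None
    if len(matches) > 1:
        raise ValueError(f"ambiguous match for {sent_username!r}: {matches}")
    return local_admins[matches[0]]


if __name__ == "__main__":
    sent = "remoteadmin@mydomain.local"
    print("strict  :", lookup_role(sent, LOCAL_ADMINS, strict=True))
    print("relaxed :", lookup_role(sent, LOCAL_ADMINS, strict=False))
    # The caveat of disabling the check: a foreign domain matches the same account.
    print("foreign :", lookup_role("remoteadmin@anotherdomain.local", LOCAL_ADMINS, strict=False))
```

Running the block prints `None` for the strict lookup (the failure logged in step 2), `superuser` for the relaxed lookup, and `superuser` again for a username from an unrelated domain, which is the behaviour to weigh before leaving strict-username-check disabled.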

 

