GP users are not restricted to an AD group in allow list of authentication profile.

Created On 04/01/19 20:08 PM - Last Modified 04/27/20 16:44 PM


Symptom
A group is added to the allow list of the authentication profile, but it does not match users authenticating via the firewall UI, GlobalProtect (GP), or Captive Portal.

Environment
  • PAN-OS version 7.1 or above. 
  • Group mapping with Active Directory LDAP is configured. 
  • Authentication profile has an Active Directory group added in the allow list. 


Cause
  • The User Domain (NetBIOS domain) is set up incorrectly in the authentication profile.


Resolution
Change the User Domain in the authentication profile from (domain.com) to (domain).

Example: if your Active Directory forest is users.domain.com, then the User Domain in the authentication profile will be users.
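
The following check is an added example, not part of the original article and not Palo Alto Networks code: it scans an exported configuration for authentication profiles whose allow list names a group while the User Domain is a dotted, DNS-style value. The XML element names (authentication-profile, user-domain, allow-list/member) and the sample profiles are assumptions constructed for illustration, and the suggested value is only the first DNS label, as in the example above, so confirm it against the real NetBIOS domain name.

```python
import xml.etree.ElementTree as ET

# Constructed sample export. Element names are assumed, not taken from the article.
SAMPLE_CONFIG = """
<config><shared><authentication-profile>
  <entry name="GP-Auth">
    <user-domain>users.domain.com</user-domain>
    <allow-list><member>cn=vpn-users,ou=groups,dc=users,dc=domain,dc=com</member></allow-list>
  </entry>
  <entry name="Admin-Auth">
    <user-domain>users</user-domain>
    <allow-list><member>cn=fw-admins,ou=groups,dc=users,dc=domain,dc=com</member></allow-list>
  </entry>
  <entry name="Portal-Auth">
    <user-domain>users.domain.com</user-domain>
    <allow-list><member>all</member></allow-list>
  </entry>
</authentication-profile></shared></config>
"""


def audit_auth_profiles(xml_text):
    """Return (profile, user_domain, suggestion) for each profile that restricts
    logins to named groups while its User Domain looks like a DNS name."""
    findings = []
    root = ET.fromstring(xml_text)
    # iter() also reaches per-vsys profiles, not only the shared ones.
    for container in root.iter("authentication-profile"):
        for profile in container.findall("entry"):
            domain = (profile.findtext("user-domain") or "").strip()
            members = [(m.text or "").strip()
                       for m in profile.findall("allow-list/member")]
            # An allow list of only "all" does not depend on group matching.
            restricted = any(m and m.lower() != "all" for m in members)
            if restricted and "." in domain:
                # Heuristic from the article's example: first DNS label.
                findings.append((profile.get("name"), domain, domain.split(".")[0]))
    return findings


if __name__ == "__main__":
    for name, current, suggestion in audit_auth_profiles(SAMPLE_CONFIG):
        print(f"{name}: User Domain '{current}' is DNS-style; "
              f"check whether it should be '{suggestion}'")
```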


Additional Information
Additional information about domain-map and Active Directory configuration can be found here.
