GP users are not restricted to an AD group in allow list of authentication profile.

Created On 04/01/19 20:08 PM - Last Modified 04/27/20 16:44 PM


Symptom


A group is added to the allow list of the authentication profile, but users authenticating via the firewall UI, GP, or Captive Portal are not matched against it.

 


Environment


  • PAN-OS version 7.1 or above. 
  • Group mapping with Active Directory LDAP is configured. 
  • Authentication profile has an Active Directory group added in the allow list. 


Cause


  • The User Domain (NetBIOS domain) is set up incorrectly in the authentication profile.


Resolution


Change the User Domain in the authentication profile from the DNS form (domain.com) to the NetBIOS form (domain).

Example: if your Active Directory forest is users.domain.com, then the User Domain in the Authentication Profile will be users.

Authentication Profile
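
To find every profile affected by this cause at once, the following added example (not part of the original article or any Palo Alto Networks tooling) scans an exported configuration for authentication profiles that restrict the allow list to groups but carry a DNS-style User Domain. The sample XML is constructed, and the element names (authentication-profile, user-domain, allow-list/member) are assumed to match the exported configuration layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. Element names are assumed to match
# the layout of an exported PAN-OS configuration.
SAMPLE_CONFIG = """
<config><shared><authentication-profile>
  <entry name="gp-auth-fqdn">
    <user-domain>users.domain.com</user-domain>
    <allow-list><member>cn=vpn-users,ou=groups,dc=users,dc=domain,dc=com</member></allow-list>
  </entry>
  <entry name="gp-auth-netbios">
    <user-domain>users</user-domain>
    <allow-list><member>cn=vpn-users,ou=groups,dc=users,dc=domain,dc=com</member></allow-list>
  </entry>
  <entry name="admin-auth-all">
    <user-domain>users.domain.com</user-domain>
    <allow-list><member>all</member></allow-list>
  </entry>
</authentication-profile></shared></config>
"""

def audit_user_domains(config_xml):
    """Return profiles whose allow list names groups while the User Domain
    looks like a DNS name instead of a NetBIOS domain."""
    findings = []
    root = ET.fromstring(config_xml)
    # iter() reaches profiles under shared as well as under any vsys or template.
    for profiles in root.iter("authentication-profile"):
        for entry in profiles.findall("entry"):
            domain = (entry.findtext("user-domain") or "").strip()
            members = [m.text.strip() for m in entry.findall("allow-list/member") if m.text]
            # An allow list of "all" does no group matching, so it is not affected.
            restricted = any(m.lower() != "all" for m in members)
            if restricted and "." in domain:
                findings.append({
                    "profile": entry.get("name"),
                    "user_domain": domain,
                    # Heuristic: first DNS label, as in the article's example.
                    # Confirm the real NetBIOS name in Active Directory before changing it.
                    "suggested": domain.split(".")[0],
                })
    return findings

if __name__ == "__main__":
    for f in audit_user_domains(SAMPLE_CONFIG):
        print(f"{f['profile']}: User Domain '{f['user_domain']}' looks like a DNS name; "
              f"candidate NetBIOS value is '{f['suggested']}'")
```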


Additional Information


Additional Information about domain-map and Active Directory configuration can be found Here.
