GP users are not restricted to an AD group in the allow list of the authentication profile.
Created On 04/01/19 20:08 PM - Last Modified 04/27/20 16:44 PM
A group is added to the allow list in the authentication profile, but it does not match users authenticating via the firewall UI, GP, or Captive Portal.
- PAN-OS version 7.1 or above.
- Group mapping with Active Directory LDAP is configured.
- Authentication profile has an Active Directory group added in the allow list.
- User domain (NetBIOS Domain) is set up incorrectly in the authentication profile.
Change the User Domain in the authentication profile from (domain.com) to (domain).
Example: if your Active Directory forest is users.domain.com, then the User Domain in the authentication profile will be users.
Additional information about domain-map and Active Directory configuration can be found here.
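
To find this misconfiguration across many authentication profiles, the following added example (not Palo Alto Networks code) scans an exported configuration for profiles that restrict by group but carry a DNS-style User Domain. The XML element names (`authentication-profile`, `user-domain`, `allow-list/member`) and the sample data are assumptions constructed for illustration, and the suggested value simply follows the article's users.domain.com to users example, so confirm the real NetBIOS name in Active Directory before changing anything.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. The element names used here are
# assumptions about how authentication profiles appear in the config XML.
SAMPLE_CONFIG = """
<config><shared><authentication-profile>
  <entry name="gp-auth">
    <user-domain>users.domain.com</user-domain>
    <allow-list><member>cn=vpn-users,ou=groups,dc=users,dc=domain,dc=com</member></allow-list>
  </entry>
  <entry name="captive-portal-auth">
    <user-domain>users</user-domain>
    <allow-list><member>cn=cp-users,ou=groups,dc=users,dc=domain,dc=com</member></allow-list>
  </entry>
  <entry name="admin-auth">
    <user-domain>users.domain.com</user-domain>
    <allow-list><member>all</member></allow-list>
  </entry>
</authentication-profile></shared></config>
"""

def suggested_netbios(user_domain):
    """Leftmost DNS label, mirroring the article's users.domain.com -> users example."""
    return user_domain.split(".", 1)[0]

def audit_profiles(xml_text):
    """Return (profile, user_domain, suggestion) for every profile that restricts
    by group (allow list is not just 'all') yet has a dotted User Domain."""
    findings = []
    root = ET.fromstring(xml_text)
    for profiles in root.iter("authentication-profile"):
        for entry in profiles.findall("entry"):
            domain = (entry.findtext("user-domain") or "").strip()
            members = [m.text.strip() for m in entry.findall("allow-list/member") if m.text]
            restricts_by_group = any(m.lower() != "all" for m in members)
            if restricts_by_group and "." in domain:
                findings.append((entry.get("name"), domain, suggested_netbios(domain)))
    return findings

if __name__ == "__main__":
    for name, domain, fix in audit_profiles(SAMPLE_CONFIG):
        print(f"{name}: User Domain '{domain}' looks like a DNS name; expected NetBIOS form such as '{fix}'")
```

Profiles whose allow list is `all` are skipped because no group match is attempted for them, so a dotted User Domain there does not produce the symptom described above.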