Support for Multiple Username Formats

Select
Device
Server Profiles
LDAP
and
Add
an LDAP server profile.
Select
Device
User Identification
Group Mapping Settings
and
Add
Group Mapping using the LDAP server profile you added in the previous step.
Specify the
Primary Username
that will identify users in reports and logs and optionally specify the
Directory Attribute
for users or groups, then
Commit
your changes.
When you select the Server Profile
Type
, the firewall auto-populates the values for the user and group attributes. Based on the user information that your User-ID sources send, you may need to configure the correct attributes. For more information, refer to Map Users to Groups.
For users:
Select
Device
User Identification
Group Mapping Settings
Add
User and Group Attributes
and specify a
Primary Username
(for example,
userPrincipalName
or
sAMAccountName
).
If the Primary Username is in User Principal Name (UPN) format, it will not be normalized in the
domain\username
format as in previous versions. For example, if the Primary Username is received in the UPN format, it will be displayed as
username@domain
, not
domain\username
.
(Optional)
Specify additional alternate
User Attributes
to identify users, such as an
E-Mail
or up to three
Alternate Usernames
.
For groups:
Select
Device
User Identification
Group Mapping
Add
User and Group Attributes
.
Specify
Group Attributes
such as the
Group Name
,
Group Member
, or
E-Mail
.

Use the groups and usernames that the group mapping profile collects to Enable User- and Group-Based Policy.
(Optional)
If your User-ID sources only send the username and the username is unique across the organization, select
Device
User Identification
Palo Alto Networks User-ID Agent Setup
Cache
and
Edit
to
Allow matching usernames without domain
to allow the firewall to check if unique usernames collected from the LDAP server during group mapping match the users associated with a policy and avoid overwriting the domain in your source profile. This option is disabled by default.
Before enabling this option, configure group mapping for the LDAP group containing the User-ID source (such as GlobalProtect or Captive Portal) that collects the mappings. After you commit the changes, the User-ID source populates the usernames without domains. Only usernames collected during group mapping can be matched without a domain. If your User-ID sources send user information in multiple formats and you enable this option, verify that the attributes collected by the firewall have a unique prefix. To ensure users are identified correctly if you enable this option, all attributes for group mapping should be unique. If the username is not unique, the firewall logs an error in the Debug logs.

Map users based on information from User-ID sources by configuring User-ID to gather IP-user mappings from sources using the PAN-OS integrated User-ID agent or the Windows User-ID Agent.
Verify the user mapping is successful:
To verify the Group Mapping configuration, select the
Group Include List
to confirm the firewall has fetched all of the groups.
To verify all the user attributes have been captured correctly, use the
show user user-attributes user all
command.
Verify the usernames are displayed correctly in the
Source User
column of the Monitor tab.
Select
Monitor > Logs > User-ID
and check the
User Provided by Source
column to verify the users are mapped to the correct username.