End-of-Life (EoL)
Support for Multiple Username Formats
Multiple username formats are now supported for User-ID sources when you specify the user attributes for the firewall to collect from an LDAP directory. The firewall can now identify a user even if different User-ID sources send usernames in different formats. For example, a single user may have multiple usernames that are represented in different formats (jane.doe@domain.com, DOMAIN\jdoe, jdoe). The usernames are matched based on the user attributes that the firewall reads from the LDAP-compliant directory. You can specify which user attributes to collect from the directory using the Group Mapping profile.

Because the firewall now supports multiple user attributes, you should specify an attribute as the Primary Username for users. The primary username represents the user in the logs, reports, and in the policy configuration.

If your User-ID sources send usernames without an associated domain and your usernames are unique, you can also configure the firewall to not consider the domain when matching users. If you enable this option and the firewall finds more than one matching username, an error displays to indicate the username is not unique.
- Select Device > User Identification > Group Mapping Settings and Add a Group Mapping using the LDAP server profile you added in the previous step.
- Specify the Primary Username that will identify users in reports and logs and optionally specify the Directory Attribute for users or groups, then Commit your changes. When you select the Server Profile Type, the firewall auto-populates the values for the user and group attributes. Based on the user information that your User-ID sources send, you may need to configure the correct attributes. For more information, refer to Map Users to Groups.
- For users:
  - Select Device > User Identification > Group Mapping Settings > Add > User and Group Attributes and specify a Primary Username (for example, userPrincipalName or sAMAccountName). If the Primary Username is in User Principal Name (UPN) format, it will not be normalized in the domain\username format as in previous versions. For example, if the Primary Username is received in the UPN format, it will be displayed as username@domain, not domain\username.
  - (Optional) Specify additional alternate User Attributes to identify users, such as an E-Mail or up to three Alternate Usernames.
- For groups:
  - Select Device > User Identification > Group Mapping > Add > User and Group Attributes.
  - Specify Group Attributes such as the Group Name, Group Member, or E-Mail.
- Use the groups and usernames that the group mapping profile collects to Enable User- and Group-Based Policy.
- (Optional) If your User-ID sources only send the username and the username is unique across the organization, select Device > User Identification > Palo Alto Networks User-ID Agent Setup, Edit the Cache settings, and enable Allow matching usernames without domain to allow the firewall to check whether unique usernames collected from the LDAP server during group mapping match the users associated with a policy and avoid overwriting the domain in your source profile. This option is disabled by default. Before enabling this option, configure group mapping for the LDAP group containing the User-ID source (such as GlobalProtect or Captive Portal) that collects the mappings. After you commit the changes, the User-ID source populates the usernames without domains. Only usernames collected during group mapping can be matched without a domain. If your User-ID sources send user information in multiple formats and you enable this option, verify that the attributes collected by the firewall have a unique prefix. To ensure users are identified correctly if you enable this option, all attributes for group mapping should be unique. If the username is not unique, the firewall logs an error in the Debug logs.
- Map users based on information from User-ID sources by configuring User-ID to gather IP-user mappings from sources using the PAN-OS integrated User-ID agent or the Windows User-ID Agent.
- Verify the user mapping is successful:
  - To verify the Group Mapping configuration, select the Group Include List to confirm the firewall has fetched all of the groups.
  - To verify all the user attributes have been captured correctly, use the show user user-attributes user all command.
  - Verify the usernames are displayed correctly in the Source User column of the Monitor tab.
  - Select Monitor > Logs > User-ID and check the User Provided by Source column to verify the users are mapped to the correct username.
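The matching behaviour described above (a username that arrives as UPN, DOMAIN\user or a bare account name is matched against the attributes the Group Mapping profile collects, the Primary Username is what ends up in logs and policy, and the "match without domain" option fails when the bare username is not unique) is modelled below as an added Python example. It is not PAN-OS code: the directory records, the GroupMappingProfile class and the NotUniqueError are constructed for illustration, and the attribute names follow Active Directory conventions only because the page uses userPrincipalName and sAMAccountName as its examples.

```python
from dataclasses import dataclass

# Constructed directory records standing in for what a Group Mapping profile
# reads from LDAP. Values are invented. The third record deliberately reuses
# the sAMAccountName "jdoe" in a second domain so that matching without a
# domain becomes ambiguous, which is the failure case the page warns about.
DIRECTORY = [
    {"domain": "EXAMPLE", "userPrincipalName": "jane.doe@example.com",
     "sAMAccountName": "jdoe", "mail": "jane.doe@example.com"},
    {"domain": "EXAMPLE", "userPrincipalName": "john.smith@example.com",
     "sAMAccountName": "jsmith", "mail": "john.smith@example.com"},
    {"domain": "CORP", "userPrincipalName": "jdoe@corp.example.com",
     "sAMAccountName": "jdoe", "mail": "jdoe@corp.example.com"},
]


class NotUniqueError(ValueError):
    """Raised when domain-less matching finds more than one directory user."""


@dataclass(frozen=True)
class GroupMappingProfile:
    """Hypothetical model of the attribute choices described on the page."""
    primary_username: str            # e.g. "userPrincipalName" or "sAMAccountName"
    email: str = "mail"              # the E-Mail attribute
    alternates: tuple = ()           # up to three Alternate Username attributes
    allow_without_domain: bool = False


def identities(record, profile):
    """Every username string a directory record answers to, lowercased.

    Values that already carry a domain (UPN, e-mail, domain\\user) are used
    as received. A bare account name is qualified with the record's domain
    and is accepted bare only when the profile allows matching without one.
    """
    ids = set()
    domain = record["domain"].lower()
    for attr in (profile.primary_username, profile.email, *profile.alternates):
        value = record.get(attr)
        if not value:
            continue
        value = value.lower()
        if "@" in value or "\\" in value:
            ids.add(value)
        else:
            ids.add(f"{domain}\\{value}")
            if profile.allow_without_domain:
                ids.add(value)
    return ids


def resolve(raw_username, profile, directory=DIRECTORY):
    """Map a username as sent by a User-ID source to the Primary Username.

    Returns None when nothing matches (for example a bare username while
    domain-less matching is disabled) and raises NotUniqueError when a bare
    username is shared by more than one directory user.
    """
    key = raw_username.lower()
    matches = [r for r in directory if key in identities(r, profile)]
    if not matches:
        return None
    if len(matches) > 1:
        raise NotUniqueError(f"username {raw_username!r} is not unique")
    return matches[0][profile.primary_username]


if __name__ == "__main__":
    upn_first = GroupMappingProfile("userPrincipalName", alternates=("sAMAccountName",))
    for sent in ("jane.doe@example.com", "EXAMPLE\\jdoe", "jdoe"):
        print(f"{sent:25} -> {resolve(sent, upn_first)}")
```

With userPrincipalName as the Primary Username, a login that arrives as EXAMPLE\jdoe resolves to jane.doe@example.com, which is the UPN-format display the page describes (username@domain rather than domain\username). Switching the profile to sAMAccountName with allow_without_domain enabled resolves jsmith on its own, but the bare jdoe raises NotUniqueError because two directory users share that account name, the situation in which the firewall logs the "not unique" error and the reason the page asks for unique attributes before enabling the option.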