1. Home
    2. PAN-OS
    3. PAN-OS® New Features Guide
    4. User-ID Features
    5. Support for Multiple Username Formats

    Support for Multiple Username Formats

    Multiple username formats are now supported for User-ID sources when you specify the user attributes for the firewall to collect from an LDAP directory.
    The firewall can now identify a user even if different User-ID sources send usernames in different formats. For example, a single user may have multiple usernames that are represented in different formats (
    jane.doe@domain.com
    ,
    DOMAIN\jdoe
    ,
    jdoe
    )
    The usernames are matched based on the user attributes that the firewall reads from the LDAP-compliant directory. You can specify which user attributes to collect from the directory using the Group Mapping profile.
    Because the firewall now supports multiple user attributes, you should specify an attribute as the
    Primary Username
     for users. The primary username represents the user in the logs, reports, and in the policy configuration.
    If your User-ID sources send usernames without an associated domain and your usernames are unique, you can also configure the firewall to not consider the domain when matching users. If you enable this option and the firewall finds more than one matching username, an error displays to indicate the username is not unique.
    1. Select
      Device
      Server Profiles
      LDAP
       and
      Add
       an LDAP server profile.
    2. Select
      Device
      User Identification
      Group Mapping Settings
       and
      Add
      Group Mapping using the LDAP server profile you added in the previous step.
    3. Specify the
      Primary Username
       that will identify users in reports and logs and optionally specify the
      Directory Attribute
       for users or groups, then
      Commit
       your changes.
      When you select the Server Profile
      Type
      , the firewall auto-populates the values for the user and group attributes. Based on the user information that your User-ID sources send, you may need to configure the correct attributes. For more information, refer to Map Users to Groups.
      • For users:
        1. Select
          Device
          User Identification
          Group Mapping Settings
          Add
          User and Group Attributes
           and specify a
          Primary Username
           (for example,
          userPrincipalName
           or
          sAMAccountName
          ).
          If the Primary Username is in User Principal Name (UPN) format, it will not be normalized in the
          domain\username
           format as in previous versions. For example, if the Primary Username is received in the UPN format, it will be displayed as
          username@domain
          , not
          domain\username
          .
        2. (Optional)
           Specify additional alternate
          User Attributes
           to identify users, such as an
          E-Mail
           or up to three
          Alternate Usernames
          .
      • For groups:
        1. Select
          Device
          User Identification
          Group Mapping
          Add
          User and Group Attributes
          .
        2. Specify
          Group Attributes
           such as the
          Group Name
          ,
          Group Member
          , or
          E-Mail
          .
      multiple_username_formats_group_mapping_user_and_group_attributes.png
    4. Use the groups and usernames that the group mapping profile collects to Enable User- and Group-Based Policy.
      (Optional)
       If your User-ID sources only send the username and the username is unique across the organization, select
      Device
      User Identification
      Palo Alto Networks User-ID Agent Setup
      Cache
       and
      Edit
       to
      Allow matching usernames without domain
       to allow the firewall to check if unique usernames collected from the LDAP server during group mapping match the users associated with a policy and avoid overwriting the domain in your source profile. This option is disabled by default.
      Before enabling this option, configure group mapping for the LDAP group containing the User-ID source (such as GlobalProtect or Captive Portal) that collects the mappings. After you commit the changes, the User-ID source populates the usernames without domains. Only usernames collected during group mapping can be matched without a domain. If your User-ID sources send user information in multiple formats and you enable this option, verify that the attributes collected by the firewall have a unique prefix. To ensure users are identified correctly if you enable this option, all attributes for group mapping should be unique. If the username is not unique, the firewall logs an error in the Debug logs.
      multiple_username_formats_cache_allow_matching_usernames_without_domains.png
    5. Map users based on information from User-ID sources by configuring User-ID to gather IP-user mappings from sources using the PAN-OS integrated User-ID agent or the Windows User-ID Agent.
    6. Verify the user mapping is successful:
      • To verify the Group Mapping configuration, select the
        Group Include List
         to confirm the firewall has fetched all of the groups.
      • To verify all the user attributes have been captured correctly, use the
        show user user-attributes user all
         command.
      • Verify the usernames are displayed correctly in the
        Source User
         column of the Monitor tab.
      • Select
        Monitor > Logs > User-ID
         and check the
        User Provided by Source
         column to verify the users are mapped to the correct username.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2020 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo