Support for Multiple Username Formats

Multiple username formats are now supported for User-ID sources when you specify the user attributes for the firewall to collect from an LDAP directory.
The firewall can now identify a user even when different User-ID sources send the username in different formats. For example, a single user may be represented as jane.doe@domain.com, DOMAIN\jdoe, or jdoe.
The usernames are matched based on the user attributes that the firewall reads from the LDAP-compliant directory. You can specify which user attributes to collect from the directory using the Group Mapping profile.
Because the firewall now collects multiple user attributes, designate one attribute as the Primary Username. The primary username represents the user in logs, reports, and policy configuration.
If your User-ID sources send usernames without a domain and usernames are unique across your organization, you can also configure the firewall to ignore the domain when matching users. If you enable this option and a username matches more than one directory user, the firewall displays an error indicating that the username is not unique.
  1. Select Device > Server Profiles > LDAP and Add an LDAP server profile.
  2. Select Device > User Identification > Group Mapping Settings and Add a Group Mapping profile that uses the LDAP server profile you added in the previous step.
  3. Specify the Primary Username that will identify users in reports and logs, optionally specify the Directory Attribute for users or groups, then Commit your changes.
    When you select the Server Profile Type, the firewall auto-populates the user and group attributes. Depending on the user information your User-ID sources send, you may need to adjust these attributes. For more information, refer to Map Users to Groups.
    • For users:
      1. Select Device > User Identification > Group Mapping Settings > Add > User and Group Attributes and specify a Primary Username (for example, userPrincipalName or sAMAccountName).
        If the Primary Username is in User Principal Name (UPN) format, it is no longer normalized to the domain\username format as in previous versions. For example, a Primary Username received as username@domain is displayed as username@domain, not domain\username.
      2. (Optional) Specify additional alternate User Attributes to identify users, such as an E-Mail or up to three Alternate Usernames.
    • For groups:
      1. Select Device > User Identification > Group Mapping > Add > User and Group Attributes.
      2. Specify Group Attributes such as the Group Name, Group Member, or E-Mail.
  4. Use the groups and usernames that the group mapping profile collects to Enable User- and Group-Based Policy.
    (Optional) If your User-ID sources send only the username and usernames are unique across the organization, select Device > User Identification > Palo Alto Networks User-ID Agent Setup > Cache, Edit the settings, and enable Allow matching usernames without domain. This lets the firewall check whether the unique usernames collected from the LDAP server during group mapping match the users referenced in policy, without overwriting the domain configured in your source profile. The option is disabled by default.
    Before enabling this option, configure group mapping for the LDAP group containing the users whose mappings the User-ID source (such as GlobalProtect or Captive Portal) collects. After you commit the changes, the User-ID source populates the usernames without domains. Only usernames collected during group mapping can be matched without a domain. If your User-ID sources send user information in multiple formats and you enable this option, verify that the attributes the firewall collects have a unique prefix; every attribute used for group mapping should be unique so that users are identified correctly. If a username is not unique, the firewall logs an error in the Debug logs.
  5. Map users to IP addresses by configuring User-ID to gather IP address-to-username mappings from your sources using the PAN-OS integrated User-ID agent or the Windows-based User-ID agent.
  6. Verify that user mapping is successful:
    • To verify the Group Mapping configuration, check the Group Include List to confirm that the firewall has fetched all of the groups.
    • To verify that all user attributes have been captured correctly, use the show user user-attributes user all CLI command.
    • Verify that usernames are displayed correctly in the Source User column of the logs on the Monitor tab.
    • Select Monitor > Logs > User-ID and check the User Provided by Source column to verify that users are mapped to the correct username.
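The following is an added example, not Palo Alto Networks code or a representation of PAN-OS internals. It models the behaviour this page describes: a User-ID source sends a username in UPN, DOMAIN\user or bare form, the firewall matches it against the attributes Group Mapping collected (a Primary Username plus alternates such as sAMAccountName and mail), the UPN form is kept as user@domain for display, a bare username is matched only when Allow matching usernames without domain is enabled, and a bare username that belongs to more than one directory user is an error. It also shows the pre-check recommended before enabling that option: find bare usernames that are not unique across all collected attributes. The LDAP entries, the NetBIOS-to-DNS domain table and the names ACME/contoso are all constructed for the example.

```python
"""Added example (not Palo Alto Networks code): a model of matching one user
across the username formats the page lists, plus the uniqueness pre-check for
domain-less matching. All directory data below is constructed."""
from collections import defaultdict

# Assumption: NetBIOS domain names map to the DNS suffixes used in UPNs.
DOMAIN_ALIASES = {"acme": "acme.example", "contoso": "contoso.example"}

# Constructed LDAP entries. Attribute names mirror the page's examples
# (userPrincipalName, sAMAccountName, mail); "_domain" stands for the domain
# of the Group Mapping profile that fetched the entry.
DIRECTORY = [
    {"_domain": "acme", "userPrincipalName": "jane.doe@acme.example",
     "sAMAccountName": "jdoe", "mail": "jane.doe@acme.example"},
    {"_domain": "acme", "userPrincipalName": "john.dow@acme.example",
     "sAMAccountName": "jdow", "mail": "john.dow@acme.example"},
    # A second "jdoe" in another domain: unique per domain, not org-wide.
    {"_domain": "contoso", "userPrincipalName": "jdoe@contoso.example",
     "sAMAccountName": "jdoe", "mail": "j.doe@contoso.example"},
]


class NotUniqueError(Exception):
    """Raised when a bare username matches more than one directory user."""


def normalize_domain(domain):
    d = domain.lower()
    return DOMAIN_ALIASES.get(d, d)


def parse_username(raw):
    """Split a UPN, DOMAIN\\user or bare username into (domain, user).
    domain is the lower-cased DNS form, or None for a bare username."""
    if "\\" in raw:
        domain, user = raw.split("\\", 1)
    elif "@" in raw:
        user, domain = raw.rsplit("@", 1)
    else:
        domain, user = None, raw
    return (normalize_domain(domain) if domain else None, user.lower())


class UserIdMatcher:
    def __init__(self, directory, primary, alternates=(), allow_without_domain=False):
        self.allow_without_domain = allow_without_domain
        self.by_domain = defaultdict(set)   # (domain, user) -> primary usernames
        self.by_name = defaultdict(set)     # bare user -> primary usernames
        for entry in directory:
            display = entry[primary]        # a UPN primary stays user@domain
            for attr in (primary, *alternates):
                value = entry.get(attr)
                if not value:
                    continue
                domain, user = parse_username(value)
                # sAMAccountName carries no domain: use the profile's domain.
                domain = domain or normalize_domain(entry["_domain"])
                self.by_domain[(domain, user)].add(display)
                self.by_name[user].add(display)

    def match(self, raw, source_domain=None):
        """Return the Primary Username for a username sent by a User-ID source.
        source_domain is the default domain the source would attach to a bare
        username when domain-less matching is disabled (assumed behaviour)."""
        domain, user = parse_username(raw)
        if domain is None and not self.allow_without_domain:
            if source_domain is None:
                return None
            domain = normalize_domain(source_domain)
        if domain is not None:
            hits = self.by_domain.get((domain, user), set())
        else:
            hits = self.by_name.get(user, set())
        if len(hits) > 1:
            raise NotUniqueError(f"{raw!r} matches {sorted(hits)}")
        return next(iter(hits), None)


def find_duplicate_names(directory, attributes):
    """Pre-check before enabling domain-less matching: bare names (any collected
    attribute with the domain stripped) that belong to more than one user."""
    owners = defaultdict(set)
    for entry in directory:
        for attr in attributes:
            if entry.get(attr):
                owners[parse_username(entry[attr])[1]].add(entry["userPrincipalName"])
    return {name: users for name, users in owners.items() if len(users) > 1}


if __name__ == "__main__":
    m = UserIdMatcher(DIRECTORY, "userPrincipalName", ("sAMAccountName", "mail"))
    print(m.match("ACME\\jdoe"))
    print(m.match("jdoe", source_domain="acme"))
    print(find_duplicate_names(DIRECTORY, ("userPrincipalName", "sAMAccountName", "mail")))
```

Running find_duplicate_names over the constructed directory reports jdoe as shared by two users, which is exactly the case in which enabling Allow matching usernames without domain would make a bare "jdoe" ambiguous; the same directory matches cleanly when the source supplies a domain in either UPN or DOMAIN\user form.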
