Support for Multiple Username Formats
Multiple username formats are now supported for User-ID sources when you specify the user attributes for the firewall to collect from an LDAP directory.
The firewall can now identify a user even if different User-ID sources send usernames in different formats. For example, a single user may have multiple usernames that are represented in different formats (
The usernames are matched based on the user attributes that the firewall reads from the LDAP-compliant directory. You can specify which user attributes to collect from the directory using the Group Mapping profile.
Because the firewall now supports multiple user attributes, you should specify one attribute as the Primary Username for users. The primary username represents the user in the logs, reports, and in the policy configuration.
If your User-ID sources send usernames without an associated domain and your usernames are unique, you can also configure the firewall to ignore the domain when matching users. If you enable this option and the firewall finds more than one matching username, it logs an error indicating that the username is not unique.
- Select Device > Server Profiles > LDAP and Add an LDAP server profile.
- Select Device > User Identification > Group Mapping Settings and Add a Group Mapping using the LDAP server profile you added in the previous step.
- Specify the Primary Username that will identify users in reports and logs, optionally specify the Directory Attribute for users or groups, then Commit your changes.
- For users:
- Select Device > User Identification > Group Mapping Settings > Add > User and Group Attributes and specify a Primary Username (for example, userPrincipalName or sAMAccountName). If the Primary Username is in User Principal Name (UPN) format, it is not normalized to the domain\username format as in previous versions. For example, if the Primary Username is received in UPN format, it is displayed as username@domain, not domain\username.
- (Optional) Specify additional alternate User Attributes to identify users, such as an Alternate Username.
- For groups:
- Select Device > User Identification > Group Mapping > Add > User and Group Attributes.
- Specify Group Attributes such as the Group Name, Group Member, or
- Use the groups and usernames that the group mapping profile collects to Enable User- and Group-Based Policy.
- (Optional) If your User-ID sources only send the username and the username is unique across the organization, select Device > User Identification > Palo Alto Networks User-ID Agent Setup, Edit the Cache settings, and select Allow matching usernames without domain. The firewall then checks whether the unique usernames collected from the LDAP server during group mapping match the users referenced in policy, without overwriting the domain in your source profile. This option is disabled by default.
- Before enabling this option, configure group mapping for the LDAP group containing the User-ID source (such as GlobalProtect or Captive Portal) that collects the mappings. After you commit the changes, the User-ID source populates the usernames without domains. Only usernames collected during group mapping can be matched without a domain.
- If your User-ID sources send user information in multiple formats and you enable this option, verify that the attributes the firewall collects have a unique prefix. To ensure users are identified correctly, every attribute used for group mapping should be unique. If a username is not unique, the firewall logs an error in the Debug logs.
- Verify the user mapping is successful:
- To verify the Group Mapping configuration, open the Group Include List of the group mapping profile and confirm that the firewall has fetched all of the groups.
- To verify that all the user attributes have been captured correctly, use the show user user-attributes user all CLI command.
- Verify that the usernames are displayed correctly in the Source User column of the Monitor tab.
- Select Monitor > Logs > User-ID and check the User Provided by Source column to verify that the users are mapped to the correct username.
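The following Python script is an added example, not Palo Alto Networks code, that models the matching behaviour this page describes so you can reason about it before turning the option on: a received username is matched against every attribute collected for the user (primary and alternates), a username without a domain is matched only when Allow matching usernames without domain is enabled, a domain-less username that resolves to more than one account is treated as an error, and a UPN primary username is displayed as username@domain rather than domain\username. The directory entries, names and domains are constructed for the example; the dataclass, function names and the mapping of NetBIOS domain to sAMAccountName are assumptions of this model, not firewall internals.

```python
"""Model of User-ID username matching across formats (added example, not
Palo Alto Networks code). Directory data below is constructed for illustration."""

from dataclasses import dataclass, field


class AmbiguousUsername(Exception):
    """Raised when a received username matches more than one directory entry."""


@dataclass
class DirectoryUser:
    netbios_domain: str             # NetBIOS domain used in the domain\username form (assumed field)
    sam_account_name: str           # sAMAccountName attribute
    user_principal_name: str        # userPrincipalName attribute, username@dnsdomain
    alternates: list = field(default_factory=list)  # values of Alternate Username attributes

    def names(self):
        """Every domain-qualified string by which this entry may be identified, lower-cased."""
        qualified = {
            f"{self.netbios_domain}\\{self.sam_account_name}",
            self.user_principal_name,
            *self.alternates,
        }
        return {n.lower() for n in qualified}

    def bare_names(self):
        """Username parts with any domain stripped; used only for domain-less matching."""
        bare = {self.sam_account_name, self.user_principal_name.split("@", 1)[0]}
        bare.update(a.split("@", 1)[0].split("\\")[-1] for a in self.alternates)
        return {n.lower() for n in bare}


# Constructed sample directory (invented names and domains). 'asmith' exists in
# two domains, which is exactly the case where matching without a domain is unsafe.
DIRECTORY = [
    DirectoryUser("EXAMPLE", "jdoe", "jdoe@example.com", ["john.doe@example.com"]),
    DirectoryUser("EXAMPLE", "asmith", "asmith@example.com"),
    DirectoryUser("CORP", "asmith", "asmith@corp.example.com"),
]


def has_domain(raw):
    """True for domain\\username and username@domain; False for a bare username."""
    return "\\" in raw or "@" in raw


def match_user(raw, directory=DIRECTORY, allow_without_domain=False):
    """Return the DirectoryUser a received username maps to, or None if unmapped.

    Raises AmbiguousUsername when the name is not unique across the collected
    attributes, mirroring the 'username is not unique' error the page describes.
    """
    key = raw.strip().lower()
    if has_domain(key):
        hits = [u for u in directory if key in u.names()]
    elif allow_without_domain:
        hits = [u for u in directory if key in u.bare_names()]
    else:
        hits = []   # domain-less names are not matched unless the option is enabled
    if len(hits) > 1:
        raise AmbiguousUsername(f"{raw!r} matches {len(hits)} accounts; username is not unique")
    return hits[0] if hits else None


def is_unique(raw, directory=DIRECTORY):
    """True when matching 'raw' without a domain resolves to at most one account."""
    try:
        match_user(raw, directory, allow_without_domain=True)
        return True
    except AmbiguousUsername:
        return False


def primary_username(user, primary_attribute="userPrincipalName"):
    """The name shown in logs, reports and policy. A UPN primary stays as
    username@domain and is not rewritten to domain\\username."""
    if primary_attribute == "userPrincipalName":
        return user.user_principal_name
    if primary_attribute == "sAMAccountName":
        return f"{user.netbios_domain}\\{user.sam_account_name}"
    raise ValueError(f"unsupported primary attribute {primary_attribute!r}")


if __name__ == "__main__":
    for received in ["EXAMPLE\\jdoe", "JDOE@example.com", "john.doe@example.com", "jdoe", "asmith"]:
        for option in (False, True):
            try:
                hit = match_user(received, allow_without_domain=option)
                shown = primary_username(hit) if hit else "(no mapping)"
            except AmbiguousUsername as err:
                shown = f"ERROR: {err}"
            print(f"{received:22} allow_without_domain={option!s:5} -> {shown}")
```

Run it as a script to see the table: with the option off, a bare jdoe is never mapped; with it on, jdoe resolves, but asmith raises because the sAMAccountName is reused in a second domain, which is the situation the page warns about when it says all attributes used for group mapping should be unique.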