In PAN-OS 8.1, usernames are now displayed in their original
UPN format and a Primary Username is required. Some User Mapping
and Group Mapping options have been moved.
PAN-OS 8.1 has the following change in default behavior
for User-ID features:
Feature: Support for Multiple Username Formats
Change:
Since multiple username attributes are supported, you must select the primary username attribute that you want to use.
Previously, the firewall normalized usernames received from User-ID sources (such as an LDAP directory) to the domain\username format. In PAN-OS 8.1, when the Primary Username is in UPN format, it will not be normalized as in previous PAN-OS versions. As a result, usernames are displayed on the web interface in their original format (for example, username@domain).
If you use a Certificate Profile for authentication and the username is Subject Alt, the firewall does not drop the domain name from the email or Principal Name.
To support multiple username formats, some web interface options were moved (refer to the callouts in the following screenshots):
(1) The Device > User Identification > Group Mapping Settings > Server Profile > User Objects > User Name option has been moved to Device > User Identification > Group Mapping Settings > User and Group Attributes > User Attributes.
(3) The Device > User Identification > Group Mapping Settings > Server Profile > Group Objects > Group Name and Group Member options have been moved to Device > User Identification > Group Mapping Settings > User and Group Attributes > Group Attributes.
(2) The Mail Domains section previously configured in Device > User Identification > Group Mapping Settings > Server Profile was moved to the User Attributes and Group Attributes settings in