Environment - This article applies to Aruba OS and Aruba Instant OS.
Answer - The User-Identification (User-ID) feature of the Palo Alto Networks (PAN) firewall allows network administrators to configure and enforce firewall policies based on users and user groups. User-ID identifies the user on the network based on the IP address of the device the user is logged into. Additionally, firewall policy can be applied based on the type of device the user is using to connect to the network. Since the Aruba controller maintains the network and user information of the clients on the network, it is the best source of information for the User-ID feature on the PAN firewall.

For the User-ID feature to work, the username must be in the format DOMAIN\USERNAME, because the Palo Alto Networks firewall user/group-mapping understands only DOMAIN\USERNAME. If the username is in the format username or email@example.com, PAN will not be able to process the user group mapping. The Aruba Controller / Aruba Instant AP does not have an option to add the domain name to the username, and the DOMAIN\USERNAME format is mandatory for the user group mapping.

Below is the sample output from PAN without the domain; PAN was not able to map the user groups.

    pan-test-user@PA-500> show user ip-user-mapping ip 10.68.105.24
    IP address: 10.68.105.24 (vsys1)
    User: test.user
    From: XMLAPI
    Idle Timeout: 1559s
    Max. TTL: 1559s
    Groups that the user belongs to (used in policy)    <====== Group is not mapped

Below is the sample output from PAN with the domain; PAN was able to map the user groups.

    pan-test-user@PA-500> show user ip-user-mapping ip 10.68.105.24
    IP address: 10.68.105.24 (vsys1)
    User: aruba\test.user
    From: XMLAPI
    Idle Timeout: 1559s
    Max. TTL: 1559s
    Groups that the user belongs to (used in policy)
    Group(s): cn=employee,ou=staff,dc=aruba,dc=com    <====== Group is mapped
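The following is an added example, not Aruba or Palo Alto Networks code, showing how an intermediary script can normalise the three username forms discussed above (bare username, email@example.com, DOMAIN\USERNAME) into the DOMAIN\USERNAME form before building a User-ID XML API login update. The realm-to-NetBIOS table and the default domain are constructed assumptions, and the uid-message layout is assumed to match the PAN User-ID XML API for your PAN-OS version.

```python
import xml.etree.ElementTree as ET

# Constructed assumption: UPN realm -> NetBIOS domain name that PAN group
# mapping expects. Extend this for every realm seen in your environment.
REALM_TO_NETBIOS = {"aruba.com": "aruba"}
DEFAULT_DOMAIN = "aruba"  # assumed NetBIOS name applied to bare usernames


def to_domain_username(raw, default_domain=DEFAULT_DOMAIN, realms=REALM_TO_NETBIOS):
    """Return the username as DOMAIN\\USERNAME, the only form PAN user/group
    mapping understands. Raises ValueError when a UPN realm is unknown, so a
    user is never submitted in a form that would silently lose group mapping."""
    name = raw.strip()
    if not name:
        raise ValueError("empty username")
    if "\\" in name:  # already DOMAIN\USERNAME; keep the user part untouched
        domain, _, user = name.partition("\\")
        if not domain or not user:
            raise ValueError(f"malformed DOMAIN\\USERNAME: {raw!r}")
        return f"{domain.lower()}\\{user}"
    if "@" in name:  # UPN / e-mail style, e.g. test.user@aruba.com
        user, _, realm = name.rpartition("@")
        netbios = realms.get(realm.lower())
        if netbios is None:
            raise ValueError(f"no NetBIOS domain known for realm {realm!r}")
        return f"{netbios.lower()}\\{user}"
    return f"{default_domain.lower()}\\{name}"  # bare username


def build_login_payload(mappings, timeout_seconds=1559):
    """Build a User-ID XML API login update for (ip, username) pairs.
    Every name passes through to_domain_username first, so the payload can
    only contain DOMAIN\\USERNAME entries."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for ip, user in mappings:
        ET.SubElement(login, "entry", name=to_domain_username(user), ip=ip,
                      timeout=str(timeout_seconds))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample mapping, matching the IP shown in the article output.
    print(build_login_payload([("10.68.105.24", "test.user@aruba.com")]))
```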
I noticed that the workaround using the "DOMAIN\USERNAME" format doesn't work when the Controller is configured with EAP termination and LDAP integration for authentication.
LDAP authentication fails and works only with "USERNAME".
Do you know if automatic domain addition (similar to the ClearPass function) is on the roadmap for future ArubaOS or InstantOS?
© Copyright 2020 Hewlett Packard Enterprise Development LP. All Rights Reserved.