Has anyone found a way around the issue below (or is it possible and I'm simply doing something wrong)?
Summary of the issue - users connect using AD credentials via ClearPass, ClearPass sends information to the Palo Alto firewall, and the Palo Alto firewall uses those credentials in firewall rules to control internet access.
The problem we have here is that when user information is sent from ClearPass to the Palo Alto, the user AD GROUP is not sent.
That is to say:
STUDENT\JBLOGGS
Gets passed to Palo Alto simply as:
JBLOGGS
Which makes it difficult to do the right user ID firewall rules on the Palo Alto.
So, is this possible and we're just doing something wrong, or is there a way around it? We considered a workaround of assigning the different groups of users to different VLANs, but that just seemed far too messy and complicated.
Cheers!