I'm setting up a PSA7000 with Active Directory integration for Authentication and Authorization (standard mode).
Authentication of users works well; however, I'm not able to do role mappings based on a rule.
When I perform a Policy trace, it seems that the appliance isn't able to gather group information. I get something like:
Variable groups =
No match on rule 'groups = ('MyGroup')
Realm MyREALM did not map user Domain\MyUser to any roles
Sign-in rejected. Reason: No Roles
Thanks to the troubleshooting tools (in the Auth Server section), I performed a "User access test" with a domain account, and through the debug I'm able to see all the groups the user is attached to. Domain join is green and "Basic verification" works well also. My issue comes with role mapping: groups are not retrieved.
Maybe someone has a clue about this problem? I saw on some forums that the workaround would be to switch Authorization from Active Directory to LDAP lookup, but I cannot understand why it doesn't work with AD, as it is able to gather all groups through the Troubleshooting tools.
Are you able to see all the groups being pulled when using the server catalog? I.e. role mapping >> new >> group membership (from the drop-down) >> update >> groups >> Server catalog >> Groups tab >> Search >> all groups present in the AD should be listed.
If yes, then adding the selected group and using it to create a role mapping rule should work without any issues.