<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Issues with Groups in Authentication Profile in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/issues-with-groups-in-authentication-profile/m-p/2100#M1555</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I am having an issue with the allow list on the Authentication Profile.&amp;nbsp; Up until yesterday I had an AD group name which pointed to the highest level of our tree and SSL-VPN users were not able to log in; the message they got was "Invalid UserID and/or Password".&amp;nbsp; I changed the allow list to "all" and now everything works, but I would like to know why I can't use a group in the allow list.&amp;nbsp; These were all AD users in this group and we also have an administrators account set-up which would not use the Group "Local Users" in the allow list, so we had to insert individual users to the allow list or "All" and it works.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So to summarize, we are not able to use Groups in the allow list but we can use "all" or individual users.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 02 Mar 2011 12:31:53 GMT</pubDate>
    <dc:creator>brancwa</dc:creator>
    <dc:date>2011-03-02T12:31:53Z</dc:date>
    <item>
      <title>Issues with Groups in Authentication Profile</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/issues-with-groups-in-authentication-profile/m-p/2100#M1555</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I am having an issue with the allow list on the Authentication Profile.&amp;nbsp; Up until yesterday I had an AD group name which pointed to the highest level of our tree and SSL-VPN users were not able to log in; the message they got was "Invalid UserID and/or Password".&amp;nbsp; I changed the allow list to "all" and now everything works, but I would like to know why I can't use a group in the allow list.&amp;nbsp; These were all AD users in this group and we also have an administrators account set-up which would not use the Group "Local Users" in the allow list, so we had to insert individual users to the allow list or "All" and it works.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So to summarize, we are not able to use Groups in the allow list but we can use "all" or individual users.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 02 Mar 2011 12:31:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/issues-with-groups-in-authentication-profile/m-p/2100#M1555</guid>
      <dc:creator>brancwa</dc:creator>
      <dc:date>2011-03-02T12:31:53Z</dc:date>
    </item>
    <item>
      <title>Re: Issues with Groups in Authentication Profile</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/issues-with-groups-in-authentication-profile/m-p/2101#M1556</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You are correct. We do not support the use of groups for Authentication Profiles using LDAP. The best option is to use RADIUS and all users. Our LDAP implementation is somewhat simple. If you create a user ID we can then use the credentials provided by the user to log into LDAP and confirm the password and user name. But this does not scale well.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Steve Krall&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 02 Mar 2011 19:49:14 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/issues-with-groups-in-authentication-profile/m-p/2101#M1556</guid>
      <dc:creator>skrall</dc:creator>
      <dc:date>2011-03-02T19:49:14Z</dc:date>
    </item>
    <item>
      <title>Re: Issues with Groups in Authentication Profile</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/issues-with-groups-in-authentication-profile/m-p/2102#M1557</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Well, there are some things you could try with RADIUS for the administrators. If you have your PAN-device admins in an AD group you could have that group in a Network Policy Server/IAS authentication profile. That should take care of the administrators. You can even utilize the vendor-specific attributes to give your admins the right privileges! It's a bit crude, but it works.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;When it comes to your SSLVPN users: how have you set up authentication? LDAP, RADIUS? If LDAP, do you filter out the groups?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 02 Mar 2011 20:50:41 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/issues-with-groups-in-authentication-profile/m-p/2102#M1557</guid>
      <dc:creator>rapoint_person</dc:creator>
      <dc:date>2011-03-02T20:50:41Z</dc:date>
    </item>
  </channel>
</rss>

