topic Re: AD Group for Authentication in General Topics

AD Group for Authentication

dusk2dusk — Tue, 04 Nov 2014 17:33:00 GMT

Let's say I have 150 users in an AD group and I need to give them all login access to my Palo Alto device farm. How do I do that?

Re: AD Group for Authentication

ssharma — Tue, 04 Nov 2014 17:40:22 GMT

dusk2dusk

This document has the information that you are looking for :

Using LDAP to Authenticate to the WebUI

This document is also applicable for CLI access as well. Thank you.

Re: AD Group for Authentication

Retired Member — Tue, 04 Nov 2014 17:40:23 GMT

you mean user's will login to paloalto ?

Just create an LDAP profile and use that with Authentication profile.

Then you'll choose that Auth. profile when creating users.

Re: AD Group for Authentication

jambulo — Tue, 04 Nov 2014 17:41:49 GMT

One way is to use the User-ID Agent to map AD usernames to IP addresses(the PA reads the AD auth logs). Then, use the Group Mapping function to pull in users/groups from AD.

EDIT: Just re-read your question. The above will allow you to apply usernames to security policies, not the PA WebUI.

Re: AD Group for Authentication

dusk2dusk — Tue, 04 Nov 2014 17:47:06 GMT

I guess I need to be more clear. I have 150 network engineers\system admins I need to give access to my Palo Alto's for management/viewing purposes. They are all in one AD group. Given the size of this group and it constantly changing for user roles and terminations there is no way I can manually manage this number of individual entries in each device.

Re: AD Group for Authentication

ssharma — Tue, 04 Nov 2014 18:06:06 GMT

In that case Radius authentication would be more appropriate as you do not have to configure Administrators information on the device. You can add/delete/modify users on back end. Each time engineers/system admin tries to access, firewall will contact Radius server and assign appropriate privileges to the users.

With LDAP, you will need to configure each 150 admins and modify each time there is a change with there privileges level. Hope this helps. Thank you.

Re: AD Group for Authentication

HULK — Tue, 04 Nov 2014 18:13:37 GMT

You may check this doc:

Configuring Administrator Authentication with Windows 2008 RADIUS Server (NPS/IAS)

Thanks

Re: AD Group for Authentication

dusk2dusk — Tue, 04 Nov 2014 18:16:28 GMT

Thank You ssharma. I guess I am wondering, with all the LDAP group info you can get in the Palo Alto along with direct Kerberos authentication, why on earth do we need to go through the laborious process of using customized RADIUS? I mean, we're already pulling that group info into the LDAP profile. Wouldn't it be a very easy thing to add group authentication straight off LDAP in PanOS code? It just seems odd not to have group auth as an option for LDAP. Unless there's a reason not to do it that way, I would like to submit a big Feature Request for this. It's rubbing many shades of the shine off of "AD Integration" after coming from traditional like ScreenOS etc.

Re: AD Group for Authentication

ssharma — Tue, 04 Nov 2014 18:32:06 GMT

I understand your concern. But unlike Radius, LDAP doesnot support VSA (vendor specific attribute), where PA can go out and query for users group association and their privilege levels. That is why we need to configure all users for LDAP.

You can certainly contact your local sales /system engineer for a feature request. Hope this helps. Thank you.

Re: AD Group for Authentication

dusk2dusk — Tue, 04 Nov 2014 18:37:07 GMT

Thanks for the Suggestion HULK. I located the RADIUS VSA document as well. Trying to figure out if I want to go to 802.1x as well so maybe NPS is the way to go.