topic Re: AD/LDAP admin authentication in 4.1 in General Topics

AD/LDAP admin authentication in 4.1

muellerm — Wed, 14 Mar 2012 17:31:21 GMT

Hi all,

does anybody have an exmple of howto authenticate a user based on it's group membership against active directory?

We have 3 kind of groups in AD which should represent the access level.

Could someone please post a small summary how to achieve this.

I tried alreday to setup LDAP Server Profile and the Authentication Profile but in the authentication profile I couldn't browse the allow list.

Maybe I missed something. When I continued with an any statement and setting up an account in the Adminsitrators tab, I wasn't able to authenticate this user.

Any ideas?

Thanks

Michael

Re: AD/LDAP admin authentication in 4.1

rmonvon — Wed, 14 Mar 2012 18:43:17 GMT

Hi...You should upgrade to PAN-OS 4.1.4 and give it another try. Thanks.

Re: AD/LDAP admin authentication in 4.1

muellerm — Fri, 16 Mar 2012 09:11:06 GMT

Hi,

thanks for the reply.

But the upgrade didn't solve the problem.

Is there a step-by-step guid avaiable which I can follow, to check if I don't miss a setp?

Michael

Re: AD/LDAP admin authentication in 4.1

rmonvon — Fri, 16 Mar 2012 14:10:07 GMT

Hi Michael...I thought the problem was that you couldn't browse the allow list in the Authen Profile. Are you able to browse the allow list under version 4.1.4? Does the LDAP admin authentication work if you set the allow list to 'All' by selecting the All checkbox?

Here's a guide on configuring Kerberos authentication in PANOS 4.0: https://live.paloaltonetworks.com/docs/DOC-1762. The procedure for the Authen Profile is basically the same as for LDAP. Maybe you can try to use Kerberos instead of LDAP.

Re: AD/LDAP admin authentication in 4.1

apackard — Fri, 16 Mar 2012 23:32:55 GMT

I'm guessing he's asking for something that I was interested in.

I have Kerberos based authentication working, so if I setup a user called BOB, and I have an AD account with the same name I can authenticate using the BOB AD password - all good.

However, what I want is to be able to link an AD group without having to create the local account - so if I add TOM to the AD group it automatically allows TOM to login to the Palo without having to create the local account to map to...

My view anyway!

Re: AD/LDAP admin authentication in 4.1

rmonvon — Sat, 17 Mar 2012 17:10:25 GMT

Within the Authentication Profile, you can permit the group(s) under the Allow List that will have admin access. Under Device tab ==> Setup ==> Authentication Settings, you then select the Authen Profile to use. Please give that a try. Thanks.

Re: AD/LDAP admin authentication in 4.1

muellerm — Mon, 19 Mar 2012 08:50:26 GMT

Hi,

the authentication is working with Kerberos thanks for the advice.

But what I'd like to have is a authentication based on the AD groups. That I don't need to create each account on the box.

Thanks

Michael

Re: AD/LDAP admin authentication in 4.1

jasbeck — Mon, 19 Mar 2012 17:54:54 GMT

I had the same issue with 4.1 (4.1.3 in my case). The documentation in the admin guide and user id agent setup fail to tell you this, but if you want to use Kerberos and not LDAP then you have to use the old user id agent 3.1 for AD. Then it will work (provided the account being used to browse has appropriate permissions). The reason being (as explained to me by tech support) is that the PAN does all the user to group mapping in 4.1.x and it only supports that via LDAP at this time.

In order to make it work with Kerberos (using Kerberos authentication profiles, sequences, and server profiles) then you have to use the 3.1 user id agent for AD. Even using 4.1.3-2 user id agent in a proxy mode will break it.