https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2975#M2210 <HTML><HEAD></HEAD><BODY><P>I'm still struggling trying to authenticate a group of users as Palo Alto admins. These users are not in any one particular group. I get the error 'Authentication profile not found for the user' . I just want to create a list of ids for Palo Alto to query AD for using LDAP. Is the problem that PA will only search for groups or at a particular search base DN ? It cant search nested groups.</P><P></P><P>I also am lost on how to turn debugging on just for this process. It would be good to see what the PA queries for.</P><P></P><P>A 'test authentication' applet in the GUI might be a good thing to add.</P><P></P><P>Any help would be appreciated.</P></BODY></HTML> Wed, 02 Mar 2011 16:13:11 GMT jickfoo 2011-03-02T16:13:11Z https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2964#M2199 <HTML><HEAD></HEAD><BODY><P>Hi Support team,</P><P></P><P>I tried to authenticate admin with RADIUS, but failed.</P><P>The following message appeared in System logs:</P><P><EM>- User 'komure' failed authentication. Reason: User is&nbsp; not in allowlist</EM></P><P></P><P>What does it mean?</P><P></P><P>device : PA-500</P><P>PANOS : 3.1.0</P><P></P><P>Regards,</P><P>Tomoyuki Komure</P></BODY></HTML> Fri, 16 Apr 2010 07:18:24 GMT https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2964#M2199 migration 2010-04-16T07:18:24Z https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2965#M2200 <HTML><HEAD></HEAD><BODY><P>I add the same error but with ldap and ssl, and i switch the authentication profile (that i add LDAP) and switch to authentication none. I add to include the group where the users belongs to. In radius you can check the user group that the user belongs. </P><P>And worked for me.</P><P>Thks.</P><P>Helder Teixeira</P></BODY></HTML> Fri, 16 Apr 2010 15:37:27 GMT https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2965#M2200 helder_teixeira 2010-04-16T15:37:27Z https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2966#M2201 <HTML><HEAD></HEAD><BODY><P>last update i´ve got some users working with; (DOMAIN\username) and others with (DOMAIN\\username) give it and try. </P></BODY></HTML> Fri, 16 Apr 2010 16:37:46 GMT https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2966#M2201 helder_teixeira 2010-04-16T16:37:46Z https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2967#M2202 <HTML><HEAD></HEAD><BODY><P>If you are using RADIUS for authentication, it's going to be two parts. First, you must allow the RADIUS authentication. I would pick a global group like "Authenticated Users" or "Domain Users" in your RADIUS policy.</P><P></P><P>Then you have to allow the user in either the Administrators list under the Device tab, or the Authentication Profile you are using for your SSL VPN.</P></BODY></HTML> Thu, 22 Apr 2010 15:12:32 GMT https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2967#M2202 mharding 2010-04-22T15:12:32Z https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2968#M2203 <HTML><HEAD></HEAD><BODY><P>Could some one please post a working example of administrator authentication via LDAP?</P><P></P><P>I have many non-Palo devices working like a treat but I can't seem to get the Palo to work!</P><P></P><P>I can't even find anything in the log and doing a debug ldap-server stats shows the server as not running!</P><P></P><P>If there a better way to test? Some log that may indicate as to why it is not making a connection e.g. invalid bind DN etc?</P><P></P><P>Thanks</P></BODY></HTML> Tue, 27 Apr 2010 16:15:32 GMT https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2968#M2203 sunny_gill 2010-04-27T16:15:32Z https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2969#M2204 <HTML><HEAD></HEAD><BODY><P>I believe you can only use RADUIS if you want to authenticate an administrative user to the PAN Device. I see two options when configuring a new administrative user, Local DB and RADIUS.</P><P></P><P>You can use the PAN Agent to authenticate users using LDAP if you want to setup security policies with source users.</P></BODY></HTML> Wed, 28 Apr 2010 20:14:46 GMT https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2969#M2204 mharding 2010-04-28T20:14:46Z https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2970#M2205 <HTML><HEAD></HEAD><BODY><P>Starting in version 3.1.x, you can define authentication profile which uses local DB, Radius, or LDAP.&nbsp; The administrators can be authenticated to the profile of your choosing and admin auth can use&nbsp; local DB, Radius, or LDAP.</P></BODY></HTML> Wed, 28 Apr 2010 22:46:17 GMT https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2970#M2205 rmonvon 2010-04-28T22:46:17Z https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2971#M2206 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I've been strugling with this also but I think I got this working (adding the user 'all' to the allow list,...).</P><P></P><P>Please see attached PDF file for a step by step guide en let me know the result.</P><P></P><P>regards,</P><P>Philippe</P></BODY></HTML> Thu, 23 Sep 2010 12:56:45 GMT https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2971#M2206 philippe_boeij 2010-09-23T12:56:45Z https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2972#M2207 <HTML><HEAD></HEAD><BODY><P>Thank you for the write-up and sharing with all of us!!</P></BODY></HTML> Thu, 23 Sep 2010 14:03:38 GMT https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2972#M2207 rmonvon 2010-09-23T14:03:38Z https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2973#M2208 <HTML><HEAD></HEAD><BODY><P>Thank you. This helps!</P></BODY></HTML> Tue, 30 Nov 2010 18:02:08 GMT https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2973#M2208 rapoint_person 2010-11-30T18:02:08Z https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2974#M2209 <HTML><HEAD></HEAD><BODY><P>Brilliant.&nbsp; <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" />&nbsp; Thanks for the great write-up.&nbsp; I have spent a few hours troubling with this. </P><P></P><P>Arnljot</P></BODY></HTML> Tue, 07 Dec 2010 00:51:46 GMT https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2974#M2209 aseem 2010-12-07T00:51:46Z https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2975#M2210 <HTML><HEAD></HEAD><BODY><P>I'm still struggling trying to authenticate a group of users as Palo Alto admins. These users are not in any one particular group. I get the error 'Authentication profile not found for the user' . I just want to create a list of ids for Palo Alto to query AD for using LDAP. Is the problem that PA will only search for groups or at a particular search base DN ? It cant search nested groups.</P><P></P><P>I also am lost on how to turn debugging on just for this process. It would be good to see what the PA queries for.</P><P></P><P>A 'test authentication' applet in the GUI might be a good thing to add.</P><P></P><P>Any help would be appreciated.</P></BODY></HTML> Wed, 02 Mar 2011 16:13:11 GMT https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2975#M2210 jickfoo 2011-03-02T16:13:11Z https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2976#M2211 <HTML><HEAD></HEAD><BODY><P>You can define an Authentication Profile, use LDAP for the auth method, and type in 'all' for the allow user.&nbsp; The 'all' means any users in your AD/LDAP will valid username/password will be permit as an admin.&nbsp; I use this to for testing only.&nbsp; NOTE: 'all' is really all without the quotes.</P><P></P><P>Once that works, you then permit specific users or groups to be admins by replacing the 'all' with actual AD usernames/groups.</P></BODY></HTML> Wed, 02 Mar 2011 16:35:59 GMT https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2976#M2211 rmonvon 2011-03-02T16:35:59Z https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2977#M2212 <HTML><HEAD></HEAD><BODY><P>you mean in the auth profile I add all ? Like in the attached picture ? Cause that didnt work. </P><P></P><P>What do you use for login attribute ? sAMAccountName ?</P></BODY></HTML> Wed, 02 Mar 2011 17:07:40 GMT https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2977#M2212 jickfoo 2011-03-02T17:07:40Z https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2978#M2213 <HTML><HEAD></HEAD><BODY><P>That's correct - for LDAP, you also need to add the user here:</P><P><IMG alt="Screen shot 2011-03-02 at 18.51.50.png" class="jive-image-thumbnail jive-image" onclick="" src="https://live.paloaltonetworks.com/legacyfs/online/2247_Screen shot 2011-03-02 at 18.51.50.png" width="450" /></P><P></P><P>This is why RADIUS can be more scaleable if you have a high number of admins:</P><P><A class="jive-link-external-small" href="https://live.paloaltonetworks.com/docs/DOC-1701">https://live.paloaltonetworks.com/docs/DOC-1701</A></P><P></P><P></P><P>Thanks</P><P>James</P></BODY></HTML> Wed, 02 Mar 2011 18:54:28 GMT https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2978#M2213 James 2011-03-02T18:54:28Z https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2979#M2214 <HTML><HEAD></HEAD><BODY><P> Thanks that worked.</P></BODY></HTML> Wed, 02 Mar 2011 20:28:28 GMT https://live.paloaltonetworks.com/t5/general-topics/admin-auth-failed/m-p/2979#M2214 jickfoo 2011-03-02T20:28:28Z