topic Re: User is not in allowlist in General Topics

User is not in allowlist

will74103 — Mon, 27 Sep 2010 21:01:11 GMT

Running PAN 2020 v3.1.4 using LDAP authentication with eDirectory. I have a userid that will not authenticate via Captive portal. I am seeing a " User is not in allowlist" error in the System Log.

I have verified that the userid in quesiton is in Server group. That Server Group is referenced by a Security policy as the source User. I have verified using "show user ldap-server server all" that the username in question does appear in the list on the paloalto.

As an FYI this same userid authenticates fine via the ldap agent. If I run a show user ip-user-mapping for the IP address of a system that is logged in via the agent it correctly shows the userid as being in the group called out by a security policy.

At this point, I am not seeing what is holding this up. If that userid has logged in via the agent already on another box, would that somehow prevent that userid from logging in via captive portal on another system?

What should I be checking to troubleshoot this problem?

Thanks.

Re: User is not in allowlist

James — Mon, 27 Sep 2010 21:47:22 GMT

Hi There,

You need to edit the allow list. These links should answer your problem:

https://live.paloaltonetworks.com/message/1779#1779

https://live.paloaltonetworks.com/message/3103#3103

Thanks

James

Re: User is not in allowlist

rahmant — Tue, 28 Sep 2010 16:30:21 GMT

Can you try adding the user directly to the allowlist instead of using the group? Not permanently, but just to ensure that the general mapping is working. If that works, then it's something to do with group enumeration.

Tariq

Re: User is not in allowlist

will74103 — Tue, 28 Sep 2010 17:46:37 GMT

I got the problem resolved. This particular userid had not been added to the group referenced by the Authentication policy. Once added, it began working.

This is a new installation and I simply forgot that the Authentication policy references an LDAP group.