https://live.paloaltonetworks.com/t5/general-topics/authenticating-panorama-users-with-ad/m-p/37747#M27663 <HTML><HEAD></HEAD><BODY><P>nevermind I got it.. DN of the id to query AD had a syntax error.</P></BODY></HTML> Mon, 25 Apr 2011 19:21:48 GMT jhickey 2011-04-25T19:21:48Z https://live.paloaltonetworks.com/t5/general-topics/authenticating-panorama-users-with-ad/m-p/37741#M27657 <HTML><HEAD></HEAD><BODY><P>Is it possible to authenticate users using their AD credentials when they log into Panorama? Short of giving administrators their own login into Panorama, I'm unable to track who has changed what.</P><P></P><P>I've read through the LDAP guide, but it focuses on the actual security devices and not Panorama.</P><P></P><P>Has anyone done this or know if it is possible?</P><P></P><P>Thanks</P></BODY></HTML> Tue, 13 Jul 2010 15:55:41 GMT https://live.paloaltonetworks.com/t5/general-topics/authenticating-panorama-users-with-ad/m-p/37741#M27657 robert.b 2010-07-13T15:55:41Z https://live.paloaltonetworks.com/t5/general-topics/authenticating-panorama-users-with-ad/m-p/37742#M27658 <HTML><HEAD></HEAD><BODY><P>Yes, but you'll need a RADIUS server. You'll add the Panorama to the RADIUS clients using the RADIUS standard client-vendor attributes. Then create a strong password for the shared secret. Write that down, and we'll come back to that next.</P><P></P><P>Then you'll need to add the RADIUS policies. For a Windows RADIUS server, we use the "Client Friendly Name Matches" and use the name of the RADIUS client you just added, and "Windows-Groups matches" for the group of users you want to authenticate.</P><P></P><P>Then click on the "Edit Profile" button. Under the authentication tab, check everything but "Encrypted authentication (CHAP)" and "Allows clients to connect without negotiation an authenticate method."</P><P></P><P>Then stop and start the RADIUS server.</P><P></P><P>Then create a RADIUS profile in Panorama. Added the IP address of the RADIUS server and enter to shared secret you assigned for that server. Then you should be able to add the administrative user's short name, and select the checkbox for RADIUS authentication. Commit the change and try it out.</P><P></P><P>I think that's everything we had to do to make it work.</P></BODY></HTML> Tue, 13 Jul 2010 18:28:20 GMT https://live.paloaltonetworks.com/t5/general-topics/authenticating-panorama-users-with-ad/m-p/37742#M27658 mharding 2010-07-13T18:28:20Z https://live.paloaltonetworks.com/t5/general-topics/authenticating-panorama-users-with-ad/m-p/37743#M27659 <HTML><HEAD></HEAD><BODY><P>Thanks, I'll see if we can get the Windows IAS installed.</P><P></P><P>Pity it can't just use LDAP!</P></BODY></HTML> Wed, 14 Jul 2010 07:23:16 GMT https://live.paloaltonetworks.com/t5/general-topics/authenticating-panorama-users-with-ad/m-p/37743#M27659 robert.b 2010-07-14T07:23:16Z https://live.paloaltonetworks.com/t5/general-topics/authenticating-panorama-users-with-ad/m-p/37744#M27660 <HTML><HEAD></HEAD><BODY><P>If it can, I haven't bothered. We set it up before PAN OS 3.1.</P></BODY></HTML> Wed, 14 Jul 2010 13:00:22 GMT https://live.paloaltonetworks.com/t5/general-topics/authenticating-panorama-users-with-ad/m-p/37744#M27660 mharding 2010-07-14T13:00:22Z https://live.paloaltonetworks.com/t5/general-topics/authenticating-panorama-users-with-ad/m-p/37745#M27661 <HTML><HEAD></HEAD><BODY><P>You should be able to use LDAP directly for checking the account credentials but you would still need to setup the admin accounts within Panorama as it will only use the LDAP connection for checking the password. If you want to avoid setting up the accounts explicitly, you can use RADIUS VSAs to have Panorama (or the device) leverage directory information to determine which accounts should have access to the system (and what level of access).</P><P></P><P>Mike</P></BODY></HTML> Fri, 23 Jul 2010 17:42:17 GMT https://live.paloaltonetworks.com/t5/general-topics/authenticating-panorama-users-with-ad/m-p/37745#M27661 mjacobsen 2010-07-23T17:42:17Z https://live.paloaltonetworks.com/t5/general-topics/authenticating-panorama-users-with-ad/m-p/37746#M27662 <HTML><HEAD></HEAD><BODY><P>Mike, I cant get this to work. I set up AD Admin auth just like it is setup on my firewalls. I get invalid username/password.</P></BODY></HTML> Mon, 25 Apr 2011 19:15:21 GMT https://live.paloaltonetworks.com/t5/general-topics/authenticating-panorama-users-with-ad/m-p/37746#M27662 jhickey 2011-04-25T19:15:21Z https://live.paloaltonetworks.com/t5/general-topics/authenticating-panorama-users-with-ad/m-p/37747#M27663 <HTML><HEAD></HEAD><BODY><P>nevermind I got it.. DN of the id to query AD had a syntax error.</P></BODY></HTML> Mon, 25 Apr 2011 19:21:48 GMT https://live.paloaltonetworks.com/t5/general-topics/authenticating-panorama-users-with-ad/m-p/37747#M27663 jhickey 2011-04-25T19:21:48Z