topic Re: LDAP (Active directory) Authentication for administrators in General Topics

LDAP (Active directory) Authentication for administrators

soporteseguridad — Tue, 02 Jul 2013 06:01:46 GMT

Hi,

Im trying to configure my PA to validate with my AD to can manage it. I have create a group in my Active Directory called (com_cos), this group has the user to manage the PA. I have add this group in Group mapping and Authentication profile (Allowlist) but it seems like the PA has any problem with the group in AD.

This is output error: User 'csg.es\as' failed authentication. Reason: User is not in allowlist From: 172.16.28.133.

I attach the config

Best regards,

Thanks

Re: LDAP (Active directory) Authentication for administrators

sraghunandan — Tue, 02 Jul 2013 06:05:50 GMT

Can you try using the netbios name i.e just cgs under the domain filed in your LDAP server profile.

Re: LDAP (Active directory) Authentication for administrators

soporteseguridad — Tue, 02 Jul 2013 08:14:03 GMT

I tried it and it didnt work .....

Re: LDAP (Active directory) Authentication for administrators

Retired Member — Tue, 02 Jul 2013 08:18:53 GMT

try to refresh group mapping

clear all user cache

1- clear user-cache and clear user-cache-mp

2- debug user-id refresh group-mapping all

try again.

Re: LDAP (Active directory) Authentication for administrators

soporteseguridad — Tue, 02 Jul 2013 08:54:46 GMT

i jus tried and not working

this is the error output

User 'CSG\jeca' failed authentication. Reason: User is not in allowlist From: 172.16.28.135.

do i need to configure something in AD in order to PA can read the groups????

Re: LDAP (Active directory) Authentication for administrators

Retired Member — Tue, 02 Jul 2013 09:00:04 GMT

write a security rule for that group

after commit look for the user information from cli if you see the group or not

show user ip-user-mapping ip

Re: LDAP (Active directory) Authentication for administrators

UhMayYeah — Tue, 02 Jul 2013 09:02:43 GMT

With LDAP,you would have to define each user in the AD group ,on the firewall ,as an Administrator.

For AD group-based Authentication ,you can use Radius Refer: Radius Vendor Specific Attributes (VSA)

Re: LDAP (Active directory) Authentication for administrators

soporteseguridad — Tue, 02 Jul 2013 09:26:26 GMT

Its not working the user is assgined to the correct group.......but i dont know why its not allowed in the list

User 'CSG\jeca' failed authentication. Reason: User is not in allowlist From: 172.16.28.135.

IP address: 172.16.28.135 (vsys1)

User: csg\jeca

From: UIA

Idle Timeout: 2933s

Max. TTL: 2933s

Groups that the user belongs to (used in policy)

Group(s): cn=com_cos,cn=users,dc=csg,dc=es

Re: LDAP (Active directory) Authentication for administrators

UhMayYeah — Tue, 02 Jul 2013 09:33:20 GMT

Change the Allow-list to all as AD Group_based Auth for FW Admin is not possible using LDAP.

You can authenticate individual AD users.

So to authenticate user csg\jeca

Create a local Admin under Device>Administrators called jeca and assign it with Auth Profile using Server profile LDAP

Make sure you change the the Allow-list to all in the Auth Profile

Re: LDAP (Active directory) Authentication for administrators

soporteseguridad — Tue, 02 Jul 2013 09:43:54 GMT

Yes i had that configuration before, but its quite annoying to create a user in PA each time that user go in the company. it would be easier that PA could auth with AD groups in this way i only would have to create the user in ldap and the PA use the LDAP group............

Ok ill revert the conf........thanks

Re: LDAP (Active directory) Authentication for administrators

UhMayYeah — Tue, 02 Jul 2013 10:30:53 GMT

Just to reiterate ,you can use Radius for AD-Group based Admin Authentication Refer: Radius Vendor Specific Attributes (VSA)

Re: LDAP (Active directory) Authentication for administrators

arvesynd — Wed, 03 Jul 2013 10:13:36 GMT

Hi,

I had the exact same problem with my LDAP-login.

For domain, you need to enter the Netbios name, not the FQDN, as the users are identified as domain\username, not domain.com\username.

In your case, domain should simply be "csg", not "csg.es".

When logging in I would try to first go ahead without specifying the domain, and if that doesn't work, try domain\username.

If you've been having trouble with policies based on AD-groups not working, this will also solve that problem.

Another thing I noticed is the Bind DN, this is the entire DN, and it seems like you have typed the username of the Palo Alto firewall user?

To make sure you get this right, open Active Directory Users and Computers on your Active Directory server, select the user properties and go to the Attribute Editor. (go to View, and select Advanced Features to get this option)

Copy the contents of the field distinguishedName.

Hope this helps.

Re: LDAP (Active directory) Authentication for administrators

UhMayYeah — Wed, 17 Jul 2013 21:23:58 GMT

When you try to configure this using CLI ,it clearly suggests that Only RADIUS method is supported for

for non-local admins

# set deviceconfig system authentication-profile

<value> Authentication profile to use for non-local admins. Only RADIUS method is supported.

So if you need to use AD groups for admins not configured locally you need RADIUS.

Re: LDAP (Active directory) Authentication for administrators

IanJohnston — Mon, 19 Aug 2013 14:49:39 GMT

I have a similar issue: I have several outside vendors defined as local users, they can log on to a 'captive portal' and then connect to a server in our DMZ. The users are created, enabled, and added to a user group; and also added to the users column of the policy allowing them to connect to the server - basically any source, these users, that destination, https. Of the two users I have added one is working fine but the other fails at the firewall authentication with the system log message: User '<name>' failed authentication. Reason: User is not in allowlist From: <remote IP>.

Anyone have any ideas where I should be looking for an answer?

Thanks

Ian

Re: LDAP (Active directory) Authentication for administrators

VinceM — Wed, 21 Aug 2013 11:59:32 GMT

Hi,

Keep in mind that for creating new PA's admin, the amin account has to exist in your AD and you have to recreate it in the administrator menu in the palo.

Hope help.

Re: LDAP (Active directory) Authentication for administrators

Gururaj — Wed, 21 Aug 2013 12:23:47 GMT

Hi,.

As per my knowledge,.. you can't create group based authentication (correct me if i am wrong), instead create a admin with the unique user name as in the AD. Below snaps shows the same.

Create a auth profile.

Create a new administrator. In the below snap, Name : nithin is same as in the AD ( Name should match the user name in the AD)

Regards,

Gururaj