topic Re: Panorama 4.1.8 LDAP Failure in General Topics

Panorama 4.1.8 LDAP Failure

sitecore — Tue, 25 Sep 2012 11:24:53 GMT

Having upgraded our Panorama from 4.1.7 to 4.1.8 - we can no longer use the LDAP user authentication.

The user constantly gets "invalid username or password" (same message on the Panorama) - yet this worked without any problems with 4.1.7

On Panorama - one can see that in the LDAP profile - the Base option is never getting populated (dropdown option is only "none" rather than domain name).

Is this a new "feature" ?

JørgeDA

Re: Panorama 4.1.8 LDAP Failure

tstokkeland — Tue, 25 Sep 2012 12:10:28 GMT

I am having the exact same issue on a PA-2050 and on panorama - I am downgrading for the time being...

Re: Panorama 4.1.8 LDAP Failure

jochristian — Tue, 25 Sep 2012 12:32:28 GMT

Hello,

We are having the same/similar issue on a PA-2050 and on Panorama.

The reason why I write similar is because I noticed the problem after not being able to log into the PA at all after upgrading after some time.

When I looked at the cpu usage on the PA (show system resources follow) it showed that the authd is using 100% cpu and this "blocks" all other attempts to authenticate on the PA (localusers, radius, ldap etc..).

I still had problems after downgrading to version 4.1.7, but then I noticed a error message in the systemlog regarding ldap not being able to connect to the ldap server on SSL..

I disabled SSL and changed the ldap port to 389 and everything seems to be working OK.

I have opened up a case on support (#00096705) and the issue has been escalated to TAC.

Jo Christian

Re: Panorama 4.1.8 LDAP Failure

tstokkeland — Tue, 25 Sep 2012 12:34:15 GMT

just more fyi - I downgraded my pa-2050 and ldap auth (for admin login) started working again - leaving my panorama at 4.1.8 for now in hopes of a fix coming soon

Re: Panorama 4.1.8 LDAP Failure

EdwinD — Tue, 25 Sep 2012 19:31:25 GMT

This is specifically LDAP authentication into the administrative website of the Palo Alto *only*, correct?

I am having other issues in 4.1.7 that I really need resolved and are known fixes in 4.1.8. I use LDAP for user based rules, however my admin users are all locally defined to the PAs.

Thanks.

Re: Panorama 4.1.8 LDAP Failure

sitecore — Wed, 26 Sep 2012 06:16:02 GMT

@ Edwin,

I would expect this to be a general LDAP issue, because I'm not able to have the LDAP server profile to see the AD correctly.

Joergen

Re: Panorama 4.1.8 LDAP Failure

sdurga — Wed, 26 Sep 2012 06:50:08 GMT

Hi guys, I was able to reproduce the same behavior my lab testing. The LDAP server profile is now (in 4.1.8) not able to see the server correctly. The LDAP server is auto populating the base server info in the earlier version but not in 4.1.8. This looks buggy. Please open a ticket with support.

Thanks,

Sandeep T

Re: Panorama 4.1.8 LDAP Failure

JoergK — Wed, 26 Sep 2012 09:25:03 GMT

same problem with Kerberos :smileyminus:

Re: Panorama 4.1.8 LDAP Failure

tstokkeland — Wed, 26 Sep 2012 12:01:03 GMT

pretty sure kerberos had an issue all along though - i was advised by TAC to use ldap/ad instead of kerb some time ago, and that fixed the issues i had then - these ldap issues now I only noticed in admin-auth, I didnt test on ssl-vpn auth before downgrading, but I dont use ldap in rules, I use user/groups but that is provided by the DC agents i believe, I dont think that was affected but I didnt test it all through

Re: Panorama 4.1.8 LDAP Failure

reaper — Thu, 27 Sep 2012 07:36:28 GMT

Please try removing the "domain" entry in the ldap/kerberos profile, this can cause issues with the actual autentication

regards

Tom

Re: Panorama 4.1.8 LDAP Failure

sitecore — Thu, 27 Sep 2012 08:45:47 GMT

Hi Tom,

Confirming that after removing the domain entry I was able to log on with my domain account.

The bind section however - will still not populate. It has to be there thou for the authentication to work.

So step forward - but not something I will try on my firewalls

Jørgen

Re: Panorama 4.1.8 LDAP Failure

JoergK — Thu, 27 Sep 2012 08:53:17 GMT

Yes, it works without "domain" entry

On prior Version it works also without this entry. So where is it used for?

Thx
Jörg

Re: Panorama 4.1.8 LDAP Failure

MGoodnow — Mon, 01 Oct 2012 16:20:48 GMT

Confirmed on PA5020 that removing the "doman" entry in Kerberos resolved login issue on 4.1.8.

Re: Panorama 4.1.8 LDAP Failure

oneidanation — Tue, 02 Oct 2012 18:30:27 GMT

Confirmed here as well on PA2050.

Re: Panorama 4.1.8 LDAP Failure

cparrish — Mon, 29 Oct 2012 15:32:11 GMT

Ive had to flip the "domain" entry setting back and forth to get LDAP to work correctly.

I would remove it, and it would work for a while....then I would have to add it back and then remove it to get it to work again.

Tech support has now suggested to me that I go back to version 4.1.7-h2

Re: Panorama 4.1.8 LDAP Failure

cparrish — Wed, 31 Oct 2012 01:59:14 GMT

Downgraded to 4.1.7h2, but the same issue popped up again.

Re: Panorama 4.1.8 LDAP Failure

sitecore — Wed, 31 Oct 2012 06:09:54 GMT

Wohaa. Thanks for that Chris. I was looking at upgrading not).

Small warning for people: The 4.1.8 also seems to fail VPN client connection using internal certificates. This might be related to the LDAP issue - not sure thou.

Joergen

Re: Panorama 4.1.8 LDAP Failure

tstokkeland — Wed, 31 Oct 2012 12:02:16 GMT

Pretty sure The VPN certificate issue is not a bug - there was a warning/release-note issued, i got an email, that mentioned the certificate must match the name of the URL, and some extra validations that the new versions of client or gateway will do, so if your cert is not created correctly it will probably cause an issue.

https://live.paloaltonetworks.com/docs/DOC-2020

I am very curios, I still havent upgraded, but with the man-in-the-middle vulnerability noted a few days ago, i will want to upgrade sooner than later... how many out there are using 4.1.8 with ldap auth successfully? in other words, are the issues common for everyone or is it just a few that have issues, meaning the solutions in this thread took care of it for most?

btw, here is the content of that email:

Announcement: GlobalProtect 1.1.7 Release Notes Announcement

created by panagent in Palo Alto Networks Live - View the announcement

GlobalProtect 1.1.7 implements enhanced checks for CA Server Certificates chain-of-trust. This change will cause some existing configurations to become invalid and may result in remote users receiving an error when connecting to the portal, or will not be able to connect if the certificate issue is present on the gateway. Before deploying the GlobalProtect Agent 1.1.7 to users, ensure that the Portal and all Gateway server certificates are valid and that the certificate Common Name (CN) fields match the FQDN or IP address of the portal and/or gateway that uses the certificate.

The SSL certificate that you use for the GlobalProtect portal/gateway should have a Common Name (CN) that matches what you configured in the portal settings. For example, if your certificate has the CN of gp.example.com, ensure that your portal configuration lists the gateway as gp.example.com and does not use an IP address and vice versa, otherwise when the GlobalProtect Agent tries to connect it will generate an error specifying that the certificate CN does not match.

Additionally, when the certificate is created, the Subject Alternative Name (SAN) must be exactly the same as the certificate's CN. If the certificate uses the CN of the DNS name, ensure that the SAN also uses the DNS name and not the IP address. A mismatch will cause the GlobalProtect Agent to recognize that the SAN is not the same as the CN and will also produce the certificate error.

If your certificates are generated by a public certificate authority, then this will be done correctly and you should not have any issues.

Refer to the following tech note for details on configuring server certificates https://live.paloaltonetworks.com/docs/DOC-2020.

Announcement expires on November 25, 2012

Re: Panorama 4.1.8 LDAP Failure

sitecore — Wed, 31 Oct 2012 12:11:20 GMT

Sorry to disappoint you - but the above issue is related to the GlobalProtect agent - not the firmware version on the firewall.

You can experience the problem they mention on any firmware level if you use GP 1.1.7

We saw the authentication problem on a PA with 4.1.8 (and GP 1.1.7). After downgrading to 4.1.7 (still GP 1.1.7) our VPN client certificate authentication worked again.

Jørgen

Re: Panorama 4.1.8 LDAP Failure

oneidanation — Wed, 31 Oct 2012 15:12:11 GMT

We have been on 4.1.8 for a few weeks now and had to remove the domain entry from the Kerberos profile to correct the authentication issue when logging into the console. We use Kerberos for our PA administrator accounts.

Did not have to remove this from the LDAP profile, the LDAP profile still has the domain name but not the FQDN. We do not use Panaorama however.

We are having other issues with Group Mappings but this has not been verified as of yet as a firmware 4.1.8 issue, currently working with Tech Support to resolve. The issue is that the PA will randomly drop the group mappings for the user so then none of the rules will match to a user group and they will get our default block policy. As a temporary fix we have to clear user-cache and user-group-cache then restart user-id.