https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4364#M3230 <HTML><HEAD></HEAD><BODY><P>Hi Chetan,</P><P></P><P>Since the firewall does not support ldap authentication for non-local users. So even if showing successfully authenticated in the logs, It tries to look in to the administrator tab if there is any username of the same name which it authenticated. </P><UL><LI>If we use custom name, it won't find the username and will show the error "invalid username or password". So that is why we need to create individual administrator profile corresponding to the name we authenticated or else use radius.</LI></UL><P><IMG alt="radius.PNG" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/14272_radius.PNG" style="height: auto;" /></P><P></P><P>Regards</P><P>Aamir Khan</P></BODY></HTML> Thu, 03 Jul 2014 05:37:58 GMT Westcon2 2014-07-03T05:37:58Z https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4350#M3216 <HTML><HEAD></HEAD><BODY><P>Trying to create role based user account for monitoring the firewall. I tried to use ldap authentication. However it seems there is some issue with using ldap</P><P><IMG alt="pix1.PNG" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/14262_pix1.PNG" style="height: 503px; width: 620px;" /></P><P>I am facing this error after trying to authentication with correct credentials and below are the logs</P><P><IMG alt="pix2.PNG" class="image-1 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/14263_pix2.PNG" style="height: 208px; width: 620px;" /></P><P>Although it shows authenticated, but still the invalid username and / or password on the GUI</P><P></P><P>Is it that it can't be done using ldap?</P><P></P><P>Regards</P><P>Aamir Khan</P></BODY></HTML> Thu, 03 Jul 2014 00:55:55 GMT https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4350#M3216 Westcon2 2014-07-03T00:55:55Z https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4351#M3217 <HTML><HEAD></HEAD><BODY><P>Hello Aamir,</P><P></P><P>Could you please let us know the PAN OS version running on this PAN firewall and is the&nbsp; username contains non-alphanumeric characters such as "/"...?</P><P></P><P>Thanks</P></BODY></HTML> Thu, 03 Jul 2014 01:05:39 GMT https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4351#M3217 HULK 2014-07-03T01:05:39Z https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4352#M3218 <HTML><HEAD></HEAD><BODY><P>You may want to refer following document for more detail.</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-5177">Defining Granular Admin Role Profiles</A></P></BODY></HTML> Thu, 03 Jul 2014 01:10:51 GMT https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4352#M3218 hshah 2014-07-03T01:10:51Z https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4353#M3219 <HTML><HEAD></HEAD><BODY><P>I am using 6.0.3, however i test it on 6.0.1 with same result.The password is alpha numeric</P></BODY></HTML> Thu, 03 Jul 2014 01:14:56 GMT https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4353#M3219 Westcon2 2014-07-03T01:14:56Z https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4354#M3220 <HTML><HEAD></HEAD><BODY><P>Lets say you want to create Role based authentication for user Robert, than make sure Devcie &gt; Administrator &gt; &amp; Name is Robert, if its different it will not work.</P><P></P><P>Good news is it works with LDAP.</P></BODY></HTML> Thu, 03 Jul 2014 01:16:22 GMT https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4354#M3220 hshah 2014-07-03T01:16:22Z https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4355#M3221 <HTML><HEAD></HEAD><BODY><P><IMG alt="Role_Based2.png" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/14267_Role_Based2.png" style="height: 282px; width: 620px;" /></P></BODY></HTML> Thu, 03 Jul 2014 01:18:57 GMT https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4355#M3221 hshah 2014-07-03T01:18:57Z https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4356#M3222 <HTML><HEAD></HEAD><BODY><P>The Problem is I am not using predefined roles. I am having custom roles.</P></BODY></HTML> Thu, 03 Jul 2014 01:22:53 GMT https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4356#M3222 Westcon2 2014-07-03T01:22:53Z https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4357#M3223 <HTML><HEAD></HEAD><BODY><P><IMG alt="pix3.PNG" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/14268_pix3.PNG" style="height: 232px; width: 620px;" /><IMG alt="pix4.PNG" class="image-1 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/14269_pix4.PNG" style="height: auto;" /><IMG alt="pix5.PNG" class="jive-image image-2" src="https://live.paloaltonetworks.com/legacyfs/online/14270_pix5.PNG" style="height: auto;" /></P></BODY></HTML> Thu, 03 Jul 2014 01:26:57 GMT https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4357#M3223 Westcon2 2014-07-03T01:26:57Z https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4358#M3224 <HTML><HEAD></HEAD><BODY><P>Hi Westcon,</P><P></P><P>For Custom Role and Standard Role, configuration is same. So I think that is not the problem.</P><P></P><P>Do you have runtime.in/iseadmin or iseadmin in Administrator filed? I think this is the issue.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Thu, 03 Jul 2014 01:26:58 GMT https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4358#M3224 hshah 2014-07-03T01:26:58Z https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4359#M3225 <HTML><HEAD></HEAD><BODY><P>Instead iseadmin can you try "<SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">runtime.in/iseadmin</SPAN> " ?</P></BODY></HTML> Thu, 03 Jul 2014 01:27:43 GMT https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4359#M3225 hshah 2014-07-03T01:27:43Z https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4360#M3226 <HTML><HEAD></HEAD><BODY><P>iseadmin is a user in ldap. However I want to give this user access to the firewall for monitoring only. </P></BODY></HTML> Thu, 03 Jul 2014 01:30:03 GMT https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4360#M3226 Westcon2 2014-07-03T01:30:03Z https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4361#M3227 <HTML><HEAD></HEAD><BODY><P>Hello Westcon,</P><P></P><P>For non local admins LDAP is not supported and only Radius is supported for remote login users. I tested this in lab and found similar results:</P><P><IMG __jive_id="14271" alt="Capture.PNG" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/14271_Capture.PNG" style="height: 146px; width: 620px;" /></P><P>You can also see that in the window (Device &gt; Setup &gt; Authentication settings) while mentioning the authentication profile there is a statement that "Only Radius is supported"</P><P></P><P>Thanks</P><P>Chetan</P></BODY></HTML> Thu, 03 Jul 2014 01:41:31 GMT https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4361#M3227 bat 2014-07-03T01:41:31Z https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4362#M3228 <HTML><HEAD></HEAD><BODY><P>Harsha, </P><P></P><P>It did the trick having the username in the administrator profile. But the problem is if I have 3 users then I have to create 3 administrator profile each with the username.</P><P>I can't create a common template name</P><P></P><P></P><P>2014-07-03 05:50:42.747 +0400 Running cmd: insert into admusers values (?, ?)</P><P>2014-07-03 05:50:42.747 +0400 Error:&nbsp; pan_authd_update_admin_user_in_db(pan_localdb_utils.c:186): Failed to add user:iseuser1 (uid:508) to /opt/pancfg/mgmt/global/db/admusers.db</P><P>2014-07-03 05:50:42.747 +0400 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: runtime.in\iseuser1 authresult auth'ed</P><P>2014-07-03 05:50:42.748 +0400 Request received to unlock shared/Ldap_admin/runtime.in\iseuser1</P><P>2014-07-03 05:50:42.748 +0400 User 'runtime.in\iseuser1' authenticated.&nbsp;&nbsp; From: 80.227.87.218.</P><P>2014-07-03 05:50:42.748 +0400 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False</P><P>2014-07-03 05:50:42.749 +0400 debug: pan_authd_service_req(pan_authd.c:3322): Authd:get group request</P><P>2014-07-03 05:50:42.750 +0400 debug: pan_authd_handle_group_req(pan_authd.c:3210): Got user role/adomain / for user iseuser1</P><P></P><P></P><P>Regards</P><P>Aamir Khan</P></BODY></HTML> Thu, 03 Jul 2014 01:46:54 GMT https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4362#M3228 Westcon2 2014-07-03T01:46:54Z https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4363#M3229 <HTML><HEAD></HEAD><BODY><P>Hi Aamir,</P><P></P><P>You can use the same authentication profile for all the users. Can you explain in more detail why you cannot create a common template name ?</P><P></P><P>-Chetan</P></BODY></HTML> Thu, 03 Jul 2014 02:30:17 GMT https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4363#M3229 bat 2014-07-03T02:30:17Z https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4364#M3230 <HTML><HEAD></HEAD><BODY><P>Hi Chetan,</P><P></P><P>Since the firewall does not support ldap authentication for non-local users. So even if showing successfully authenticated in the logs, It tries to look in to the administrator tab if there is any username of the same name which it authenticated. </P><UL><LI>If we use custom name, it won't find the username and will show the error "invalid username or password". So that is why we need to create individual administrator profile corresponding to the name we authenticated or else use radius.</LI></UL><P><IMG alt="radius.PNG" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/14272_radius.PNG" style="height: auto;" /></P><P></P><P>Regards</P><P>Aamir Khan</P></BODY></HTML> Thu, 03 Jul 2014 05:37:58 GMT https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4364#M3230 Westcon2 2014-07-03T05:37:58Z https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4365#M3231 <HTML><HEAD></HEAD><BODY><P>If you have a windows server in the environment, you can add the RADIUS role and use this with the PA custom dictionary.</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1232">How to Configure Radius on Windows 2008</A></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1701">Configuring Administrator Authentication with Windows 2008 RADIUS Server (NPS/IAS)</A></P></BODY></HTML> Fri, 04 Jul 2014 11:01:07 GMT https://live.paloaltonetworks.com/t5/general-topics/administrator-authentication-with-ldap/m-p/4365#M3231 pulukas 2014-07-04T11:01:07Z