https://live.paloaltonetworks.com/t5/general-topics/using-ldap-ad-names-for-firewall-gui-login/m-p/46798#M34402 <HTML><HEAD></HEAD><BODY><P>Hi John,</P><P></P><P>Sorry, been out an about</P><P>I suggest you contact support - it does not sound right.&nbsp; I think we'll definitely need pictures here <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>I am sure we could get this solved</P><P></P><P>Thanks</P><P>James</P></BODY></HTML> Thu, 20 Jan 2011 23:40:40 GMT James 2011-01-20T23:40:40Z https://live.paloaltonetworks.com/t5/general-topics/using-ldap-ad-names-for-firewall-gui-login/m-p/46793#M34397 <HTML><HEAD></HEAD><BODY><P>Hi</P><P>I believe I've successfully set up LDAP authentication in our Palo device. All of our groups and users are appearing when searched for using "show user ldap-server server all" and they show up in Authentication Profiles when changing the Allow List.</P><P></P><P>I have added my user account from our AD domain into the LDAP Authentication Profile as detailed in the "eDirectory and LDAP Authentication with PANOS" document, but I'm not sure how to progress in getting this to be used for authorisation when logging into the firewall itself.</P><P></P><P>If I go into create a new administrator account, the authentication profile drop-down only lists "None" - I had imagined this would let me specify a user based on LDAP but it seems not.</P><P></P><P>Am I barking up the wrong tree, or should I be able to authenticate to the admin GUI using LDAP users? If so is there a step I'm missing in enabling this?</P><P></P><P>Regards</P><P>John Bousfield</P></BODY></HTML> Tue, 18 Jan 2011 15:48:35 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ldap-ad-names-for-firewall-gui-login/m-p/46793#M34397 aveva_palo 2011-01-18T15:48:35Z https://live.paloaltonetworks.com/t5/general-topics/using-ldap-ad-names-for-firewall-gui-login/m-p/46794#M34398 <HTML><HEAD></HEAD><BODY><P>Hi John,</P><P></P><P>For this to work - you should have your LDAP server as a choice in the drop down.</P><P>The "Name" section would be your username in the LDAP server.&nbsp; You would need to make an entry like this for each administrator.&nbsp; This is OK for a small number of Admins.</P><P>If you expect to have many - then please check out this document using RADIUS and VSA's:</P><P><A class="jive-link-external-small" href="https://live.paloaltonetworks.com/docs/DOC-1701">https://live.paloaltonetworks.com/docs/DOC-1701</A></P><P></P><P>Thanks</P><P>James</P></BODY></HTML> Tue, 18 Jan 2011 17:04:31 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ldap-ad-names-for-firewall-gui-login/m-p/46794#M34398 James 2011-01-18T17:04:31Z https://live.paloaltonetworks.com/t5/general-topics/using-ldap-ad-names-for-firewall-gui-login/m-p/46795#M34399 <HTML><HEAD></HEAD><BODY><P>Hi James</P><P>Thanks for your reply. That's how I imagined it should work and doing it for each user manually is fine for now.</P><P></P><P>However, when I go in to add the new administrator account I'm unable to select anything other than "None" - there is no option for my other Authorisation profiles (including a RADIUS profile already set up).</P><P></P><P>The help system indicates the same thing you have which is that I should have the list of Auth Profiles there.</P><P></P><P>Could there be some setting I've missed to enable new users to use all Auth Profiles?</P><P></P><P>Regards</P><P>John</P></BODY></HTML> Wed, 19 Jan 2011 10:18:39 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ldap-ad-names-for-firewall-gui-login/m-p/46795#M34399 aveva_palo 2011-01-19T10:18:39Z https://live.paloaltonetworks.com/t5/general-topics/using-ldap-ad-names-for-firewall-gui-login/m-p/46796#M34400 <HTML><HEAD></HEAD><BODY><P>Hi John,</P><P></P><P>Is it definitely Auth and not server profiles that you have configured?</P><P><IMG alt="Screen shot 2011-01-19 at 11.50.39.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/2137_Screen shot 2011-01-19 at 11.50.39.png" /></P><P></P><P>Thanks</P><P>James</P></BODY></HTML> Wed, 19 Jan 2011 11:54:13 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ldap-ad-names-for-firewall-gui-login/m-p/46796#M34400 James 2011-01-19T11:54:13Z https://live.paloaltonetworks.com/t5/general-topics/using-ldap-ad-names-for-firewall-gui-login/m-p/46797#M34401 <HTML><HEAD></HEAD><BODY><P>Hi James</P><P>I've got both Server Profile and Authentication Profiles configured. Tried to attach an image of these but it doesn't seem to let me...</P><P></P><P>Server Profile has the LDAP servers listed and I can do looks ups to AD so those seem fine. User Idenfitication is also in place and seems to be working fine getting groups and users when I check via the command line.</P><P></P><P>The Authentication Profiles include the one for LDAP, one for LocalDB and one for RADIUS at the moment. The LDAP Auth profile uses the LDAP Server Profile above, includes my AD account and an AD group in the Allow List and has sAMAccountName as the login attribute.</P><P></P><P>None of the Auth Profiles appear in the drop-down though.</P><P></P><P>Appreciate any help.</P><P></P><P>Regards</P><P>John</P></BODY></HTML> Wed, 19 Jan 2011 12:25:12 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ldap-ad-names-for-firewall-gui-login/m-p/46797#M34401 aveva_palo 2011-01-19T12:25:12Z https://live.paloaltonetworks.com/t5/general-topics/using-ldap-ad-names-for-firewall-gui-login/m-p/46798#M34402 <HTML><HEAD></HEAD><BODY><P>Hi John,</P><P></P><P>Sorry, been out an about</P><P>I suggest you contact support - it does not sound right.&nbsp; I think we'll definitely need pictures here <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>I am sure we could get this solved</P><P></P><P>Thanks</P><P>James</P></BODY></HTML> Thu, 20 Jan 2011 23:40:40 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ldap-ad-names-for-firewall-gui-login/m-p/46798#M34402 James 2011-01-20T23:40:40Z https://live.paloaltonetworks.com/t5/general-topics/using-ldap-ad-names-for-firewall-gui-login/m-p/46799#M34403 <HTML><HEAD></HEAD><BODY><P>Hi James</P><P>I'll raise a support issue with our support contact directly but I have also attached the images of each config page to the post so you can have a quick browse of the settings I've got in place.</P><P></P><P>Thanks for your help.</P><P></P><P>Regards</P><P>John</P></BODY></HTML> Fri, 21 Jan 2011 10:39:57 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ldap-ad-names-for-firewall-gui-login/m-p/46799#M34403 aveva_palo 2011-01-21T10:39:57Z https://live.paloaltonetworks.com/t5/general-topics/using-ldap-ad-names-for-firewall-gui-login/m-p/46800#M34404 <HTML><HEAD></HEAD><BODY><P>For reference the problem was that my LDAP Server Profile and LDAP Authorisation Profiles were set to use VSYS but needed to be set to as Shared - you can't use Vsys profiles to authorise administrative users, which makes sense.</P><P></P><P>This can't be altered once a profile is made so I removed both profiles and recreated as shared (tick box near the top of the form).</P><P></P><P>I can now use LDAP to authorise users.</P><P></P><P>John</P></BODY></HTML> Wed, 26 Jan 2011 10:03:12 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ldap-ad-names-for-firewall-gui-login/m-p/46800#M34404 aveva_palo 2011-01-26T10:03:12Z https://live.paloaltonetworks.com/t5/general-topics/using-ldap-ad-names-for-firewall-gui-login/m-p/46801#M34405 <HTML><HEAD></HEAD><BODY><P>Hi John,</P><P></P><P>Good news!!</P><P></P><P>Thanks</P><P>James</P></BODY></HTML> Wed, 26 Jan 2011 14:53:22 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ldap-ad-names-for-firewall-gui-login/m-p/46801#M34405 James 2011-01-26T14:53:22Z