topic Re: LDAP Authentication 4.1.x Panorama and FW in General Topics

LDAP Authentication 4.1.x Panorama and FW

tstokkeland — Tue, 19 Jun 2012 13:57:13 GMT

There is a ton of various old and somewhat newer info on LDAP related info around, but I have not been able to find any good source on step by step and how to troubleshoot - a lot of the junk seems to reference user-id stuff, which I believe is not relevant, shouldnt I be able to configure an LDAP server profile, a authentication profile, and then use this for authentication (wether admin access or ssl vpn?).

I have been unable to find any logs or info on how to test if my LDAP server profile is even working.

I had kerberos authentication working just fine, but the bugs with Kerberos and groups makes it unusable, so I have to get LDAP configured, but so far I have not been able to.

for my testing I am doing this in panorama, for the local admin logons to Panorama (because it is so much faster to commit with than a firewall):

here is what I did - which I believe should work:

created a user in the domain named pan-admin (for sake of troubleshooting I gave it domain admin rights)

Created LDAP Server Profile

Name: adtest

Servers: Added two DC's by IP, port 389

Domain: mydom.local

Type: Active-Directory

Base: DC=mydom,DC=local (this pulled up by dropdown)

Bind DN: DN=pan-admin,OU=Service Accounts,DC=mydom,DC=local

Password: **

I unchecked SSL

the rest is default.

Created an Authentication Profile

Name: adAuthAdmin

Allow List: removed all, and added a single user like mydom\username and a group mydom\groupname by typing them in (I would think that just group should work, but for testing purposes I also added my speciifc user)

Authentication: LDAP

Server Profile: adtest

Under Administrators I added 2 users, one for the group (mydom\groupname) and also my individual user for testing, usint the "adAuthAdmin" profile and superuser...

shouldnt that work?

I cant even find out how to test if the LDAP Server profile is even working - logs show nothing at all - when trying a login the system log just shows

User 'mydom\username' failed authentication. Reason: Authentication profile not found for the user From: 10.159.14.11.' )

I tried a lot of different things but I have no luck really - the DC's are 2003's - I have 2008R2's as well but figured there be less prone to issues using the old ones...

btw - user-identification working fine with the agents and all that - I dont see how that is even relevant other than that it uses it for dropdowns on the firewalls (not in panorama since it doesnt have user-id.

any help appreciate - I might open a ticket soon,...

Re: LDAP Authentication 4.1.x Panorama and FW

tstokkeland — Tue, 19 Jun 2012 14:47:07 GMT

more searching and digging and I found this post

which lead me to the device/panorama setting, where a profile has to be chosen for the box.

so this works as long as I add each individual user to the administrators list.

Shouldnt this work by just adding a group?

and I still have no good way of debugging this crap

Re: LDAP Authentication 4.1.x Panorama and FW

sspringer — Tue, 19 Jun 2012 18:47:48 GMT

Hi,

Authentication profiles can be used with the following features:

- Captive Portal

- Global Protect

- Administrator login

Captive Portal and Global Protect will work by specifying the group in the allow list. Administrator login functions differently as it is required to add each individual user(unless VSA is setup https://live.paloaltonetworks.com/docs/DOC-1701).

A couple notes on your configuration.

1) In the LDAP Server Profile you have the FQDN defined. If left to the FQDN then there can be issues with the user mapping correctly to a group as there will be two separate references to the user

mydom.local\user1

mydom\user1

To prevent this problem instead of - Domain: mydom.local

Enter - Domain: mydom

2) In the Authentication Profile you would set the login attribute to sAMAccountName if using AD/LDAP.

For troubleshooting, you want to review system logs and authd.log. Other common issues can be solved by review the output of various 'show user' commands such as:

> show user group name <group name>

> show user user-IDs match-user <username>

> show user group-mapping state all

Hope this helps!

- Stefan

Re: LDAP Authentication 4.1.x Panorama and FW

tstokkeland — Tue, 19 Jun 2012 19:38:28 GMT

Thank you - i have been fiddling with this all day - and discovered its not working right when doing the LDAP stuff from panorama, or at least, it works better from the firewall itself, the FQDN versus Wintendo-netbios network name was one of the issues, I had portal working but not the gateway, removal of fqdn fixed that.