https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-ldap/m-p/5781#M4224 <HTML><HEAD></HEAD><BODY><P>I can browse the AD directory from the PaloAlto, also in CLI the FW is showing the users in the group i've selected.</P><P>However, when trying to authenticate users it seems like the FW can't reach the LDAP server.&nbsp; I have 1 rule and it allows all!!</P><P>I can also ping from all the network interfaces on the firewall!</P></BODY></HTML> Fri, 23 Dec 2011 09:00:26 GMT johnd 2011-12-23T09:00:26Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-ldap/m-p/5775#M4218 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I've read all the guides and on the forums and still can't figure out why my configuration won't work.</P><P>I want users to enter AD username/password to get access to the internet.</P><P></P><P>The following has been configured:</P><P></P><P>Device &gt; User Identification &gt; Group Mapping Settings:</P><P>1. Added server profile</P><P>2. Rest is default</P><P>3. Group Include List, entered AD and located my security group i want. (So LDAP connection is working).</P><P>Also, when running "Show user user-ID's", both the users in the group are listed, so they are being read.</P><P></P><P>Device &gt; User Identification &gt; Captive Portal Settings:</P><P>1. Enabled captive portal</P><P>2. Authentication Profile is correct.</P><P>3. Mode redirect (Clients can see the webportal, so this is working)</P><P></P><P>Network &gt; Zones &gt; Trust:</P><P>1. Enabled User Identification.</P><P></P><P>Device &gt; LDAP:</P><P>This is obviously working or else i wouldnt have a connection (?).</P><P></P><P>Device &gt; Authentication Profile:</P><P>1. Allow list is set to all.</P><P>2. Authentication set to LDAP.</P><P>3. Login attribute set to sAMAccountName</P><P></P><P>When testing this on a client i get the following:</P><P>Captive Portal authentication failed for user: X on 192.168.X.X, vsys1</P><P>User 'X' failed authentication. Reason: Invalid username/password from: 192.168.X.X.</P><P></P><P>Any clues?&nbsp; I'm not using user-identification agent, this shouldnt be needed as i have LDAP and when using local users the authentication worked fine!</P></BODY></HTML> Wed, 21 Dec 2011 14:00:02 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-ldap/m-p/5775#M4218 johnd 2011-12-21T14:00:02Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-ldap/m-p/5776#M4219 <HTML><HEAD></HEAD><BODY><P>Did you try entering username &amp; password, or domain\username &amp; password?</P></BODY></HTML> Wed, 21 Dec 2011 14:45:48 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-ldap/m-p/5776#M4219 rmonvon 2011-12-21T14:45:48Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-ldap/m-p/5777#M4220 <HTML><HEAD></HEAD><BODY><P>I tried both in all variations. Also reset my domain password to be sure.</P><P>As i said it worked just fine with local user accounts.&nbsp; And AD seems to be working just fine, so I'm not sure what the problem is.</P><P>Does anyone know which debugging option i should enable to see whats wrong.&nbsp; Guess i could do some packet capture as well.</P></BODY></HTML> Wed, 21 Dec 2011 15:17:20 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-ldap/m-p/5777#M4220 johnd 2011-12-21T15:17:20Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-ldap/m-p/5778#M4221 <HTML><HEAD></HEAD><BODY><P>You can test the LDAP config by setting it to authenticate the admins.&nbsp; Then use your LDAP username/password to login as an admin for the PA device.</P></BODY></HTML> Wed, 21 Dec 2011 15:49:03 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-ldap/m-p/5778#M4221 rmonvon 2011-12-21T15:49:03Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-ldap/m-p/5779#M4222 <HTML><HEAD></HEAD><BODY><P>Well, that didnt work either.</P><P></P><P>tail mp-log authd.log</P><P></P><P>Dec 22 12:41:31 pan_authd_common_authenticate(pan_authd.c:1520): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:domain :users_1,username XX_USER_XX failed - trying other hosts<BR />Dec 22 12:41:31 pan_authd_common_authenticate(pan_authd.c:1495): Skipping LDAP server due to missing Auth-Profile: pan_ldap_vsys1_:domain :users_2<BR />Dec 22 12:41:31 pan_authd_common_authenticate(pan_authd.c:1495): Skipping LDAP server due to missing Auth-Profile: pan_ldap_vsys1_:domain :users_3<BR />Dec 22 12:41:31 authentication failed for user &lt;vsys1,Domain Users,XX_USER_XX&gt;<BR />Dec 22 12:41:31 pan_authd_process_authresult(pan_authd.c:1247): pan_authd_process_authresult: XX_USER_XX authresult not auth'ed<BR />Dec 22 12:41:31 pan_authd_process_authresult(pan_authd.c:1271): Alarm generation set to: False.<BR />Dec 22 12:41:31 User 'XX_USER_XX' failed authentication.&nbsp; Reason: Invalid username/password From: 192.168.0.15.<BR />Dec 22 12:41:31 pan_get_system_cmd_output(pan_cfg_utils.c:3019): executing: /usr/local/bin/sdb -n -r cfg.operational-mode<BR />Dec 22 12:41:31 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False<BR />Dec 22 12:41:31 pan_get_system_cmd_output(pan_cfg_utils.c:3019): executing: /usr/local/bin/sdb -n -r cfg.operational-mode</P></BODY></HTML> Thu, 22 Dec 2011 09:09:16 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-ldap/m-p/5779#M4222 johnd 2011-12-22T09:09:16Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-ldap/m-p/5780#M4223 <HTML><HEAD></HEAD><BODY><P>A couple of things to check.</P><P></P><P>Check the log of your LDAP server and is it reporting incorrect&nbsp; credential as well?&nbsp; If so, have you try a different account, username/password?</P><P></P><P>Are you seeing LDAP groups if you issue CLI command: show user ldap-server server &lt;name&gt;</P><P></P><P>If there's no groups listed in the output, then the LDAP config is incorrect.</P><P></P><P>You may also want to contact Support and have your configruation reviewed over a web meeting.&nbsp; Thansks.</P></BODY></HTML> Thu, 22 Dec 2011 14:47:25 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-ldap/m-p/5780#M4223 rmonvon 2011-12-22T14:47:25Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-ldap/m-p/5781#M4224 <HTML><HEAD></HEAD><BODY><P>I can browse the AD directory from the PaloAlto, also in CLI the FW is showing the users in the group i've selected.</P><P>However, when trying to authenticate users it seems like the FW can't reach the LDAP server.&nbsp; I have 1 rule and it allows all!!</P><P>I can also ping from all the network interfaces on the firewall!</P></BODY></HTML> Fri, 23 Dec 2011 09:00:26 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-ldap/m-p/5781#M4224 johnd 2011-12-23T09:00:26Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-ldap/m-p/5782#M4225 <HTML><HEAD></HEAD><BODY><P>As the next step, I would suggest contacting Support and have it diagnose.&nbsp; Thanks.</P></BODY></HTML> Sun, 25 Dec 2011 19:14:36 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-ldap/m-p/5782#M4225 rmonvon 2011-12-25T19:14:36Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-ldap/m-p/5783#M4226 <HTML><HEAD></HEAD><BODY><P>This was solved by removing all the LDAP config and Captive Portal config and adding it all again.</P><P>Seemed to be some bug with the config.</P></BODY></HTML> Thu, 12 Jan 2012 13:28:44 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-ldap/m-p/5783#M4226 johnd 2012-01-12T13:28:44Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-ldap/m-p/5784#M4227 <HTML><HEAD></HEAD><BODY><P>Glad to hear that it worked.&nbsp;&nbsp; Cheers.</P></BODY></HTML> Thu, 12 Jan 2012 21:08:38 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-ldap/m-p/5784#M4227 rmonvon 2012-01-12T21:08:38Z