topic Re: Cli command to test Authentication Profile requiring exact match in General Topics

Cli command to test Authentication Profile requiring exact match

OneAmongMany — Tue, 15 May 2018 07:57:26 GMT

Hey All

While working a support case for a customer, I've come accross an odd situation and before I go log to Palo TAC I wondered if anyone else had seen this/was aware of it:

So Authentication profile configured with an allow list restricted for one LDAP group. I can use that Auth Policy in say GlobalProtect and sure enough- only users who are members of that group can connect to the portal.

> show user user-ids all

-shows the list of users pulled in by User/Group mapping (so the firewall knows a user is in that group), but when I run;

> test authentication authentication-profile X username Y ...etc.etc.

- this always fails ("User Y is not allowed with Authentication Profile X"), unless I include the specific username in the allow list in the Auth Profile, or I allow 'All'. With and without appending domain info - same result.

Looking at the documentation available - all examples of testing an Auth Profile using LDAP, matches the group 'All'
(e.g https://www.paloaltonetworks.com/documentation/80/pan-os/cli-gsg/use-the-cli/test-the-configuration/test-the-authentication-configuration😞

"Do allow list check before sending out authentication request...
name "bzobrist" is in group "all" ..."

(its never a restricted LDAP group)

I did see here :

https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-authentication-profile/configure-an-authentication-profile

-that "Because you cannot configure the firewall to modify the domain/username string that a user enters during SAML logins, the login username must exactly match an Allow Listentry."

I am seeing this behaviour with LDAP, both in the customer's environment and I have replicated it simply enough in our lab.

Anyone restricted an Auth Profile to an LDAP group and then been able to run the '>test authentication...' cli command and have it work?

Many Thanks

Alex

Re: Cli command to test Authentication Profile requiring exact match

LukeBullimore — Tue, 15 May 2018 08:47:48 GMT

Do you get the same behavior if you add both the long and short group name to the allow list?

Considering the default group mapping refresh interval (default 60 minutes) you ,may need to initiate a manual group mapping refresh via:

debug user-id refresh group-mapping all

Re: Cli command to test Authentication Profile requiring exact match

OneAmongMany — Tue, 15 May 2018 09:55:08 GMT

Hi Luke

The Group-mapping is in place; that user (*domain\username) appears (when I run > show user user-ids) as a member of the correct group (the one named in the Auth profile), so its not that its not up to date.

I can run the command with > test authentication authentication-profile username *domain\username or just *username - and unless that specific username is listed in the Auth profile Allow lIst the auth test fails. The fact they are a member of that group (as prove by '> show user user-ids' output proves) doesn't seem to be taken inot account.

To answer your question- yes; either long name or short name (*domain\username or *username) in the Allow List works the same (my Auth Profile is set ot append it automatically) .

Thanks

Alex

Re: Cli command to test Authentication Profile requiring exact match

JBal — Tue, 15 May 2018 11:02:07 GMT

According to this post it is/was a bug, the 'test authentication authentication-profile' command does not work properly.
Unfortunately there is no bug ID mentioned and I do not know if it is already fixed or not.

Re: Cli command to test Authentication Profile requiring exact match

OneAmongMany — Mon, 28 May 2018 10:01:14 GMT

Thanks Bud!

Glad its not just me.!

****Edited****

OK, so there is a confirmed bug with the test command:

> test authentication authentiocation-profile...

resulting in the following error:

"Allow list check error:
Target vsys is not specified, user "silentbob" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
User Administrator is not allowed with authentication profile LDAP"

(membership of LDAP groups is ignored in the authentication profile allow list).

Its registered under PAN-80160 - but this is not publicly documented (not in Limitations or known issues of 8.0).

Hopefully search engines will bring people here.... 🙂

The bug is resolved in 8.1