topic Re: Unable to logon to the firewalls using the AD account in General Topics

Unable to logon to the firewalls using the AD account

FarzanaMustafa — Wed, 27 Feb 2019 23:12:41 GMT

Hello,

I have setup LDAP authentication for login purposes, the server profile has been created along with the authentication profile, user group mapping (which searches for an AD group) and the administrator which uses the authentication profile.

However I am unable to logon to the firewalls using the AD account, when I check the system logs for the firewall I get the following message "Authentication profile not found for the user".

I did an authentication test using the command "test authentication authentication-profile <profile> username <username> password" and it came back that the user was authenticated successfully, I can also see that the firewalls are correctly collecting the members of the AD group.

I managed to get the LDAP authentication working, but not in the way I was hoping it would work. I can authenticate a user by making an administrator account for each individual AD user that I want to be able to login.

I was hoping there was a way to have it setup where an AD group can be used and members of that group can login to panorama without having to create individual administrator accounts for each. Not sure if that’s possible or not with Pan-OS.

Thanks in advance!

Re: Unable to logon to the firewalls using the AD account

BPry — Thu, 28 Feb 2019 00:40:50 GMT

@FarzanaMustafa ,

That's actually how it's suppose to work. The PAN-OS won't create the administrator account by itself, the authentication profile is simply used the authenticate administrator accounts that have already been created.

Re: Unable to logon to the firewalls using the AD account

FarzanaMustafa — Thu, 28 Feb 2019 00:45:19 GMT

@BPry

Thanks for the response.

So what do I need to do in the FW so that I don't get the message "Authentication profile not found for the user"?

Re: Unable to logon to the firewalls using the AD account

BPry — Thu, 28 Feb 2019 00:48:43 GMT

@FarzanaMustafa ,

Create an administrator account for the user you are wishing to add to the firewall, when creating the entry ensure that the authentication profile for the account has your LDAP profile specified. If that's done you shouldn't get any errors in the log files.

Re: Unable to logon to the firewalls using the AD account

gwesson — Thu, 28 Feb 2019 00:50:54 GMT

You can have an auth system where you don't need to continue adding admins to the firewall directly, but you have to use RADIUS for it.

The mechanism uses Vendor Specific Attributes (VSAs) that the firewall sees and assigns a role. Here's an article that shows the details for Panorama for Windows 2003, 2008, and Cisco ACS 4.0:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIxCAK

Another for just firewalls, and specific to Windows 2008:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGMCA0