https://live.paloaltonetworks.com/t5/general-topics/pan-firewall-ldap-authentication-user-handling/m-p/279946#M75793 <P>Hello Community,</P><P>&nbsp;</P><P>so i've got a small "issue"/question regarding PAN Firewalls and LDAP User-Authentication handling.</P><P>I configured it like it is documented <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGuCAK" target="_self">here</A></P><P>My issue now is that when i add an Administrator, then delete the user from the Active-Directory group, the user is still able to log on even after the firewall refreshes the connection.</P><P>Am i doing something wrong here, or do i manually have to delete the user, from the firewall so he cant connect to it anymore?</P><P>&nbsp;</P><P>Best regards.</P> Tue, 30 Jul 2019 08:32:28 GMT christoph_oppelt 2019-07-30T08:32:28Z https://live.paloaltonetworks.com/t5/general-topics/pan-firewall-ldap-authentication-user-handling/m-p/279946#M75793 <P>Hello Community,</P><P>&nbsp;</P><P>so i've got a small "issue"/question regarding PAN Firewalls and LDAP User-Authentication handling.</P><P>I configured it like it is documented <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGuCAK" target="_self">here</A></P><P>My issue now is that when i add an Administrator, then delete the user from the Active-Directory group, the user is still able to log on even after the firewall refreshes the connection.</P><P>Am i doing something wrong here, or do i manually have to delete the user, from the firewall so he cant connect to it anymore?</P><P>&nbsp;</P><P>Best regards.</P> Tue, 30 Jul 2019 08:32:28 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-firewall-ldap-authentication-user-handling/m-p/279946#M75793 christoph_oppelt 2019-07-30T08:32:28Z https://live.paloaltonetworks.com/t5/general-topics/pan-firewall-ldap-authentication-user-handling/m-p/279967#M75799 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/105853">@christoph_oppelt</a>,</P><P>For the user to actually be removed from the firewall, yes you would need to delete the account manually. However as long as the admin session had expired, I wouldn't expect that the user would actually be allowed to login unless your LDAP server was still giving the firewall the 0 response code. If the user account no longer exists you should be getting a 49 response and the firewall wouldn't auth the user.&nbsp;</P><P>&nbsp;</P><P>* I just saw that you said group. Have you tried ensuring that the group membership has actually updated on the firewall through the cli command 'show user group name &lt;group&gt;'. Otherwise the firewall will simply verify that the LDAP credentials are correct.&nbsp;</P> Tue, 30 Jul 2019 10:40:35 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-firewall-ldap-authentication-user-handling/m-p/279967#M75799 BPry 2019-07-30T10:40:35Z https://live.paloaltonetworks.com/t5/general-topics/pan-firewall-ldap-authentication-user-handling/m-p/279968#M75800 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/105853">@christoph_oppelt</a>,</P><P>&nbsp;</P><P>Current versions doesn't support remote authorization for administrators using LDAP.</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication.html#" target="_self">Administrative Authentication</A></P><P>&nbsp;</P><PRE><STRONG>The administrative accounts are defined on an external SAML, TACACS+, or RADIUS server. </STRONG><BR /><STRONG>The server performs both authentication and authorization.</STRONG></PRE><P>For that reason as you have seen from the KB in order to authenticate admin via LDAP you need to localy (on the FW) create the username and set it to authenticate using the LDAP.&nbsp;</P><P>&nbsp;</P><P>Behind the scenes the firewall is try to made a bind request using the username and password provided during your login attempt. FW doesn't really care in what user group this user is configured in the AD. As long as you have provide valid username and password, the bind request will successed and you will be allowed to login.</P><P>&nbsp;</P><P>You actually have a "workaround" to tell the FW to try to authenticate only specific users.</P><P>&nbsp;</P><P>When you are configuring the authentication profile, you can specify "allow list". This list will tell what users are allowed to authenticate using this profile. That way you can tell the FW you allow only users member of FW_admins user-group in the AD. This will mean that when you try to login there will be additional step:</P><P>- you type your username and password</P><P>- FW will check if the username you have provide is member of the that allow list</P><P>- If it is in this list, FW will again try to make bind request with provided username and password</P><P>&nbsp;</P><P>&nbsp;</P><P>So what you can do is on the step 2c from the guide instead of all you can list the user group or specific users</P> Tue, 30 Jul 2019 10:39:24 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-firewall-ldap-authentication-user-handling/m-p/279968#M75800 aleksandar.astardzhiev 2019-07-30T10:39:24Z https://live.paloaltonetworks.com/t5/general-topics/pan-firewall-ldap-authentication-user-handling/m-p/279979#M75802 <P>Alright, thanks to both of you.</P><P>Guess i'll have to just live with it.</P> Tue, 30 Jul 2019 11:36:35 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-firewall-ldap-authentication-user-handling/m-p/279979#M75802 christoph_oppelt 2019-07-30T11:36:35Z