https://live.paloaltonetworks.com/t5/general-topics/ldap-auth-for-the-web-ui-access-clarification/m-p/282554#M76105 <P>Palo Alto uses a more secure mentality for the Admin users on the firewalls. Calling out the users specificly is a lot more secure they refrenceing an AD group. Anyone with the right AD privlages could modify the AD group and give themselves superuser access to the firewalls.&nbsp;</P><P>&nbsp;</P> Tue, 13 Aug 2019 19:25:38 GMT Mark_Brook 2019-08-13T19:25:38Z https://live.paloaltonetworks.com/t5/general-topics/ldap-auth-for-the-web-ui-access-clarification/m-p/282534#M76103 <P>Hi All,</P><P>&nbsp;</P><P>Why do we need step 3 mentioned in the KB below for the WB UI authentication with LDAP?:</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGuCAK" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGuCAK</A></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LDAP.PNG" style="width: 748px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20995i0E7FF0945AC98ACB/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="LDAP.PNG" alt="LDAP.PNG" /></span></P><P>&nbsp;</P><P>Why do we need to create a local user? Won't Palo be an LDAP proxy (grabbing username/password and verifying it against LDAP server database)?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 13 Aug 2019 19:22:05 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-auth-for-the-web-ui-access-clarification/m-p/282534#M76103 myky 2019-08-13T19:22:05Z https://live.paloaltonetworks.com/t5/general-topics/ldap-auth-for-the-web-ui-access-clarification/m-p/282554#M76105 <P>Palo Alto uses a more secure mentality for the Admin users on the firewalls. Calling out the users specificly is a lot more secure they refrenceing an AD group. Anyone with the right AD privlages could modify the AD group and give themselves superuser access to the firewalls.&nbsp;</P><P>&nbsp;</P> Tue, 13 Aug 2019 19:25:38 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-auth-for-the-web-ui-access-clarification/m-p/282554#M76105 Mark_Brook 2019-08-13T19:25:38Z https://live.paloaltonetworks.com/t5/general-topics/ldap-auth-for-the-web-ui-access-clarification/m-p/282555#M76106 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/102857">@Mark_Brook</a>&nbsp; thanks, it makes sense. So what is PA actually verifying, just AD membership group and not username/password?</P> Tue, 13 Aug 2019 19:37:55 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-auth-for-the-web-ui-access-clarification/m-p/282555#M76106 myky 2019-08-13T19:37:55Z https://live.paloaltonetworks.com/t5/general-topics/ldap-auth-for-the-web-ui-access-clarification/m-p/282556#M76107 <P>Its verifying Username(both places), Password, and if you configured a group in your Ldap profile it will do that as well.&nbsp;</P> Tue, 13 Aug 2019 19:37:40 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-auth-for-the-web-ui-access-clarification/m-p/282556#M76107 Mark_Brook 2019-08-13T19:37:40Z https://live.paloaltonetworks.com/t5/general-topics/ldap-auth-for-the-web-ui-access-clarification/m-p/282557#M76108 <P>Cool, so the local user is another (additional) check as you mentioned earlier. Thanks.&nbsp;</P> Tue, 13 Aug 2019 19:41:09 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-auth-for-the-web-ui-access-clarification/m-p/282557#M76108 myky 2019-08-13T19:41:09Z https://live.paloaltonetworks.com/t5/general-topics/ldap-auth-for-the-web-ui-access-clarification/m-p/282716#M76132 <P>Palo Alto only has this requirment for LDAP Authentication only when managing the device.&nbsp; You can use a RADIUS server with RADIUS authentication profile to allow management by AD group, and that works fine, so if you have Microsoft IAS, or other RADIUS server, that will work for allowing a group to authenticate to the firewall and/or panorama.</P> Wed, 14 Aug 2019 13:54:40 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-auth-for-the-web-ui-access-clarification/m-p/282716#M76132 BrandonWright 2019-08-14T13:54:40Z https://live.paloaltonetworks.com/t5/general-topics/ldap-auth-for-the-web-ui-access-clarification/m-p/282717#M76133 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/36251">@BrandonWright</a>&nbsp; this now clear as day (but not a typical day in UK <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 14 Aug 2019 13:59:16 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-auth-for-the-web-ui-access-clarification/m-p/282717#M76133 myky 2019-08-14T13:59:16Z https://live.paloaltonetworks.com/t5/general-topics/ldap-auth-for-the-web-ui-access-clarification/m-p/1227379#M124100 <P>Do you have a reference for this.&nbsp; Why would palo do this only for LDAP?&nbsp; &nbsp;Extremely annoying moving from tacacs to ldap.&nbsp;</P> Thu, 24 Apr 2025 19:33:38 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-auth-for-the-web-ui-access-clarification/m-p/1227379#M124100 AustinClark 2025-04-24T19:33:38Z https://live.paloaltonetworks.com/t5/general-topics/ldap-auth-for-the-web-ui-access-clarification/m-p/1228486#M124224 <P>Because LDAP server doesn't send back admin role so you can't do authorization with LDAP server.</P> Thu, 08 May 2025 12:48:46 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-auth-for-the-web-ui-access-clarification/m-p/1228486#M124224 santonic 2025-05-08T12:48:46Z