https://live.paloaltonetworks.com/t5/general-topics/ldap-authentication-profile-allow-list-all/m-p/298841#M78272 <P>Thanks. And to clarify if a user isn't defined as an Administrator or as a Captive Portal or GlobalProtect user either explicitly or as a group member, then authentication will fail with something like an "Authentication profile not found for the user" message in the system log? Simply selecting 'all' in the allow list does not grant everyone the ability to login to the firewall, correct?</P> Fri, 15 Nov 2019 16:25:50 GMT MikeSangray2019 2019-11-15T16:25:50Z https://live.paloaltonetworks.com/t5/general-topics/ldap-authentication-profile-allow-list-all/m-p/298624#M78232 <P>When configuring an LDAP Authentication Profile what does the 'all' refer to in the allow list?&nbsp;</P> Thu, 14 Nov 2019 18:30:41 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-authentication-profile-allow-list-all/m-p/298624#M78232 MikeSangray2019 2019-11-14T18:30:41Z https://live.paloaltonetworks.com/t5/general-topics/ldap-authentication-profile-allow-list-all/m-p/298667#M78236 <P>All is a reference to any user.</P><P>if you only wanted members of a certain group or individual users &nbsp;to use this authentication profile then you would add them here.</P> Thu, 14 Nov 2019 19:48:02 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-authentication-profile-allow-list-all/m-p/298667#M78236 Mick_Ball 2019-11-14T19:48:02Z https://live.paloaltonetworks.com/t5/general-topics/ldap-authentication-profile-allow-list-all/m-p/298841#M78272 <P>Thanks. And to clarify if a user isn't defined as an Administrator or as a Captive Portal or GlobalProtect user either explicitly or as a group member, then authentication will fail with something like an "Authentication profile not found for the user" message in the system log? Simply selecting 'all' in the allow list does not grant everyone the ability to login to the firewall, correct?</P> Fri, 15 Nov 2019 16:25:50 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-authentication-profile-allow-list-all/m-p/298841#M78272 MikeSangray2019 2019-11-15T16:25:50Z https://live.paloaltonetworks.com/t5/general-topics/ldap-authentication-profile-allow-list-all/m-p/298857#M78274 <P>Yes&nbsp; I think so...</P><P>&nbsp;</P><P>I only say "think so" as i have never used any other option than "ALL". so i dont know what the system log would say...&nbsp; but i'm sure you have already seen this...</P><P>&nbsp;</P><P>To allow all only means that all users can attempt to authenticate against this profile...&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 15 Nov 2019 16:39:51 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-authentication-profile-allow-list-all/m-p/298857#M78274 Mick_Ball 2019-11-15T16:39:51Z https://live.paloaltonetworks.com/t5/general-topics/ldap-authentication-profile-allow-list-all/m-p/298860#M78275 <P>ok just tested the auth with a test profile without me in the allow list.</P><P>&nbsp;</P><P>system log&nbsp; &nbsp;...</P><P>&nbsp;</P><P>failed authentication for user "Me" Reason: user is not in allow list. auth profile Radius Test.</P><P>&nbsp;</P><P>Boom!&nbsp;</P><P>&nbsp;</P> Fri, 15 Nov 2019 16:55:27 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-authentication-profile-allow-list-all/m-p/298860#M78275 Mick_Ball 2019-11-15T16:55:27Z https://live.paloaltonetworks.com/t5/general-topics/ldap-authentication-profile-allow-list-all/m-p/298884#M78283 <P>I did a similar test and got a similar result.&nbsp;</P><P>&nbsp;</P><P>AFAIK setting the allow list to 'all' and relying on authentication profiles is the cleanest way to go about provisioning permissions, but if I'm mistaken please let me know.</P> Fri, 15 Nov 2019 19:36:31 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-authentication-profile-allow-list-all/m-p/298884#M78283 MikeSangray2019 2019-11-15T19:36:31Z