https://live.paloaltonetworks.com/t5/general-topics/captive-portal-ldap-authentication-redundancy/m-p/310875#M80493 <P>Actually, you are wrong.</P><P>&nbsp;</P><P>I recommend you to check this:</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXnCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXnCAK</A></P><P>&nbsp;</P><P>Thanks anyway.</P> Wed, 12 Feb 2020 18:26:32 GMT JuanAn 2020-02-12T18:26:32Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal-ldap-authentication-redundancy/m-p/308276#M79998 <P>Hello.</P><P>&nbsp;</P><P>I have a Captive Portal that uses next Authentication Profile:</P><UL><LI>CP_Auth</LI></UL><P>Where:</P><P><EM>Authentication Sequence:</EM></P><UL><LI>CP_Auth - Auth_Mode_1,&nbsp;Auth_Mode_2</LI></UL><P><EM>Authentication Profile:</EM></P><UL><LI>Auth_Mode_1 - LDAP_1</LI><LI>Auth_Mode_2 - LDAP_2</LI></UL><P><EM>LDAP Server Profile:</EM></P><UL><LI>LDAP_1: 10.10.1.101, 10.10.1.102</LI><LI>LDAP_2:&nbsp;10.10.2.103, 10.10.2.104</LI></UL><P>&nbsp;</P><P>Base on our monitor logs, we noticed that all our authentications are using LDAP Server 10.10.1.101.</P><P>&nbsp;</P><P>A few days ago we detected that server 10.10.1.101 had an issue and we decided to power off the machine.</P><P>&nbsp;</P><P>After that, we were still seeing PA trying to reach this server and not trying to use the second LDAP server (10.10.1.102).</P><OL><LI>Why was this happending? Shouldn't the firewall have to change to 10.10.1.102 as soon it detects timeout connections?</LI><LI>Is there any way to configure redundancy in case of issue?</LI></OL><P>&nbsp;</P><P>Kr.</P> Tue, 28 Jan 2020 16:13:10 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal-ldap-authentication-redundancy/m-p/308276#M79998 JuanAn 2020-01-28T16:13:10Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal-ldap-authentication-redundancy/m-p/308290#M80000 <P>Create 4 separate LDAP Server Profiles.</P><P>Assign them to 4 separate Authentication Profiles.</P><P>List all 4 in the Authentication Sequence.</P><P>&nbsp;</P><P>The LDAP Server Profiles don't fail-through to the next one.&nbsp; It tries the first one, and only if it gets a specific response from it will it try the second one.</P><P>&nbsp;</P><P>The Authentication Sequence is where you list all the servers you want it to try, and the order to try them in.&nbsp; The first one to respond with "allowed" ends the sequence.&nbsp; If none of them return an "allowed" response, then the authentication fails.</P> Tue, 28 Jan 2020 17:14:04 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal-ldap-authentication-redundancy/m-p/308290#M80000 fjwcash 2020-01-28T17:14:04Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal-ldap-authentication-redundancy/m-p/308533#M80036 <P>Many thanks for your response.</P><P>&nbsp;</P><P>I don't understand... base on this <A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/device/device-server-profiles-ldap" target="_self">document</A></P><P>&nbsp;</P><P>"<SPAN>Configure at least two LDAP servers to provide redundancy"</SPAN></P><P>&nbsp;</P><P>What kind of redundancy are they referring in the previous document?</P><P>What is the condition that triggers the event of using the secondary LDAP?</P><P>Is timeout event not enough to triggers that?</P><P>&nbsp;</P><P>Kr.</P> Wed, 29 Jan 2020 16:22:26 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal-ldap-authentication-redundancy/m-p/308533#M80036 JuanAn 2020-01-29T16:22:26Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal-ldap-authentication-redundancy/m-p/308535#M80038 <P>The way it was explained to us in the 8.1 training course was along the lines of "the first server in the list to respond after boot is the only one it will use" or something along those lines.&nbsp; The instructor actually questioned why they allow multiple servers to be listed in a single Server Profile when it doesn't actually work the way you expect, but was never able to get a straight answer about it.</P><P>&nbsp;</P><P>If you actually want it to failover to another LDAP server, then you need to use a single server per LDAP Server Profile, and list all of those in an Authentication Sequence.</P> Wed, 29 Jan 2020 16:28:24 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal-ldap-authentication-redundancy/m-p/308535#M80038 fjwcash 2020-01-29T16:28:24Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal-ldap-authentication-redundancy/m-p/310875#M80493 <P>Actually, you are wrong.</P><P>&nbsp;</P><P>I recommend you to check this:</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXnCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXnCAK</A></P><P>&nbsp;</P><P>Thanks anyway.</P> Wed, 12 Feb 2020 18:26:32 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal-ldap-authentication-redundancy/m-p/310875#M80493 JuanAn 2020-02-12T18:26:32Z