topic Problem with LDAP group usage in Authentication Profile in General Topics

Problem with LDAP group usage in Authentication Profile

ess_johanchristensson — Fri, 20 Mar 2020 21:39:59 GMT

Hi.

I have a strange issue with LDAP groups in our PA-5220 setup.

Our setup is two HS-clusters with each containing two PA-5220. All of the devices are fully managed using Panorama. All of the firewalls are running 9.0.5 and Panorama is also of version 9.0.5.

The configuration looks like this, I have configured a LDAP server object with all of our AD domain controllers, and set the "Base DN" to be the root of the domain. I have created a "Group mapping" containing a group for testing. I have created a "LDAP Authentication Profile" targeting the LDAP server configured earlier.

The problem is that the LDAP authentication only works if I have the "Allow list" set to "All". If I specify the AD group either using the NetBIOS name/short name or the full DN name, authentication will fail.

If I from the console list, the users in the group using "show user group name" all expected users are listed. If I test the Authentication Profile using the command "test authentication authentication-profile" it works when the allow list is set to All, but not if I a LDAP group is specified. The test fails based on "Do allow list check before sending out authentication request".

I have checked all of the KB I have been able to find and made sure that I for instance have all the LDAP paths in lower cases. I have compered it with another device with a working configuration, but at another company, but except for the paths and server names, everything is more or less the same.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClizCAC

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloqCAC

What could be causing this issue? What to check next?

Best regards,
Johan Christensson

Re: Problem with LDAP group usage in Authentication Profile

reaper — Mon, 23 Mar 2020 12:24:34 GMT

is the dropdown in the authentication profile actually returning the group you want to use or do you need to enter it manually ? (if b, your ldap profile is not working)

also pay VERY close attention to how your users are identified: in the group mapping are your users UPN or sAM ? (user@domain or domain\user) and if you leave the auth profile to all and the user is logged in, how is he/she identified, same as group mapping or different ?

if different, you need to fix the user-id group mapping so it maps users in the SAME format as the auth profile (you can force it to upn or sam)

Re: Problem with LDAP group usage in Authentication Profile

ess_johanchristensson — Tue, 24 Mar 2020 23:06:36 GMT

@reaper, thanks for your reply.

Regarding the drop-down of LDAP groups, that depends if I try to configure this using Panorama or directly on the firewall. If using Panorama the drop-down doesn’t work, but if I go directly to the firewall it works.

In any case, your suggestion to pay close attention to how the users are identified. If I look in the monitor of users that are connected while the "Allow list" is set to "All", they are identified as “domain\username”. If I try my test LDAP Authentication profile and enter my name as domain/username the authentication works, even if I change "All" to a LDAP Group.

But this kind of makes me wonder about the "Username modifier". If I have entered the correct "User domain" and I set the "Username modifier" to "%USERDOMAIN%\%USERINPUT%", shouldn’t this mean that if I try with just username, the domain name would automatically be added transform it into “domain\username”? This does not seem to be happening.

If a on the LDAP Authentication profile that is actually being used for the GP configuration change the “Username modifier” change it from “%USERINPUT%" to "%USERDOMAIN%\%USERINPUT%" I cannot logon to the GP Portal any more. Doesn’t make any difference if I enter it as “domain\username” or “username”. If I change it back to being “%USERINPUT%” it works again if I enter “username” but not “domain\username”.

I fail to see to red thread in this.

Re: Problem with LDAP group usage in Authentication Profile

ess_johanchristensson — Tue, 05 May 2020 22:36:22 GMT

This issue have been put to the side for a while, but I decided to look into it again.

I can get this to work, filtering users based on group membership if the configuration is applied on the local cluster. But when the same configuration is applied though Panorama I cannot get it to work. And I have tested all variations I can think of, but the pattern is the same. A configuration that works on the local cluster will not work when applied trough Panorama.

The good news is that the "user filtering" on at least policy still seems works, even if the rule is configured though Panorama.

But my question here is: Is this "by design" or is this a bug?

Re: Problem with LDAP group usage in Authentication Profile

Mazarine — Thu, 03 Sep 2020 16:07:54 GMT

hi,

I have the same problem.

Tryed to get functionnal global protect with ldap auth (ad) by filtering with "advanced/allow list" in "device/authentication profiles"

Works fine if set-up localy on my devices but not when pushed via panorama.

i lost one day to do many tests to try to do it functionnal but nothing and i don't want set it up locally.

IS someone did the trick ?

panorama and panos on 9.4

Re: Problem with LDAP group usage in Authentication Profile

YordanYordanov — Wed, 11 Aug 2021 08:56:12 GMT

Do you find any solution on this issue?

Re: Problem with LDAP group usage in Authentication Profile

mhartyeos — Fri, 13 May 2022 10:38:15 GMT

Hi,

Have you checked your User-ID master device for your template stack?

You can do this by going to Panorama > Templates > select template stack and then select the active firewall as the master.

Commit the config to Panorama