https://live.paloaltonetworks.com/t5/general-topics/invalid-username-password-with-ldap-for-captive-portal/m-p/11874#M8722 <HTML><HEAD></HEAD><BODY><P>Yes, I'd completed this, as per one of the other articles (didn't read the small print when I was originally setting it up).</P><P></P><P>However, it's now working, removing and putting the configuration must have got me most of the way there, but I just rechecked the LDAP configuration as you outlined to check and noticed that SSL was ticked, which is something I must have missed during the re-inputting (previously unticked, and running on port 389, and not 636 for SSL).</P><P></P><P>I unchecked this and it's now working. Not sure if it was related, but I originally setup the auth profile with spaces in the names until I read another article about PanOS not supporting that (but allowing you to put it anyway), and changed the profile name to without spaces. As already mentioned, maybe removing it all and starting from scratch is the answer.</P><P></P><P>Thanks for your input</P></BODY></HTML> Tue, 26 Mar 2013 13:27:16 GMT johndickson 2013-03-26T13:27:16Z https://live.paloaltonetworks.com/t5/general-topics/invalid-username-password-with-ldap-for-captive-portal/m-p/11872#M8720 <HTML><HEAD></HEAD><BODY><P>Running a PA-500 on software version 5.0.2</P><P></P><P>I was wondering if anyone could point me in the right direction, I'm trying to get a captive portal working that using LDAP groups to provide access through the policy.</P><P>The LDAP servers are configured ok, as I can browse the OUs and add the necessary CNs, and if I run the show user group name "cn=groupname,dc=domain,dc=local" if works, meaning that bind username and LDAP setup must be fine. The captive portal works fine if I use the local db.</P><P></P><P>The LDAP auth profile is setup:</P><P></P><P>Name : name_with_no_spaces</P><P>Allow List : all</P><P>Authentication : LDAP</P><P>Server Profile : LDAPAccounts</P><P>Login Attribute : sAMAccountName</P><P>Password Expiry Warning : 7</P><P></P><P>I've had a look through <A __default_attr="4417" __jive_macro_name="document" class="jive_macro jive_macro_document" href="https://live.paloaltonetworks.com/"></A> and I've verified that the bind account is fine, as I've changed the password and can see the Group Mapping refresh failing so reverted it back, the LDAP servers are reachable (otherwise I wouldn't be able to browse the OUs in the group mapping), and the user does exist as it's my account which I use day to day.</P><P></P><P>As per <A href="https://live.paloaltonetworks.com/message/11333">Captive Portal with LDAP</A> I tried recreating it all again from scratch and still no joy.</P><P></P><P>The authd.log shows (username, domain and IP changed to generic)</P><P></P><P>Mar 26 13:00:54 pan_authd_service_req(pan_authd.c:3310): Authd:Trying to remote authenticate user: user1</P><P>Mar 26 13:00:54 pan_authd_service_auth_req(pan_authd.c:1186): AUTH Request &lt;'vsys1','DomainAuthProfile','user1'&gt;</P><P>Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1646): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:core:auth:profile_0,username domain\user1</P><P>Mar 26 13:00:54 pan_authd_authenticate_service(pan_authd.c:665): authentication failed (6)</P><P>Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1669): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:core:auth:profile_0,username domain\user1 failed - trying other hosts</P><P>Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1646): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:core:auth:profile_1,username domain\user1</P><P>Mar 26 13:00:54 pan_authd_authenticate_service(pan_authd.c:665): authentication failed (6)</P><P>Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1669): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:core:auth:profile_1,username domain\user1 failed - trying other hosts</P><P>Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1641): Skipping LDAP server due to missing Auth-Profile: pan_ldap_vsys1_:core:auth:profile_2</P><P>Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1641): Skipping LDAP server due to missing Auth-Profile: pan_ldap_vsys1_:core:auth:profile_3</P><P>Mar 26 13:00:54 authentication failed for user &lt;vsys1,DomainAuthProfile,domain\user1&gt;</P><P>Mar 26 13:00:54 pan_authd_process_authresult(pan_authd.c:1366): pan_authd_process_authresult: domain\user1 authresult not auth'ed</P><P>Mar 26 13:00:54 pan_authd_process_authresult(pan_authd.c:1409): Alarm generation set to: False.</P><P>Mar 26 13:00:54 User 'domain\user1' failed authentication.&nbsp; Reason: Invalid username/password From: ::ffff:192.168.1.10.</P><P>Mar 26 13:00:54 pan_get_system_cmd_output(pan_cfg_utils.c:4275): executing: /usr/local/bin/sdb -n -r cfg.operational-mode</P><P>Mar 26 13:00:54 pan_authd_generate_system_log(pan_authd.c:902): CC Enabled=False</P><P>Mar 26 13:00:54 pan_get_system_cmd_output(pan_cfg_utils.c:4275): executing: /usr/local/bin/sdb -n -r cfg.operational-mode</P><P></P><P>If anyone has any ideas of what else I could try, please let me know.</P></BODY></HTML> Tue, 26 Mar 2013 13:12:59 GMT https://live.paloaltonetworks.com/t5/general-topics/invalid-username-password-with-ldap-for-captive-portal/m-p/11872#M8720 johndickson 2013-03-26T13:12:59Z https://live.paloaltonetworks.com/t5/general-topics/invalid-username-password-with-ldap-for-captive-portal/m-p/11873#M8721 <HTML><HEAD></HEAD><BODY><P>Be sure you write Netbios name of AD at LDAPAccounts configuration (domain tab)</P></BODY></HTML> Tue, 26 Mar 2013 13:21:31 GMT https://live.paloaltonetworks.com/t5/general-topics/invalid-username-password-with-ldap-for-captive-portal/m-p/11873#M8721 Retired Member 2013-03-26T13:21:31Z https://live.paloaltonetworks.com/t5/general-topics/invalid-username-password-with-ldap-for-captive-portal/m-p/11874#M8722 <HTML><HEAD></HEAD><BODY><P>Yes, I'd completed this, as per one of the other articles (didn't read the small print when I was originally setting it up).</P><P></P><P>However, it's now working, removing and putting the configuration must have got me most of the way there, but I just rechecked the LDAP configuration as you outlined to check and noticed that SSL was ticked, which is something I must have missed during the re-inputting (previously unticked, and running on port 389, and not 636 for SSL).</P><P></P><P>I unchecked this and it's now working. Not sure if it was related, but I originally setup the auth profile with spaces in the names until I read another article about PanOS not supporting that (but allowing you to put it anyway), and changed the profile name to without spaces. As already mentioned, maybe removing it all and starting from scratch is the answer.</P><P></P><P>Thanks for your input</P></BODY></HTML> Tue, 26 Mar 2013 13:27:16 GMT https://live.paloaltonetworks.com/t5/general-topics/invalid-username-password-with-ldap-for-captive-portal/m-p/11874#M8722 johndickson 2013-03-26T13:27:16Z