topic Re: Authentication using LDAP/AD in General Topics

Authentication using LDAP/AD

smithkopel — Thu, 09 Feb 2012 00:14:21 GMT

Hello,

I'm trying to get LDAP authentication working using Active directory. I have created an LDAP server profile, an Authentication Profile and Group Mapping settings profile. When I'm setting up the Group mappings I can go in and see the entire directory tree and pick groups so I know that it is connecting the the AD server and pulling information. However, in the Authentication Profile, if I try to pick users for the allow list, it doesn't find anything from the AD only local users. I have tried creating a firewall Administrator using the LDAP profile, and cannot login. When I look at the system log, it says "authentication profile not found for user".

I'm obviously missing something somewhere, but can't figure it out.

Thanks,

Kenton

Re: Authentication using LDAP/AD

rmonvon — Thu, 09 Feb 2012 02:18:17 GMT

Hi...Within the Authentication Profile, please make sure you set the authentication=LDAP and set the Server Profile=<LDAP server>. Then select 'all' for the Allow List. Please give that a try. Thanks.

Re: Authentication using LDAP/AD

smithkopel — Fri, 10 Feb 2012 21:54:02 GMT

Thanks @rmonvon but those are the settings I currently have.

Kenton

Re: Authentication using LDAP/AD

rmonvon — Sat, 11 Feb 2012 02:12:28 GMT

If you have 'all' selected under the Allow List, the authentication should work on all users. There is another post where some users could not get the group listing to display.

https://live.paloaltonetworks.com/thread/4083?tstart=0

Maybe you can check back on this other posting to see the result once they have contacted support. Thanks.

Re: Authentication using LDAP/AD

smithkopel — Mon, 13 Feb 2012 21:25:18 GMT

Thank-you for the link. There is a suggestion in that thread that this might be a bug in 4.1.2 (which we are running). Has it been determined that it is a bug?

Kenton

Re: Authentication using LDAP/AD

rmonvon — Mon, 13 Feb 2012 21:56:05 GMT

Yes, it has been identified as a bug and is targeted to be fixed in the next release, 4.1.3. The workaround is to set the Allow List to 'all' under the Authentication Profile and define a Security Rule to allow access only to the specific AD group. Thanks.

Re: Authentication using LDAP/AD

smithkopel — Mon, 13 Feb 2012 22:12:30 GMT

Thank-you. Should this workaround work for device Administrators as well? Because it doesn't. I haven't tried it with the Portal and VPN because I don't want to break our currently working configuration. However, when I try to add an Administrator using the same LDAP profile it will not authenticate users in AD.

Kenton

Re: Authentication using LDAP/AD

rmonvon — Mon, 13 Feb 2012 22:37:04 GMT

The bug is not allowing the AD groups to be displayed for you to select from. So leaving the Allow List='all' at default should work for admin authentication. I suggest that you delete the Authentication Profile that is not working and create a new Authentication Profile. Make sure to set the authentication=LDAP, select the LDAP server, and the login cn=sAMAccountName if this is an AD LDAP.

Re: Authentication using LDAP/AD

smithkopel — Tue, 14 Feb 2012 01:01:54 GMT

Still no luck. Attached is screenshot of my config. Error in system log says "authentication profile not found for the user from: <IP Address>.

Re: Authentication using LDAP/AD

rmonvon — Tue, 14 Feb 2012 04:48:56 GMT

Can you check the admin account setting please. The error appears to indicate the admin setting is missing the authen profile. If it looks correct and the problem persists, please contact support. Thanks.

Re: Authentication using LDAP/AD

smithkopel — Tue, 14 Feb 2012 17:45:33 GMT

Yes the profile is there. I'll call support.

Thanks,

Kenton

Re: Authentication using LDAP/AD

jeffrolc — Sun, 04 Mar 2012 08:10:14 GMT

Kenton,

did you get this working? im having the same issues.

Re: Authentication using LDAP/AD

smithkopel — Mon, 05 Mar 2012 17:42:21 GMT

No I haven't. I haven't called support yet because the real thing I'm trying to get to work is the AD authentication for the VPN and there is a bug in that. So I figured I'd just wait until they fix the bug. Hopefully that wil be relatively soon.

Kenton

Re: Authentication using LDAP/AD

Quinton — Fri, 25 May 2012 12:24:16 GMT

Having similiar issues at a customer.

@smithkopel - Did you manage to get this issue resolved?

Thanks

Re: Authentication using LDAP/AD

smithkopel — Fri, 25 May 2012 15:21:17 GMT

No I haven't worked on it any more. I intend to upgrade to a newer version of the OS in a couple of weeks and hopefully that will fix the root of the problem.

Kenton

Re: Authentication using LDAP/AD

kslyons — Fri, 25 May 2012 17:01:33 GMT

The CN should equal a real user such as administrator not samaccountname.

Re: Authentication using LDAP/AD

nmsecteam — Mon, 25 Jun 2012 03:31:17 GMT

I have had this similar issue and I figured out that, the user ID which you are using to authenticate to the AD, should be listed in PA locally as an administrator. Then the AD can be used to authenticate this account. As per my SE, they have submitted an enhancement request and will update you guys once I get to know anything.

Hope this helps

Re: Authentication using LDAP/AD

cmateam — Mon, 25 Jun 2012 15:42:41 GMT

I was having this same problem and switched to Kerberos (assuming it's an AD environment?). Worked like a charm.