Auth Profile 8.1.x LDAP



We'd like our users to be able to log into Captive Portal or GlobalProtect with user@domain.com or just user. We've messed around with seemingly every combination of username modifiers, but have not been able to get it to work both ways. Currently, logging in with user@domain.com works and the filter can see the user's AD group memberships. In certain configs, we can get just 'user' to log in, but no user groups are pulled. Does anyone have this working both ways? Currently on 8.1.2. Can't do 8.1.3 due to a bug that wouldn't allow us to commit on the HA pair.

29 replies

What domain settings do you have in your group mapping server profile?

 

https://imgur.com/a/YJn5erd

 

We had tried with the User Domain filled in here as well as in the profile, and instead of the profile, but can test again. Group Include List is blank to include all.

 

 

Testing the portal with just the 1 profile that has:

- Login Attribute: userPrincipalName
- User Domain: domain.com
- Username Modifier: %USERINPUT%@%USERDOMAIN%

resulted in the same behaviour as above, without the groups.

 

OK, I would test again with 1 profile and add the same domain to User Domain in the group ID stuff.

That combination did it! I think when we had User Domain filled out in the group ID section previously, we were using sAMAccountName instead of userPrincipalName for the profile's login attribute. The 1 profile now works to match the user both ways. Thank you!
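A small model of the normalization this thread describes (login attribute, User Domain and the %USERINPUT%@%USERDOMAIN% modifier feeding the domain\user key used for group lookup), as an added example that is not Palo Alto code; the profile field names and the group table are assumptions:

```python
# Added example, not PAN-OS code: models how the auth-profile settings in this
# thread turn what a user types into the LDAP lookup value and the domain\user
# key used for group mapping.  Field names and the group table are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthProfile:
    login_attribute: str    # "userPrincipalName" or "sAMAccountName"
    user_domain: str        # User Domain in the auth profile; "" if blank
    username_modifier: str  # e.g. "%USERINPUT%@%USERDOMAIN%"

def split_input(raw: str) -> tuple[str, str]:
    """Return (user, domain) for 'user', 'user@dom' or 'dom\\user'."""
    if "\\" in raw:
        dom, user = raw.split("\\", 1)
        return user, dom
    if "@" in raw:
        user, dom = raw.split("@", 1)
        return user, dom
    return raw, ""

def ldap_login_value(profile: AuthProfile, raw: str) -> str:
    """Value matched against login_attribute after the modifier runs.
    Per the thread, a modifier containing %USERDOMAIN% discards any domain
    the user typed and substitutes the profile's User Domain."""
    user, _typed = split_input(raw)
    if "%USERDOMAIN%" in profile.username_modifier:
        return (profile.username_modifier
                .replace("%USERINPUT%", user)
                .replace("%USERDOMAIN%", profile.user_domain))
    return profile.username_modifier.replace("%USERINPUT%", raw)

def user_id_key(profile: AuthProfile, raw: str) -> str:
    """domain\\user key that the group lookup would be done with."""
    user, typed = split_input(raw)
    dom = profile.user_domain or typed   # blank User Domain: keep what was typed
    return f"{dom}\\{user}" if dom else user

# Constructed sample of a group-mapping table keyed by domain\user.
GROUP_MAP = {"domain.com\\jdoe": ["vpn-users", "staff"]}

def groups_for(profile: AuthProfile, raw: str) -> list[str]:
    return GROUP_MAP.get(user_id_key(profile, raw), [])

WORKING = AuthProfile("userPrincipalName", "domain.com", "%USERINPUT%@%USERDOMAIN%")
BROKEN = AuthProfile("sAMAccountName", "", "%USERINPUT%")   # User Domain left blank
```

With WORKING, "jdoe", "jdoe@domain.com" and "jdoe@anotherdomain.com" all resolve to the same key and pull the same groups; with BROKEN, a bare "jdoe" gets no domain and therefore no groups, which is the symptom in the opening post.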

Mirrored the exact same Auth Profile, User-ID Captive Portal (which is pointing to the new auth profile), User-ID Group Mapping settings, and LDAP server to the main Palo, which is also on the same PAN-OS version, and it is not even normalizing there. Wonder if there is another setting elsewhere on the main device that I'm missing.

Hmmmm. Please don't take all my "Likes" back, I have been admiring them all day.....

 

OK, first things first: are you able to authenticate? Forget the group stuff for now.

User id on zonarooney.....

Plenty of likes to go around it looks like...

 

User-ID is enabled on every zone on the production box. Looking at the authentication logs after publishing the change yesterday to make the categories in my previous reply identical, they were still successfully authing with user@domain.com, but just user wouldn't auth at all, and in the auth logs it showed it only normalized as 'user'. I'll be able to re-publish tonight and test again when most users aren't going to be going through the box.

OK, so try user@anotherdomain.com; the auth modifier should ignore anotherdomain.com and replace it with the user domain in the server profile.

 

Is it set to userPrincipalName?

Tonight...... where are you based?

I'm in the UK and it's already tonight...

It is set to userPrincipalName in the auth profile and my domain is included in the auth profile. It did not modify when I tried user@fakedomain.com or just user. In fact, when I just went through the logs I can see someone tried authing with user@gmail.com and it normalized as gmail.com\user instead of subbing in our domain. The captive portal auth profile is absolutely pointing at the new auth profile like we've discussed, including the modifier.

 

I'm East Coast US. 5:50 PM here.

pan-settings.png

Are you pointing directly to an auth profile or an auth order? Perhaps just ensure you have the correct combo between the two.

I can see CP is pointing to auth new, but worth a check...

 

 

I assume the commit went through without warning or failure.

This is my way of saying: did you remember to commit... still catches me out now and again.

And that was my way of saying soz for teaching you how to suck eggs...

 

It's a bit tricky now on a live system. Can you set up a temp GP portal? This is the best way to test auth without upsetting users.

You can add new profiles etc. and kind of start from scratch.

 

The command-line stuff to test auth profiles is really useful sometimes, but it ignores the modifier.

It's direct to a profile, not a sequence. It was published successfully, but I tried deleting the profile and recreating it with the same issue. Same deal when trying to auth through GP using it. Another team member is saying he believed it was working on 8.1.2 until we upgraded to 8.1.3 and then had to re-downgrade after a bug. I wonder if there are some good debug commands to verify if any modification is actually happening.

OK, just to confirm: although I am testing mick@wrongdomain.com, it is authing me by adding the correct domain, but I still see the wrong domain in the PS system log.

 

The only way I can see to debug this is to change LDAP to non-secure (no SSL) and capture packets from the Palo.

 

I am only on 8.08.

 

So your live and test versions are the same; it may just be that you downgraded on your live. May be worth replicating on your test box.
