This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Captive Portal LDAP Authentication redundancy

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Captive Portal LDAP Authentication redundancy

Go to solution
JuanAn
L1 Bithead

‎01-28-2020 08:13 AM

Hello.

 

I have a Captive Portal that uses next Authentication Profile:

  • CP_Auth

Where:

Authentication Sequence:

  • CP_Auth - Auth_Mode_1, Auth_Mode_2

Authentication Profile:

  • Auth_Mode_1 - LDAP_1
  • Auth_Mode_2 - LDAP_2

LDAP Server Profile:

  • LDAP_1: 10.10.1.101, 10.10.1.102
  • LDAP_2: 10.10.2.103, 10.10.2.104

 

Base on our monitor logs, we noticed that all our authentications are using LDAP Server 10.10.1.101.

 

A few days ago we detected that server 10.10.1.101 had an issue and we decided to power off the machine.

 

After that, we were still seeing PA trying to reach this server and not trying to use the second LDAP server (10.10.1.102).

  1. Why was this happending? Shouldn't the firewall have to change to 10.10.1.102 as soon it detects timeout connections?
  2. Is there any way to configure redundancy in case of issue?

 

Kr.

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
JuanAn
L1 Bithead
In response to fjwcash

‎02-12-2020 10:26 AM

Actually, you are wrong.

 

I recommend you to check this:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXnCAK

 

Thanks anyway.

View solution in original post

0 Likes Likes
4 REPLIES 4

Go to solution
fjwcash
L4 Transporter

‎01-28-2020 09:14 AM

Create 4 separate LDAP Server Profiles.

Assign them to 4 separate Authentication Profiles.

List all 4 in the Authentication Sequence.

 

The LDAP Server Profiles don't fail-through to the next one.  It tries the first one, and only if it gets a specific response from it will it try the second one.

 

The Authentication Sequence is where you list all the servers you want it to try, and the order to try them in.  The first one to respond with "allowed" ends the sequence.  If none of them return an "allowed" response, then the authentication fails.

0 Likes Likes

Go to solution
JuanAn
L1 Bithead
In response to fjwcash

‎01-29-2020 08:22 AM

Many thanks for your response.

 

I don't understand... base on this document

 

"Configure at least two LDAP servers to provide redundancy"

 

What kind of redundancy are they referring in the previous document?

What is the condition that triggers the event of using the secondary LDAP?

Is timeout event not enough to triggers that?

 

Kr.

0 Likes Likes

Go to solution
fjwcash
L4 Transporter
In response to JuanAn

‎01-29-2020 08:28 AM

The way it was explained to us in the 8.1 training course was along the lines of "the first server in the list to respond after boot is the only one it will use" or something along those lines.  The instructor actually questioned why they allow multiple servers to be listed in a single Server Profile when it doesn't actually work the way you expect, but was never able to get a straight answer about it.

 

If you actually want it to failover to another LDAP server, then you need to use a single server per LDAP Server Profile, and list all of those in an Authentication Sequence.

0 Likes Likes

Go to solution
JuanAn
L1 Bithead
In response to fjwcash

‎02-12-2020 10:26 AM

Actually, you are wrong.

 

I recommend you to check this:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXnCAK

 

Thanks anyway.

0 Likes Likes
  • 1 accepted solution
  • 3865 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks