Cli command to test Authentication Profile requiring exact match

L2 Linker

Hey All

While working a support case for a customer, I've come across an odd situation and before I go and log it with Palo TAC I wondered if anyone else had seen this / was aware of it:

So: Authentication profile configured with an allow list restricted to one LDAP group. I can use that Auth Policy in, say, GlobalProtect and sure enough, only users who are members of that group can connect to the portal.

> show user user-ids all

- shows the list of users pulled in by User/Group mapping (so the firewall knows a user is in that group), but when I run:

> test authentication authentication-profile X username Y ...etc. etc.

- this always fails ("User Y is not allowed with Authentication Profile X"), unless I include the specific username in the allow list in the Auth Profile, or I allow 'All'. With and without appending domain info - same result.

Looking at the documentation available, all examples of testing an Auth Profile using LDAP match the group 'All' (e.g. https://www.paloaltonetworks.com/documentation/80/pan-os/cli-gsg/use-the-cli/test-the-configuration/...):

"Do allow list check before sending out authentication request...
name "bzobrist" is in group "all" ..."

(it's never a restricted LDAP group)

I did see here:

https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-authentica...

- that "Because you cannot configure the firewall to modify the domain/username string that a user enters during SAML logins, the login username must exactly match an Allow List entry."

I am seeing this behaviour with LDAP, both in the customer's environment and I have replicated it simply enough in our lab.

Has anyone restricted an Auth Profile to an LDAP group and then been able to run the '> test authentication...' CLI command and have it work?

Many Thanks

Alex

L5 Sessionator

Re: Cli command to test Authentication Profile requiring exact match

Do you get the same behavior if you add both the long and short group name to the allow list?

 

Considering the default group mapping refresh interval (default 60 minutes) you may need to initiate a manual group mapping refresh via:

debug user-id refresh group-mapping all

L2 Linker

Re: Cli command to test Authentication Profile requiring exact match

Hi Luke

The Group-mapping is in place; that user (*domain\username) appears (when I run > show user user-ids) as a member of the correct group (the one named in the Auth profile), so it's not that it's not up to date.

I can run the command with > test authentication authentication-profile username *domain\username or just *username - and unless that specific username is listed in the Auth profile Allow List the auth test fails. The fact they are a member of that group (as the '> show user user-ids' output proves) doesn't seem to be taken into account.

To answer your question - yes; either long name or short name (*domain\username or *username) in the Allow List works the same (my Auth Profile is set to append it automatically).

Thanks

Alex 

L1 Bithead

Re: Cli command to test Authentication Profile requiring exact match

According to this post it is/was a bug, the 'test authentication authentication-profile' command does not work properly.
Unfortunately there is no bug ID mentioned and I do not know whether it is already fixed or not.

L2 Linker

Re: Cli command to test Authentication Profile requiring exact match

Thanks Bud!

Glad it's not just me!

****Edited****

OK, so there is a confirmed bug with the test command:

> test authentication authentication-profile...

resulting in the following error:

"Allow list check error:
Target vsys is not specified, user "silentbob" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
User Administrator is not allowed with authentication profile LDAP"

 

(membership of LDAP groups is ignored in the authentication profile allow list).

It's registered under PAN-80160 - but this is not publicly documented (not in Limitations or known issues of 8.0).

Hopefully search engines will bring people here.... :)

The bug is resolved in 8.1
