We have a PA in production. The problem is that VPN users don't pass a certain authentication profile. The issue is that when we point to a user it is OK, but when we point to a group it fails to authenticate.
We tested through the CLI and this is the result:
test authentication authentication-profile VPN_LDAP username eradmin password
Enter password :
Allow list check error:
Target vsys is not specified, user "eradmin" is assumed to be configured with
a shared auth profile.
Do allow list check before sending out authentication request...
User eradmin is not allowed with authentication profile VPN_LDAP
This eradmin user is a member of the VPN-USERS group. When we point to this user separately it is OK, but inside the group it fails to authenticate.
Model is 820
PAN-OS: 8.0.7
If you run the command as stated below, switching the info out with your group, does the firewall properly poll the group and display the requesting user?
show user group name cn=palo--lab-admin-users,ou=groups,ou=lab-enviroment,dc=lab,dc=root,dc=local