Just to reiterate ,you can use Radius for AD-Group based Admin Authentication Refer: Radius Vendor Specific Attributes (VSA)
I had the exact same problem with my LDAP-login.
For domain, you need to enter the Netbios name, not the FQDN, as the users are identified as domain\username, not domain.com\username.
In your case, domain should simply be "csg", not "csg.es".
When logging in I would try to first go ahead without specifying the domain, and if that doesn't work, try domain\username.
If you've been having trouble with policies based on AD-groups not working, this will also solve that problem.
Another thing I noticed is the Bind DN, this is the entire DN, and it seems like you have typed the username of the Palo Alto firewall user?
To make sure you get this right, open Active Directory Users and Computers on your Active Directory server, select the user properties and go to the Attribute Editor. (go to View, and select Advanced Features to get this option)
Copy the contents of the field distinguishedName.
Hope this helps. :smileyhappy:
When you try to configure this using CLI ,it clearly suggests that Only RADIUS method is supported for
for non-local admins
# set deviceconfig system authentication-profile
<value> Authentication profile to use for non-local admins. Only RADIUS method is supported.
So if you need to use AD groups for admins not configured locally you need RADIUS.
I have a similar issue: I have several outside vendors defined as local users, they can log on to a 'captive portal' and then connect to a server in our DMZ. The users are created, enabled, and added to a user group; and also added to the users column of the policy allowing them to connect to the server - basically any source, these users, that destination, https. Of the two users I have added one is working fine but the other fails at the firewall authentication with the system log message: User '<name>' failed authentication. Reason: User is not in allowlist From: <remote IP>.
Anyone have any ideas where I should be looking for an answer?
Keep in mind that for creating new PA's admin, the amin account has to exist in your AD and you have to recreate it in the administrator menu in the palo.
As per my knowledge,.. you can't create group based authentication (correct me if i am wrong), instead create a admin with the unique user name as in the AD. Below snaps shows the same.
Create a auth profile.
Create a new administrator. In the below snap, Name : nithin is same as in the AD ( Name should match the user name in the AD)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!