LDAP Authentication Profile allow list 'all'

L1 Bithead

LDAP Authentication Profile allow list 'all'

When configuring an LDAP Authentication Profile, what does the 'all' refer to in the allow list?

L6 Presenter

Re: LDAP Authentication Profile allow list 'all'

All is a reference to any user.

If you only wanted members of a certain group or individual users to use this authentication profile, then you would add them here.

L1 Bithead

Re: LDAP Authentication Profile allow list 'all'

Thanks. And to clarify, if a user isn't defined as an Administrator or as a Captive Portal or GlobalProtect user, either explicitly or as a group member, then authentication will fail with something like an "Authentication profile not found for the user" message in the system log? Simply selecting 'all' in the allow list does not grant everyone the ability to log in to the firewall, correct?

L6 Presenter

Re: LDAP Authentication Profile allow list 'all'

Yes, I think so...

I only say "think so" as I have never used any other option than "ALL", so I don't know what the system log would say... but I'm sure you have already seen this...

To allow all only means that all users can attempt to authenticate against this profile...

L6 Presenter

Re: LDAP Authentication Profile allow list 'all'

OK, just tested the auth with a test profile without me in the allow list.

system log ...

failed authentication for user "Me" Reason: user is not in allow list. auth profile Radius Test.

 

Boom! 
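
The rejection message quoted in the post above can be pulled out of exported system log lines to see which authentication profiles are turning users away because of the allow list. This is an added example, not part of the original thread or any vendor code; the timestamp prefix, the sample lines and the names `svc-backup` and `LDAP Admins` are constructed, and the message wording is assumed to match what was quoted.

```python
import re
from collections import Counter

# Pattern built from the system log message as quoted in the thread.
# Assumption: real exports carry extra leading fields, so we search, not match.
ALLOW_LIST_REJECT = re.compile(
    r'failed authentication for user "(?P<user>[^"]+)"\s+'
    r'Reason: user is not in allow list\.\s+'
    r'auth profile (?P<profile>.+?)\.?\s*$'
)

# Constructed sample input; only the message text follows the quoted line.
SAMPLE_LOG = """\
2024-01-10 09:14:02 failed authentication for user "Me" Reason: user is not in allow list. auth profile Radius Test.
2024-01-10 09:14:40 failed authentication for user "Me" Reason: user is not in allow list. auth profile Radius Test.
2024-01-10 09:15:11 failed authentication for user "svc-backup" Reason: user is not in allow list. auth profile LDAP Admins.
2024-01-10 09:16:00 some unrelated system event
"""


def allow_list_rejections(lines):
    """Count allow-list rejections per (auth profile, user) pair."""
    counts = Counter()
    for line in lines:
        m = ALLOW_LIST_REJECT.search(line)
        if m:
            counts[(m.group("profile"), m.group("user"))] += 1
    return counts


def profiles_rejecting(counts):
    """Map each auth profile to the sorted list of users it turned away."""
    by_profile = {}
    for profile, user in counts:
        by_profile.setdefault(profile, set()).add(user)
    return {p: sorted(users) for p, users in by_profile.items()}


if __name__ == "__main__":
    counts = allow_list_rejections(SAMPLE_LOG.splitlines())
    for (profile, user), n in sorted(counts.items()):
        print(f"{profile}: {user} rejected by allow list {n}x")
```
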

 

L1 Bithead

Re: LDAP Authentication Profile allow list 'all'

I did a similar test and got a similar result.

AFAIK setting the allow list to 'all' and relying on authentication profiles is the cleanest way to go about provisioning permissions, but if I'm mistaken please let me know.
