Panorama Admin authentication using AD groups

Reply
L1 Bithead

Panorama Admin authentication using AD groups

When I tried to put the all or username in authentication profile allow list . The user can login into panorama but when I tried to put on group it does not work and keep reporting that its failed to apply the group . I have tried all combination but does not work.

 

According to the following link, it should be working but it does not like AD Group name.

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/device/device-authentication-...

I am trying to use "allow list" in Panorama Authentication profile but it does not work.

Allow List
Click Add and select all or select the specific users and groups that can authenticate with this profile. When a user authenticates, the firewall matches the associated username or group against the entries in this list. If you don't add entries, no users can authenticate.
To limit authentication to only the users who have legitimate business access needs and reduce the attack surface, specify users or user groups, don't use all.
If you entered a User Domain value, you don't need to specify domains in the Allow List. For example, if the User Domain is businessinc and you want to add user admin1 to the Allow List, entering admin1 has the same effect as entering businessinc\admin1. You can specify groups that already exist in your directory service or specify custom groups based on LDAP filters.

 

Error Message:

===========
2020-01-15 20:41:55.375 +0000 Error: pan_authd_users_get_id_cb(pan_auth_cache_allowlist_n_grp.c:93): pan_idmgr_get_id(22, 'cn=group1,dc=test,dc=homelab') failed
2020-01-15 20:41:55.375 +0000 Error: pan_authd_users_get_id_cb(pan_auth_cache_allowlist_n_grp.c:93): pan_idmgr_get_id(22, 'cn=group2,dc=test,dc=homelab') failed
2020-01-15 20:41:55.375 +0000 Error: pan_authd_users_get_id_cb(pan_auth_cache_allowlist_n_grp.c:93): pan_idmgr_get_id(22, 'group1') failed
2020-01-15 20:41:55.375 +0000 Error: pan_authd_users_get_id_cb(pan_auth_cache_allowlist_n_grp.c:93): pan_idmgr_get_id(22, 'group1@test.homelab') failed
2020-01-15 20:41:55.375 +0000 Error: pan_authd_users_get_id_cb(pan_auth_cache_allowlist_n_grp.c:93): pan_idmgr_get_id(22, 'group2') failed
2020-01-15 20:41:55.375 +0000 Error: pan_authd_users_get_id_cb(pan_auth_cache_allowlist_n_grp.c:93): pan_idmgr_get_id(22, 'group2@test.homelab') failed
2020-01-15 20:41:55.375 +0000 Error: pan_authd_users_get_id_cb(pan_auth_cache_allowlist_n_grp.c:93): pan_idmgr_get_id(22, 'test.homelab/group1') failed
2020-01-15 20:41:55.375 +0000 Error: pan_authd_users_get_id_cb(pan_auth_cache_allowlist_n_grp.c:93): pan_idmgr_get_id(22, 'test.homelab/group2') failed

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!