AD Group for Authentication

dusk2dusk
L1 Bithead

Let's say I have 150 users in an AD group and I need to give them all login access to my Palo Alto device farm.  How do I do that?



All Replies
ssharma
L5 Sessionator

dusk2dusk

This document has the information that you are looking for :

Using LDAP to Authenticate to the WebUI

This document is also applicable for CLI access as well. Thank you.

panos
L6 Presenter

You mean users will log in to the Palo Alto?

Just create an LDAP profile and use that with Authentication profile.

Then you'll choose that Auth. profile when creating users.

jambulo
L4 Transporter

One way is to use the User-ID Agent to map AD usernames to IP addresses (the PA reads the AD auth logs). Then, use the Group Mapping function to pull in users/groups from AD.

EDIT: Just re-read your question.  The above will allow you to apply usernames to security policies, not the PA WebUI.

dusk2dusk
L1 Bithead

I guess I need to be more clear. I have 150 network engineers/system admins I need to give access to my Palo Altos for management/viewing purposes. They are all in one AD group. Given the size of this group and its constantly changing user roles and terminations, there is no way I can manually manage this number of individual entries in each device.

ssharma
L5 Sessionator

In that case, RADIUS authentication would be more appropriate, as you do not have to configure administrator information on the device. You can add/delete/modify users on the back end. Each time an engineer/system admin tries to access the device, the firewall will contact the RADIUS server and assign the appropriate privileges to the user.

With LDAP, you will need to configure each of the 150 admins and modify the configuration each time there is a change to their privilege level. Hope this helps. Thank you.


HULK
L7 Applicator

dusk2dusk
L1 Bithead

Thank you ssharma. I guess I am wondering, with all the LDAP group info you can get in the Palo Alto along with direct Kerberos authentication, why on earth do we need to go through the laborious process of using customized RADIUS? I mean, we're already pulling that group info into the LDAP profile. Wouldn't it be a very easy thing to add group authentication straight off LDAP in PAN-OS code? It just seems odd not to have group auth as an option for LDAP. Unless there's a reason not to do it that way, I would like to submit a big Feature Request for this. It's rubbing many shades of the shine off of "AD Integration" after coming from traditional platforms like ScreenOS etc.

ssharma
L5 Sessionator

I understand your concern. But unlike RADIUS, LDAP does not support VSAs (vendor-specific attributes), through which the PA can go out and query for users' group associations and their privilege levels. That is why we need to configure all users for LDAP.

You can certainly contact your local sales /system engineer for a feature request. Hope this helps. Thank you.
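The two ssharma replies above describe the mechanism without showing it: the RADIUS back end looks up the user's AD group membership, picks an admin role, and returns it to the firewall inside an RFC 2865 Vendor-Specific attribute (type 26), so no per-user entry is needed on the device. The following Python is an added example, not code from this thread or from Palo Alto Networks, of what that back-end step looks like. It assumes the Palo Alto Networks enterprise number 25461 and vendor-type 1 for the admin-role VSA (check both against the vendor's RADIUS dictionary before use), the built-in PAN-OS dynamic role names, and a constructed AD-group-to-role table; the user records are constructed sample data, not a real directory lookup.

```python
import struct

# RFC 2865 attribute type for Vendor-Specific attributes.
ATTR_VENDOR_SPECIFIC = 26
# Assumptions: Palo Alto Networks IANA enterprise number and the vendor-type
# of the admin-role VSA. Verify against the vendor's RADIUS dictionary.
PALOALTO_VENDOR_ID = 25461
PALOALTO_ADMIN_ROLE = 1

# Constructed mapping from AD group DNs to built-in PAN-OS dynamic roles.
# Least privilege: the broad engineering group only gets read-only access.
GROUP_TO_ROLE = {
    "CN=PA-Superusers,OU=Groups,DC=example,DC=com": "superuser",
    "CN=PA-Admins,OU=Groups,DC=example,DC=com": "deviceadmin",
    "CN=PA-Engineers,OU=Groups,DC=example,DC=com": "superreader",
}
# If a user is in several mapped groups, the highest listed role wins.
ROLE_PRIORITY = ["superuser", "deviceadmin", "superreader"]

# Constructed stand-in for the directory: username -> memberOf values.
SAMPLE_DIRECTORY = {
    "alice": ["CN=PA-Engineers,OU=Groups,DC=example,DC=com"],
    "bob": ["CN=PA-Engineers,OU=Groups,DC=example,DC=com",
            "CN=PA-Admins,OU=Groups,DC=example,DC=com"],
    "carol": ["CN=Helpdesk,OU=Groups,DC=example,DC=com"],
}


def role_for_groups(member_of):
    """Return the most privileged mapped role for a memberOf list, or None."""
    granted = {GROUP_TO_ROLE[g] for g in member_of if g in GROUP_TO_ROLE}
    for role in ROLE_PRIORITY:
        if role in granted:
            return role
    return None


def encode_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute:
    Type(1) Length(1) Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value."""
    data = value.encode("utf-8")
    if len(data) + 8 > 255:
        raise ValueError("VSA value too long for a single attribute")
    vendor_part = struct.pack("!BB", vendor_type, len(data) + 2) + data
    body = struct.pack("!I", vendor_id) + vendor_part
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body


def decode_vsa(raw):
    """Decode a single VSA back into (vendor_id, vendor_type, value),
    rejecting length fields that do not match the buffer."""
    if len(raw) < 8:
        raise ValueError("too short for a Vendor-Specific attribute")
    attr_type, attr_len = struct.unpack("!BB", raw[:2])
    if attr_type != ATTR_VENDOR_SPECIFIC or attr_len != len(raw):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    (vendor_id,) = struct.unpack("!I", raw[2:6])
    vendor_type, vendor_len = struct.unpack("!BB", raw[6:8])
    if vendor_len != len(raw) - 6:
        raise ValueError("vendor-length does not match attribute length")
    return vendor_id, vendor_type, raw[8:].decode("utf-8")


def access_decision(username, directory=SAMPLE_DIRECTORY):
    """Model the RADIUS server's reply for an authenticated user:
    ('Access-Accept', [vsa_bytes]) when an AD group grants a role,
    otherwise ('Access-Reject', []) so unmapped users get no admin access."""
    role = role_for_groups(directory.get(username, []))
    if role is None:
        return "Access-Reject", []
    vsa = encode_vsa(PALOALTO_VENDOR_ID, PALOALTO_ADMIN_ROLE, role)
    return "Access-Accept", [vsa]


if __name__ == "__main__":
    for user in SAMPLE_DIRECTORY:
        code, attrs = access_decision(user)
        roles = [decode_vsa(a)[2] for a in attrs]
        print(f"{user}: {code} {roles}")
```

The point for the thread: role assignment lives entirely in the group table on the RADIUS side, so a termination or role change is handled by AD group membership and never touches the firewall. Unmapped users are rejected rather than silently given a default role, and the decoder checks both length fields so a malformed attribute is refused instead of misread.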

dusk2dusk
L1 Bithead

Thanks for the Suggestion HULK.  I located the RADIUS VSA document as well.  Trying to figure out if I want to go to 802.1x as well so maybe NPS is the way to go.
