AD/LDAP admin authentication in 4.1

Reply
Not applicable

AD/LDAP admin authentication in 4.1

Hi all,

does anybody have an exmple of howto authenticate a user based on it's group membership against active directory?

We have 3 kind of groups in AD which should represent the access level.

Could someone please post a small summary how to achieve this.

I tried alreday to setup LDAP Server Profile and the Authentication Profile but in the authentication profile I couldn't browse the allow list.

Maybe I missed something. When I continued with an any statement and setting up an account in the Adminsitrators tab, I wasn't able to authenticate this user.

Any ideas?

Thanks

Michael

L6 Presenter

Hi...You should upgrade to PAN-OS 4.1.4 and give it another try.  Thanks.

Not applicable

Hi,

thanks for the reply.

But the upgrade didn't solve the problem.

Is there a step-by-step guid avaiable which I can follow, to check if I don't miss a setp?

Michael

L6 Presenter

Hi Michael...I thought the problem was that you couldn't browse the allow list in the Authen Profile.  Are you able to browse the allow list under version 4.1.4?  Does the LDAP admin authentication work if you set the allow list to 'All' by selecting the All checkbox?

Here's a guide on configuring Kerberos authentication in PANOS 4.0:  https://live.paloaltonetworks.com/docs/DOC-1762.  The procedure for the Authen Profile is basically the same as for LDAP. Maybe you can try to use Kerberos instead of LDAP.

L4 Transporter

I'm guessing he's asking for something that I was interested in.

I have Kerberos based authentication working, so if I setup a user called BOB, and I have an AD account with the same name I can authenticate using the BOB AD password - all good.

However, what I want is to be able to link an AD group without having to create the local account - so if I add TOM to the AD group it automatically allows TOM to login to the Palo without having to create the local account to map to...

My view anyway!

L6 Presenter

Within the Authentication Profile, you can permit the group(s) under the Allow List that will have admin access.  Under Device tab ==> Setup ==> Authentication Settings, you then select the Authen Profile to use.  Please give that a try.  Thanks.

Not applicable

Hi,

the authentication is working with Kerberos thanks for the advice.

But what I'd like to have is a authentication based on the AD groups. That I don't need to create each account on the box.

Thanks

Michael

Not applicable

I had the same issue with 4.1 (4.1.3 in my case). The documentation in the admin guide and user id agent setup fail to tell you this, but if you want to use Kerberos and not LDAP then you have to use the old user id agent 3.1 for AD. Then it will work (provided the account being used to browse has appropriate permissions). The reason being (as explained to me by tech support) is that the PAN does all the user to group mapping in 4.1.x and it only supports that via LDAP at this time.

In order to make it work with Kerberos (using Kerberos authentication profiles, sequences, and server profiles) then you have to use the 3.1 user id agent for AD. Even using 4.1.3-2 user id agent in a proxy mode will break it.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!