03-14-2012 10:31 AM
Hi all,
does anybody have an exmple of howto authenticate a user based on it's group membership against active directory?
We have 3 kind of groups in AD which should represent the access level.
Could someone please post a small summary how to achieve this.
I tried alreday to setup LDAP Server Profile and the Authentication Profile but in the authentication profile I couldn't browse the allow list.
Maybe I missed something. When I continued with an any statement and setting up an account in the Adminsitrators tab, I wasn't able to authenticate this user.
Any ideas?
Thanks
Michael
03-16-2012 02:11 AM
Hi,
thanks for the reply.
But the upgrade didn't solve the problem.
Is there a step-by-step guid avaiable which I can follow, to check if I don't miss a setp?
Michael
03-16-2012 07:10 AM
Hi Michael...I thought the problem was that you couldn't browse the allow list in the Authen Profile. Are you able to browse the allow list under version 4.1.4? Does the LDAP admin authentication work if you set the allow list to 'All' by selecting the All checkbox?
Here's a guide on configuring Kerberos authentication in PANOS 4.0: https://live.paloaltonetworks.com/docs/DOC-1762. The procedure for the Authen Profile is basically the same as for LDAP. Maybe you can try to use Kerberos instead of LDAP.
03-16-2012 04:32 PM
I'm guessing he's asking for something that I was interested in.
I have Kerberos based authentication working, so if I setup a user called BOB, and I have an AD account with the same name I can authenticate using the BOB AD password - all good.
However, what I want is to be able to link an AD group without having to create the local account - so if I add TOM to the AD group it automatically allows TOM to login to the Palo without having to create the local account to map to...
My view anyway!
03-19-2012 01:50 AM
Hi,
the authentication is working with Kerberos thanks for the advice.
But what I'd like to have is a authentication based on the AD groups. That I don't need to create each account on the box.
Thanks
Michael
03-19-2012 10:54 AM
I had the same issue with 4.1 (4.1.3 in my case). The documentation in the admin guide and user id agent setup fail to tell you this, but if you want to use Kerberos and not LDAP then you have to use the old user id agent 3.1 for AD. Then it will work (provided the account being used to browse has appropriate permissions). The reason being (as explained to me by tech support) is that the PAN does all the user to group mapping in 4.1.x and it only supports that via LDAP at this time.
In order to make it work with Kerberos (using Kerberos authentication profiles, sequences, and server profiles) then you have to use the 3.1 user id agent for AD. Even using 4.1.3-2 user id agent in a proxy mode will break it.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
