admin auth failed


L0 Member

Hi Support team,

I tried to authenticate admin with RADIUS, but failed.

The following message appeared in System logs:

- User 'komure' failed authentication. Reason: User is  not in allowlist

What does it mean?

device : PA-500

PANOS : 3.1.0

Regards,

Tomoyuki Komure

15 replies

Not applicable

I had the same error but with LDAP and SSL, and I switched the authentication profile (that I had as LDAP) and switched to authentication none. I had to include the group the users belong to. In RADIUS you can check the user group that the user belongs to.

And worked for me.

Thanks.

Helder Teixeira

Last update: I've got some users working with (DOMAIN\username) and others with (DOMAIN\\username). Give it a try.

L4 Transporter

If you are using RADIUS for authentication, it's going to be two parts. First, you must allow the RADIUS authentication. I would pick a global group like "Authenticated Users" or "Domain Users" in your RADIUS policy.

Then you have to allow the user in either the Administrators list under the Device tab, or the Authentication Profile you are using for your SSL VPN.

Could someone please post a working example of administrator authentication via LDAP?

I have many non-Palo devices working like a treat but I can't seem to get the Palo to work!

I can't even find anything in the log and doing a debug ldap-server stats shows the server as not running!

Is there a better way to test? Some log that may indicate why it is not making a connection, e.g. invalid bind DN etc.?

Thanks

I believe you can only use RADIUS if you want to authenticate an administrative user to the PAN Device. I see two options when configuring a new administrative user, Local DB and RADIUS.

You can use the PAN Agent to authenticate users using LDAP if you want to setup security policies with source users.

Starting in version 3.1.x, you can define an authentication profile which uses local DB, RADIUS, or LDAP. The administrators can be authenticated to the profile of your choosing, and admin auth can use local DB, RADIUS, or LDAP.

L1 Bithead

Hi,

I've been struggling with this also, but I think I got this working (adding the user 'all' to the allow list, ...).

Please see the attached PDF file for a step-by-step guide and let me know the result.

regards,

Philippe

Thank you for the write-up and sharing with all of us!!

Thank you. This helps!

Not applicable

Brilliant. Thanks for the great write-up. I have spent a few hours struggling with this.

Arnljot

I'm still struggling trying to authenticate a group of users as Palo Alto admins. These users are not in any one particular group. I get the error 'Authentication profile not found for the user'. I just want to create a list of ids for Palo Alto to query AD for using LDAP. Is the problem that PA will only search for groups or at a particular search base DN? It can't search nested groups.

I also am lost on how to turn debugging on just for this process. It would be good to see what the PA queries for.

A 'test authentication' applet in the GUI might be a good thing to add.

Any help would be appreciated.

You can define an Authentication Profile, use LDAP for the auth method, and type in 'all' for the allow user. The 'all' means any user in your AD/LDAP with a valid username/password will be permitted as an admin. I use this for testing only. NOTE: 'all' is really all without the quotes.

Once that works, you then permit specific users or groups to be admins by replacing the 'all' with actual AD usernames/groups.
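The two-step flow described in the replies above (the RADIUS answer earlier in the thread and this one) is: the directory validates the credential first, and only then does the firewall check the account against the authentication profile's allow list (specific users, groups, or the keyword all). The following is an added illustrative model of that flow, written for this page; it is not PAN-OS code and not code from anyone in the thread. The directory contents, passwords and group names are constructed; the only message taken from the page is the "User is not in allowlist" reason from the original log line.

```python
# Illustrative model (not PAN-OS code) of admin login = authentication + allow-list check.
# Constructed directory: sAMAccountName -> (password, set of group names).
DIRECTORY = {
    "komure": ("S3cret!", {"Domain Users"}),
    "pdupont": ("Hunter2", {"Domain Users", "FW-Admins"}),
    "svc-backup": ("Backup99", {"Domain Users", "Backup Operators"}),
}

def normalize_login(login: str) -> str:
    """Reduce a login to the bare sAMAccountName.

    Both DOMAIN\\user and DOMAIN\\\\user forms were reported in the thread, so
    take whatever follows the last backslash and compare case-insensitively.
    """
    return login.rsplit("\\", 1)[-1].lower()

def authenticate(login: str, password: str):
    """Stage 1: the directory (LDAP/RADIUS in the thread) validates the credential.

    Returns the normalized username on success, None on failure.
    """
    user = normalize_login(login)
    entry = DIRECTORY.get(user)
    if entry is None or entry[0] != password:
        return None
    return user

def is_allowed(user: str, allow_list: set) -> bool:
    """Stage 2: the authentication profile's allow list.

    The keyword 'all' admits any authenticated account (the testing shortcut
    from the reply above); otherwise the user must be listed by name or be a
    member of a listed group.
    """
    if "all" in allow_list:
        return True
    if user in {entry.lower() for entry in allow_list}:
        return True
    groups = DIRECTORY[user][1]
    return any(group in allow_list for group in groups)

def admin_login(login: str, password: str, allow_list: set):
    """Run both stages and return (success, reason).

    A valid credential that is not on the allow list yields the same reason
    text as the System log line quoted in the original question.
    """
    user = authenticate(login, password)
    if user is None:
        return (False, "invalid credentials")          # constructed wording
    if not is_allowed(user, allow_list):
        return (False, "User is not in allowlist")     # reason text from the thread
    return (True, "ok")

if __name__ == "__main__":
    for login, pw, allow in [
        ("komure", "S3cret!", {"all"}),          # test profile: anyone authenticated
        ("komure", "S3cret!", {"FW-Admins"}),    # valid password, not in allow list
        ("DOMAIN\\pdupont", "Hunter2", {"FW-Admins"}),
    ]:
        print(login, sorted(allow), "->", admin_login(login, pw, allow))
```

The point the model makes visible is that "failed authentication" in the log can come from stage 2 even though the directory accepted the password; replacing the allow list's all with named users or groups is the authorization step, and the case-insensitive, domain-stripped comparison is an assumption of this model, not documented PAN-OS behaviour.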

You mean in the auth profile I add all? Like in the attached picture? Because that didn't work.

What do you use for the login attribute? sAMAccountName?

That's correct - for LDAP, you also need to add the user here:

[Attached screenshot: Screen shot 2011-03-02 at 18.51.50.png]

This is why RADIUS can be more scalable if you have a high number of admins:

https://live.paloaltonetworks.com/docs/DOC-1701

Thanks

James

  • 14930 Views
  • 15 replies
  • 0 Likes