admin auth failed

L0 Member

Hi Support team,

I tried to authenticate admin with RADIUS, but failed.

The following message appeared in System logs:

- User 'komure' failed authentication. Reason: User is not in allowlist

What does it mean?

device : PA-500

PANOS : 3.1.0

Regards,

Tomoyuki Komure

Not applicable

I had the same error but with LDAP and SSL, and I switched the authentication profile (that I had with LDAP) and switched to authentication none. I had to include the group where the users belong. In RADIUS you can check the user group that the user belongs to.

And worked for me.

Thanks.

Helder Teixeira

Not applicable

Last update: I've got some users working with (DOMAIN\username) and others with (DOMAIN\\username). Give it a try.

L4 Transporter

If you are using RADIUS for authentication, it's going to be two parts. First, you must allow the RADIUS authentication. I would pick a global group like "Authenticated Users" or "Domain Users" in your RADIUS policy.

Then you have to allow the user in either the Administrators list under the Device tab, or the Authentication Profile you are using for your SSL VPN.

Not applicable

Could some one please post a working example of administrator authentication via LDAP?

I have many non-Palo devices working like a treat but I can't seem to get the Palo to work!

I can't even find anything in the log and doing a debug ldap-server stats shows the server as not running!

Is there a better way to test? Some log that may indicate why it is not making a connection, e.g. invalid bind DN etc.?

Thanks

L4 Transporter

I believe you can only use RADIUS if you want to authenticate an administrative user to the PAN device. I see two options when configuring a new administrative user: Local DB and RADIUS.

You can use the PAN Agent to authenticate users using LDAP if you want to setup security policies with source users.

L6 Presenter

Starting in version 3.1.x, you can define an authentication profile which uses local DB, RADIUS, or LDAP. The administrators can be authenticated to the profile of your choosing, and admin auth can use local DB, RADIUS, or LDAP.

L1 Bithead

Hi,

I've been struggling with this also, but I think I got this working (adding the user 'all' to the allow list, ...).

Please see the attached PDF file for a step-by-step guide and let me know the result.

regards,

Philippe
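As an added example (not from this thread, and not Palo Alto Networks code), a small Python model of the two-stage check described in the replies above: first parse the "not in allowlist" system-log line quoted in the question, then apply a simplified allow-list rule in which 'all', the bare username, or one of the user's returned groups admits an already-authenticated user. The domain-prefix stripping and the group matching are assumptions of this model, not documented PAN-OS behaviour; the sample log lines are constructed.

```python
import re

# Constructed sample system-log lines, shaped like the one quoted in the question.
SAMPLE_LOGS = [
    "User 'komure' failed authentication. Reason: User is not in allowlist",
    "User 'DOMAIN\\jdoe' failed authentication. Reason: Invalid username/password",
    "User 'admin' authenticated successfully",
]

LOG_RE = re.compile(
    r"User '(?P<user>[^']+)' failed authentication\. Reason: (?P<reason>.+)"
)


def parse_auth_failures(lines):
    """Return (user, reason) tuples for every failed-authentication line."""
    failures = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            failures.append((m.group("user"), m.group("reason").strip()))
    return failures


def classify(reason):
    """Point the troubleshooter at the right stage.

    'allow-list': the RADIUS/LDAP server accepted the credentials, but the
                  authentication profile's allow list rejected the user.
    'server':     the failure happened on the RADIUS/LDAP side; fix that first.
    """
    return "allow-list" if "allowlist" in reason.lower() else "server"


def allowed_by_profile(user, user_groups, allow_list):
    """Simplified allow-list model (assumption, not documented PAN-OS logic):
    'all' admits any authenticated user; otherwise the bare username or one
    of the user's groups must appear in the list. The DOMAIN\\ prefix is
    stripped before comparison and matching is case-insensitive."""
    bare = user.split("\\")[-1].lower()
    entries = {e.lower() for e in allow_list}
    if "all" in entries or bare in entries:
        return True
    return any(g.lower() in entries for g in user_groups)


if __name__ == "__main__":
    for user, reason in parse_auth_failures(SAMPLE_LOGS):
        print(f"{user}: {reason} -> check the {classify(reason)} side")
```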

L6 Presenter

Thank you for the write-up and sharing with all of us!!

L3 Networker

Thank you. This helps!
