Administrator Authentication with ldap

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Administrator Authentication with ldap

L3 Networker

Trying to create role based user account for monitoring the firewall. I tried to use ldap authentication. However it seems there is some issue with using ldap

pix1.PNG

I am facing this error after trying to authentication with correct credentials and below are the logs

pix2.PNG

Although it shows authenticated, but still the invalid username and / or password on the GUI

Is it that it can't be done using ldap?

Regards

Aamir Khan

1 accepted solution

Accepted Solutions

Hi Chetan,

Since the firewall does not support ldap authentication for non-local users. So even if showing successfully authenticated in the logs, It tries to look in to the administrator tab if there is any username of the same name which it authenticated.

  • If we use custom name, it won't find the username and will show the error "invalid username or password". So that is why we need to create individual administrator profile corresponding to the name we authenticated or else use radius.

radius.PNG

Regards

Aamir Khan

View solution in original post

15 REPLIES 15

L7 Applicator

Hello Aamir,

Could you please let us know the PAN OS version running on this PAN firewall and is the  username contains non-alphanumeric characters such as "/"...?

Thanks

L6 Presenter

You may want to refer following document for more detail.

Defining Granular Admin Role Profiles

I am using 6.0.3, however i test it on 6.0.1 with same result.The password is alpha numeric

L6 Presenter

Lets say you want to create Role based authentication for user Robert, than make sure Devcie > Administrator > & Name is Robert, if its different it will not work.

Good news is it works with LDAP.

Role_Based2.png

The Problem is I am not using predefined roles. I am having custom roles.

pix3.PNGpix4.PNGpix5.PNG

Hi Westcon,

For Custom Role and Standard Role, configuration is same. So I think that is not the problem.

Do you have runtime.in/iseadmin or iseadmin in Administrator filed? I think this is the issue.

Regards,

Hardik Shah

Instead iseadmin can you try "runtime.in/iseadmin " ?

iseadmin is a user in ldap. However I want to give this user access to the firewall for monitoring only.

L5 Sessionator

Hello Westcon,

For non local admins LDAP is not supported and only Radius is supported for remote login users. I tested this in lab and found similar results:

Capture.PNG

You can also see that in the window (Device > Setup > Authentication settings) while mentioning the authentication profile there is a statement that "Only Radius is supported"

Thanks

Chetan

Harsha,

It did the trick having the username in the administrator profile. But the problem is if I have 3 users then I have to create 3 administrator profile each with the username.

I can't create a common template name

2014-07-03 05:50:42.747 +0400 Running cmd: insert into admusers values (?, ?)

2014-07-03 05:50:42.747 +0400 Error:  pan_authd_update_admin_user_in_db(pan_localdb_utils.c:186): Failed to add user:iseuser1 (uid:508) to /opt/pancfg/mgmt/global/db/admusers.db

2014-07-03 05:50:42.747 +0400 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: runtime.in\iseuser1 authresult auth'ed

2014-07-03 05:50:42.748 +0400 Request received to unlock shared/Ldap_admin/runtime.in\iseuser1

2014-07-03 05:50:42.748 +0400 User 'runtime.in\iseuser1' authenticated.   From: 80.227.87.218.

2014-07-03 05:50:42.748 +0400 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False

2014-07-03 05:50:42.749 +0400 debug: pan_authd_service_req(pan_authd.c:3322): Authd:get group request

2014-07-03 05:50:42.750 +0400 debug: pan_authd_handle_group_req(pan_authd.c:3210): Got user role/adomain / for user iseuser1

Regards

Aamir Khan

Hi Aamir,

You can use the same authentication profile for all the users. Can you explain in more detail why you cannot create a common template name ?

-Chetan

Hi Chetan,

Since the firewall does not support ldap authentication for non-local users. So even if showing successfully authenticated in the logs, It tries to look in to the administrator tab if there is any username of the same name which it authenticated.

  • If we use custom name, it won't find the username and will show the error "invalid username or password". So that is why we need to create individual administrator profile corresponding to the name we authenticated or else use radius.

radius.PNG

Regards

Aamir Khan

  • 1 accepted solution
  • 5955 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!