07-02-2014 05:55 PM
Trying to create a role-based user account for monitoring the firewall. I tried to use LDAP authentication. However, it seems there is some issue with using LDAP.
I am facing this error after trying to authenticate with correct credentials, and below are the logs.
Although it shows authenticated, it still gives "invalid username and/or password" on the GUI.
Is it that it can't be done using LDAP?
Regards
Aamir Khan
07-02-2014 10:37 PM
Hi Chetan,
Since the firewall does not support LDAP authentication for non-local users, even if it shows successfully authenticated in the logs, it tries to look in the Administrator tab for a username of the same name as the one it authenticated.
Regards
Aamir Khan
07-02-2014 06:05 PM
Hello Aamir,
Could you please let us know the PAN-OS version running on this PAN firewall, and does the username contain non-alphanumeric characters such as "/"?
Thanks
07-02-2014 06:10 PM
You may want to refer to the following document for more detail.
07-02-2014 06:14 PM
I am using 6.0.3; however, I tested it on 6.0.1 with the same result. The password is alphanumeric.
07-02-2014 06:16 PM
Let's say you want to create role-based authentication for user Robert; then make sure Device > Administrator > Name is Robert. If it's different, it will not work.
Good news is it works with LDAP.
07-02-2014 06:22 PM
The Problem is I am not using predefined roles. I am having custom roles.
07-02-2014 06:26 PM
Hi Westcon,
For Custom Role and Standard Role, the configuration is the same. So I think that is not the problem.
Do you have runtime.in/iseadmin or iseadmin in the Administrator field? I think this is the issue.
Regards,
Hardik Shah
07-02-2014 06:27 PM
Instead of iseadmin, can you try "runtime.in/iseadmin"?
07-02-2014 06:30 PM
iseadmin is a user in LDAP. However, I want to give this user access to the firewall for monitoring only.
07-02-2014 06:41 PM
Hello Westcon,
For non-local admins, LDAP is not supported; only RADIUS is supported for remote login users. I tested this in the lab and found similar results:
You can also see in the window (Device > Setup > Authentication Settings), while selecting the authentication profile, that there is a statement "Only Radius is supported".
Thanks
Chetan
07-02-2014 06:46 PM
Harsha,
It did the trick having the username in the administrator profile. But the problem is, if I have 3 users then I have to create 3 administrator profiles, each with the username.
I can't create a common template name.
2014-07-03 05:50:42.747 +0400 Running cmd: insert into admusers values (?, ?)
2014-07-03 05:50:42.747 +0400 Error: pan_authd_update_admin_user_in_db(pan_localdb_utils.c:186): Failed to add user:iseuser1 (uid:508) to /opt/pancfg/mgmt/global/db/admusers.db
2014-07-03 05:50:42.747 +0400 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: runtime.in\iseuser1 authresult auth'ed
2014-07-03 05:50:42.748 +0400 Request received to unlock shared/Ldap_admin/runtime.in\iseuser1
2014-07-03 05:50:42.748 +0400 User 'runtime.in\iseuser1' authenticated. From: 80.227.87.218.
2014-07-03 05:50:42.748 +0400 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False
2014-07-03 05:50:42.749 +0400 debug: pan_authd_service_req(pan_authd.c:3322): Authd:get group request
2014-07-03 05:50:42.750 +0400 debug: pan_authd_handle_group_req(pan_authd.c:3210): Got user role/adomain / for user iseuser1
Regards
Aamir Khan
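The following is an added example, not code from the thread or from Palo Alto Networks: a small Python checker that reads authd log lines like the ones posted above and reports remote logins that will be rejected because no local administrator entry of the same name exists (the "authenticated in the logs, invalid credentials on the GUI" symptom discussed here). The exact log format, the meaning of the "Failed to add user" error, and the set of names under Device > Administrators are assumptions drawn from this thread; the sample lines are constructed.

```python
import re

# Constructed sample, modelled on the authd.log excerpt in the post above.
# Timestamps, user names and the 192.0.2.x source addresses are made up;
# the admusers.db path is the one shown in the original excerpt.
SAMPLE_LOG = """\
2014-07-03 05:50:42.747 +0400 Error: pan_authd_update_admin_user_in_db(pan_localdb_utils.c:186): Failed to add user:iseuser1 (uid:508) to /opt/pancfg/mgmt/global/db/admusers.db
2014-07-03 05:50:42.748 +0400 User 'runtime.in\\iseuser1' authenticated. From: 192.0.2.10.
2014-07-03 05:51:10.100 +0400 User 'runtime.in\\robert' authenticated. From: 192.0.2.11.
2014-07-03 05:52:03.004 +0400 User 'admin' authenticated. From: 192.0.2.12.
"""

# "User 'DOMAIN\user' authenticated. From: a.b.c.d." (domain part optional)
AUTH_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) User '(?P<domain>[^\\']*\\)?(?P<user>[^']+)' "
    r"authenticated\. From: (?P<src>[\d.]+)\.")
# The local-DB insert error that authd logs just before such a login fails
FAIL_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) Error: .*Failed to add user:(?P<user>\S+) \(uid:\d+\)")


def analyse_authd(log_text, local_admins):
    """One finding per remote login.  local_admins is the set of names under
    Device > Administrators.  Status is 'no_local_admin' (GUI will show invalid
    username/password) when the name has no local entry or authd logged a
    'Failed to add user' error for it, otherwise 'ok'."""
    db_failures = set()
    logins = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            db_failures.add(m.group("user"))
            continue
        m = AUTH_RE.match(line)
        if m:
            logins.append(m.groupdict())
    findings = []
    for entry in logins:
        user = entry["user"]
        rejected = user not in local_admins or user in db_failures
        findings.append({
            "time": entry["ts"],
            "domain": (entry["domain"] or "").rstrip("\\"),
            "user": user,
            "source": entry["src"],
            "status": "no_local_admin" if rejected else "ok",
        })
    return findings
```

Run it over an exported authd.log with the administrator names you actually configured; every "no_local_admin" line is a user who authenticated against LDAP but has no matching local administrator record, which is the case the thread's accepted answer describes.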
07-02-2014 07:30 PM
Hi Aamir,
You can use the same authentication profile for all the users. Can you explain in more detail why you cannot create a common template name?
-Chetan