This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Administrator Authentication with ldap

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Administrator Authentication with ldap

Go to solution
Westcon2
L3 Networker

‎07-02-2014 05:55 PM

Trying to create role based user account for monitoring the firewall. I tried to use ldap authentication. However it seems there is some issue with using ldap

pix1.PNG

I am facing this error after trying to authentication with correct credentials and below are the logs

pix2.PNG

Although it shows authenticated, but still the invalid username and / or password on the GUI

Is it that it can't be done using ldap?

Regards

Aamir Khan

Labels:
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
Westcon2
L3 Networker
In response to bat

‎07-02-2014 10:37 PM

Hi Chetan,

Since the firewall does not support ldap authentication for non-local users. So even if showing successfully authenticated in the logs, It tries to look in to the administrator tab if there is any username of the same name which it authenticated.

  • If we use custom name, it won't find the username and will show the error "invalid username or password". So that is why we need to create individual administrator profile corresponding to the name we authenticated or else use radius.

radius.PNG

Regards

Aamir Khan

View solution in original post

0 Likes Likes
15 REPLIES 15

Go to solution
HULK
L7 Applicator

‎07-02-2014 06:05 PM

Hello Aamir,

Could you please let us know the PAN OS version running on this PAN firewall and is the  username contains non-alphanumeric characters such as "/"...?

Thanks

0 Likes Likes

Go to solution
hshah
L6 Presenter

‎07-02-2014 06:10 PM

You may want to refer following document for more detail.

Defining Granular Admin Role Profiles

0 Likes Likes

Go to solution
Westcon2
L3 Networker
In response to HULK

‎07-02-2014 06:14 PM

I am using 6.0.3, however i test it on 6.0.1 with same result.The password is alpha numeric

0 Likes Likes

Go to solution
hshah
L6 Presenter

‎07-02-2014 06:16 PM

Lets say you want to create Role based authentication for user Robert, than make sure Devcie > Administrator > & Name is Robert, if its different it will not work.

Good news is it works with LDAP.

0 Likes Likes

Go to solution
hshah
L6 Presenter
In response to hshah

‎07-02-2014 06:18 PM

Role_Based2.png

0 Likes Likes

Go to solution
Westcon2
L3 Networker
In response to hshah

‎07-02-2014 06:22 PM

The Problem is I am not using predefined roles. I am having custom roles.

0 Likes Likes

Go to solution
Westcon2
L3 Networker
In response to Westcon2

‎07-02-2014 06:26 PM

pix3.PNGpix4.PNGpix5.PNG

0 Likes Likes

Go to solution
hshah
L6 Presenter
In response to Westcon2

‎07-02-2014 06:26 PM

Hi Westcon,

For Custom Role and Standard Role, configuration is same. So I think that is not the problem.

Do you have runtime.in/iseadmin or iseadmin in Administrator filed? I think this is the issue.

Regards,

Hardik Shah

0 Likes Likes

Go to solution
hshah
L6 Presenter
In response to Westcon2

‎07-02-2014 06:27 PM

Instead iseadmin can you try "runtime.in/iseadmin " ?

0 Likes Likes

Go to solution
Westcon2
L3 Networker
In response to hshah

‎07-02-2014 06:30 PM

iseadmin is a user in ldap. However I want to give this user access to the firewall for monitoring only.

0 Likes Likes

Go to solution
bat
L5 Sessionator

‎07-02-2014 06:41 PM

Hello Westcon,

For non local admins LDAP is not supported and only Radius is supported for remote login users. I tested this in lab and found similar results:

Capture.PNG

You can also see that in the window (Device > Setup > Authentication settings) while mentioning the authentication profile there is a statement that "Only Radius is supported"

Thanks

Chetan

0 Likes Likes

Go to solution
Westcon2
L3 Networker
In response to bat

‎07-02-2014 06:46 PM

Harsha,

It did the trick having the username in the administrator profile. But the problem is if I have 3 users then I have to create 3 administrator profile each with the username.

I can't create a common template name

2014-07-03 05:50:42.747 +0400 Running cmd: insert into admusers values (?, ?)

2014-07-03 05:50:42.747 +0400 Error:  pan_authd_update_admin_user_in_db(pan_localdb_utils.c:186): Failed to add user:iseuser1 (uid:508) to /opt/pancfg/mgmt/global/db/admusers.db

2014-07-03 05:50:42.747 +0400 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: runtime.in\iseuser1 authresult auth'ed

2014-07-03 05:50:42.748 +0400 Request received to unlock shared/Ldap_admin/runtime.in\iseuser1

2014-07-03 05:50:42.748 +0400 User 'runtime.in\iseuser1' authenticated.   From: 80.227.87.218.

2014-07-03 05:50:42.748 +0400 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False

2014-07-03 05:50:42.749 +0400 debug: pan_authd_service_req(pan_authd.c:3322): Authd:get group request

2014-07-03 05:50:42.750 +0400 debug: pan_authd_handle_group_req(pan_authd.c:3210): Got user role/adomain / for user iseuser1

Regards

Aamir Khan

0 Likes Likes

Go to solution
bat
L5 Sessionator
In response to Westcon2

‎07-02-2014 07:30 PM

Hi Aamir,

You can use the same authentication profile for all the users. Can you explain in more detail why you cannot create a common template name ?

-Chetan

0 Likes Likes

Go to solution
Westcon2
L3 Networker
In response to bat

‎07-02-2014 10:37 PM

Hi Chetan,

Since the firewall does not support ldap authentication for non-local users. So even if showing successfully authenticated in the logs, It tries to look in to the administrator tab if there is any username of the same name which it authenticated.

  • If we use custom name, it won't find the username and will show the error "invalid username or password". So that is why we need to create individual administrator profile corresponding to the name we authenticated or else use radius.

radius.PNG

Regards

Aamir Khan

0 Likes Likes
  • 1 accepted solution
  • 5110 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks