07-13-2010 08:55 AM
Is it possible to authenticate users using their AD credentials when they log into Panorama? Short of giving administrators their own login into Panorama, I'm unable to track who has changed what.
I've read through the LDAP guide, but it focuses on the actual security devices and not Panorama.
Has anyone done this or know if it is possible?
Thanks
07-13-2010 11:28 AM
Yes, but you'll need a RADIUS server. You'll add the Panorama to the RADIUS clients using the RADIUS standard client-vendor attributes. Then create a strong password for the shared secret. Write that down, and we'll come back to that next.
Then you'll need to add the RADIUS policies. For a Windows RADIUS server, we use the "Client Friendly Name Matches" and use the name of the RADIUS client you just added, and "Windows-Groups matches" for the group of users you want to authenticate.
Then click on the "Edit Profile" button. Under the authentication tab, check everything but "Encrypted authentication (CHAP)" and "Allow clients to connect without negotiating an authentication method."
Then stop and start the RADIUS server.
Then create a RADIUS profile in Panorama. Add the IP address of the RADIUS server and enter the shared secret you assigned for that server. Then you should be able to add the administrative user's short name and select the checkbox for RADIUS authentication. Commit the change and try it out.
I think that's everything we had to do to make it work.
07-14-2010 12:23 AM
Thanks, I'll see if we can get the Windows IAS installed.
Pity it can't just use LDAP!
07-14-2010 06:00 AM
If it can, I haven't bothered. We set it up before PAN OS 3.1.
07-23-2010 10:42 AM
You should be able to use LDAP directly for checking the account credentials, but you would still need to set up the admin accounts within Panorama, as it will only use the LDAP connection for checking the password. If you want to avoid setting up the accounts explicitly, you can use RADIUS VSAs to have Panorama (or the device) leverage directory information to determine which accounts should have access to the system (and what level of access).
Mike
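The two posts above describe the RADIUS side without showing what actually crosses the wire: the 07-13-2010 post leaves PAP enabled and turns off CHAP, so Panorama sends the admin's password in a PAP Access-Request protected only by the shared secret, and Mike's reply points at a Vendor-Specific attribute in the Access-Accept as the way to hand back the admin role. The script below is an added example, not code from this thread or from Palo Alto Networks: it implements the RFC 2865 PAP exchange in-process, with a constructed user table standing in for the directory, and both the client-side check of the Response Authenticator and a wrong-secret run so you can see what a mistyped shared secret looks like. The vendor ID (25461) and the Panorama-admin-role vendor-type (3) are assumptions to verify against the dictionary file your RADIUS server ships with.

```python
"""Minimal RFC 2865 RADIUS PAP exchange, both sides in-process (added example).

Constructed user table, secrets and role values. The Palo Alto vendor ID and
the vendor-type used for the Panorama admin role are assumptions; check them
against your RADIUS server's dictionary before relying on them.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26
PALOALTO_VENDOR_ID = 25461           # assumed; verify in your dictionary file
PALOALTO_PANORAMA_ADMIN_ROLE = 3     # assumed vendor-type for the role VSA


def _attr(atype, value):
    """Type(1) Length(1) Value; Length covers the two header bytes."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _pap_xor(data, secret, request_auth, decrypt):
    """RFC 2865 s5.2: b1 = MD5(S+RA), b_i = MD5(S+c_{i-1}); c_i = p_i XOR b_i."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result   # chaining always uses the ciphertext
    return out


def encode_pap_password(password, secret, request_auth):
    size = max(16, -(-len(password) // 16) * 16)      # pad with NULs to 16n, min 16
    return _pap_xor(password.ljust(size, b"\x00"), secret, request_auth, False)


def decode_pap_password(cipher, secret, request_auth):
    return _pap_xor(cipher, secret, request_auth, True).rstrip(b"\x00")


def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def parse_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_access_request(username, password, secret, ident=1):
    """What the NAS (Panorama) sends: random Request Authenticator + PAP password."""
    request_auth = os.urandom(16)
    attrs = _attr(USER_NAME, username) + _attr(
        USER_PASSWORD, encode_pap_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(request, secret, users):
    """Constructed RADIUS server: users maps username -> (password, panorama_role)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        raise ValueError("unexpected packet")
    password = decode_pap_password(attrs[USER_PASSWORD], secret, request_auth)
    entry = users.get(attrs[USER_NAME])
    if entry and hmac.compare_digest(password, entry[0]):
        # Vendor-Specific value: Vendor-Id(4) then vendor-type(1) vendor-length(1) data
        sub = struct.pack("!BB", PALOALTO_PANORAMA_ADMIN_ROLE, 2 + len(entry[1])) + entry[1]
        body = _attr(VENDOR_SPECIFIC, struct.pack("!I", PALOALTO_VENDOR_ID) + sub)
        code = ACCESS_ACCEPT
    else:
        body, code = b"", ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + response_authenticator(code, ident, request_auth, body, secret) + body


def client_verify(request, response, secret):
    """Return (code, [(vendor_id, vendor_type, value)]) only if the reply proves the secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        raise ValueError("identifier or length mismatch")
    body = response[20:length]
    expected = response_authenticator(code, ident, request[4:20], body, secret)
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or tampered reply")
    vsas = []
    for atype, value in parse_attrs(body):
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            vsas.append((vendor_id, vtype, value[6:4 + vlen]))
    return code, vsas


def run_exchange(username, password, client_secret, server_secret, users):
    """One request/response through both sides; secrets may differ to show a mistyped secret."""
    request = build_access_request(username, password, client_secret)
    response = server_handle(request, server_secret, users)
    return client_verify(request, response, client_secret)


if __name__ == "__main__":
    USERS = {b"jdoe": (b"S3cret!pw", b"superuser")}   # constructed directory
    print(run_exchange(b"jdoe", b"S3cret!pw", b"radsecret", b"radsecret", USERS))
    print(run_exchange(b"jdoe", b"wrong", b"radsecret", b"radsecret", USERS))
    try:
        run_exchange(b"jdoe", b"S3cret!pw", b"radsecret", b"typo", USERS)
    except ValueError as err:
        print("secret mismatch:", err)
```

Two things worth noticing when you run it. First, a mismatched secret never shows up as a clean error on either end: the server just sees a wrong password and sends Access-Reject, and the client rejects that reply because the Response Authenticator does not verify, so Panorama reports invalid username/password either way. Second, the PAP "encryption" is only an XOR against MD5(secret + authenticator); anyone who captures a request on the management network can brute-force a weak secret offline and recover every admin password that has passed through it, which is why the post's advice to create a strong secret (and to keep RADIUS traffic on the management network) matters.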
04-25-2011 12:15 PM
Mike, I can't get this to work. I set up AD admin auth just like it is set up on my firewalls. I get invalid username/password.
04-25-2011 12:21 PM
Never mind, I got it. The DN of the ID used to query AD had a syntax error.