Authentication seems to be the most difficult task....

L4 Transporter

No matter how many articles I read or follow I can never get the authentication to work for LDAP. I create the LDAP server profile, create the Auth Profile, then the Auth Seq, add the user account to admins and assign the profile to that user and it never works. I also get this error when "testing":

admin@PA500-01> test authentication authentication-profile Palo_Alto_Admins username Steven.Williams.da password
Enter password :

Allow list check error:
Target vsys is not specified, user "Steven.Williams.da" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
User Steven.Williams.da is not allowed with authentication profile Palo_Alto_Admins

admin@PA500-01>

dmin@TN-19023-PA500-01> show user group-mapping state all


Group Mapping(vsys1, type: active-directory): Network_Administrators
Bind DN : ldap.read@domain.lan
Base : DC=domain,DC=lan
Group Filter: (None)
User Filter: (None)
Servers : configured 4 servers
10.100.6.205(636)
Last Action Time: 19 secs ago(took 0 secs)
Next Action Time: In 41 secs
10.100.6.210(636)
10.100.21.210(636)
10.110.6.210(636)
Number of Groups: 1
cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan

admin@PA500-01>

[Attached screenshots: AD group, Auth_Profile, seq]

Accepted Solutions
L7 Applicator

According to the CLI output the auth is working for LDAP.

So have we solved the first part of the problem, recognising users and groups for auth profiles?

If so, then the username must match exactly on the local database, as these are case-sensitive.

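As an added illustration of the accepted answer (not the thread's own code and not PAN-OS code), a small Python model of the allow-list check: the group DN is matched case-insensitively, as LDAP does, but the member short name is compared byte-for-byte, so "Steven.Williams.da" is rejected where "steven.williams.da" passes. The group DN, member short name and profile behaviour are reconstructed from the CLI output in the thread; the escape handling in the DN parser and the "case-only mismatch" diagnostic are additions.

```python
# Constructed model of the PAN-OS "allow list check" seen in the CLI output above.
# Assumptions (not PAN-OS code): members are kept as "domain\user" short names,
# as "show user group name" prints them, and compared case-sensitively, which
# is the accepted answer's point.

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) pairs, honouring '\\,' escapes.
    Attribute names are lowercased: LDAP treats CN= and cn= as the same."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped char: keep both bytes
            cur.append(dn[i:i + 2]); i += 2; continue
        if dn[i] == ",":
            rdns.append("".join(cur)); cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return [(a.strip().lower(), v.strip()) for a, _, v in (r.partition("=") for r in rdns)]

def dn_equal(a: str, b: str) -> bool:
    """AD DNs are case-insensitive, so the lowercase DN the poster typed
    matches the CN=/OU= form Active Directory returns."""
    return [(k, v.lower()) for k, v in parse_dn(a)] == [(k, v.lower()) for k, v in parse_dn(b)]

def allow_list_check(username: str, allow_list: list[str], domain: str,
                     groups: dict[str, list[str]]) -> tuple[bool, str]:
    """Return (allowed, reason). 'all' admits anyone; otherwise the user's short
    name must match a member byte-for-byte; a case-only miss is flagged separately."""
    short = f"{domain}\\{username}"
    if "all" in allow_list:
        return True, f'name "{short}" is in group "all"'
    for entry in allow_list:
        for gdn, members in groups.items():
            if not dn_equal(entry, gdn):
                continue
            if short in members:
                return True, f'name "{short}" is in group "{gdn}"'
            near = [m for m in members if m.lower() == short.lower()]
            if near:
                return False, f'"{short}" rejected: case-only mismatch with member "{near[0]}"'
    return False, f"User {username} is not allowed with this authentication profile"

# Sample data constructed from the thread's output (not a live export).
GROUPS = {"CN=paloaltoadmins,OU=groups,OU=domain,DC=domain,DC=lan": ["domain\\steven.williams.da"]}
ALLOW = ["cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan"]

if __name__ == "__main__":
    for name in ("Steven.Williams.da", "steven.williams.da"):
        print(name, "->", allow_list_check(name, ALLOW, "domain", GROUPS))
```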


All Replies
L7 Applicator

show user group name "cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan"

Can you see group members?

L3 Networker

Matching the syntax of your accounts and groups is crucial for LDAP requests. You can find the proper syntax for your user or group by using the "Distinguished Name" field in "Active Directory Users and Computers".

Open up "Active Directory Users and Computers" and right click on your root domain. Choose the "Find" option from the pop-up menu. From the drop-down menu "View" select "Choose Columns" and then add the column for "Distinguished Name".

Search for your account. In this example we have a user with the word Palo in the name. The search box will show you the syntax for an LDAP query (example: CN=xxxxxx, OU=yyyyyy, DC=com). This will have your specific information required for the Palo Alto.

[Attached screenshot: LDAP-Info.png]


L4 Transporter

That command returns nothing. So I assume it can't see it?

L7 Applicator

If the PA cannot see it then it will not allow you to even try to auth. It could be a number of things, but for basics I would try:

show user group list

This is just to make sure you have the correct group name in the first place.

Then try to remove admins from the auth profile, open it up to "any" and redo the "test authentication authentication-profile" again.

Also... to avoid the vsys error: set system setting target-vsys vsys1


Mick.

L7 Applicator

Sorry, the show user group list may not help... as the groups available were in your first post.

It may be that the bind account does not have enough permissions to see the users in the group, just the group lists.

L4 Transporter

The show user group list only shows the users/groups in the Group Mapping Settings, which from what I am reading is not needed when doing web GUI auth.

Also, that command you mention doesn't exist:


PA500-01> set system setting
> ctd ctd
> logging logging
> mp-memory-monitor Set monitoring of management memory
> packet packet
> packet-descriptor-monitor Set monitoring of packet descriptors
> pow pow
> shared-policy Shared policy management via Panorama
> ssl-decrypt ssl-decrypt
> template Template management via Panorama
> url-database URL database
> url-filtering-feature change URL filtering feature settings
> util util
> wildfire wildfire settings
> zip zip

L7 Applicator

Sorry... busy day...

Also ensure the bind account in the LDAP profile is at least a member of the Server Operators group in AD.

L4 Transporter

Well, if I set the authentication profile to "all users" it works just fine.


Enter password :

Target vsys is not specified, user "steven.williams.da" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
name "domain.lan\steven.williams.da" is in group "all"

Authentication to LDAP server at 10.100.21.210 for user "steven.williams.da"
Egress: 10.100.20.20
Type of authentication: GSSAPI
Starting LDAPS connection...
Succeeded to create a session with LDAP server
DN sent to LDAP server: CN=Steven Williams.da,OU=Users,OU=NoPoliciesApplied,OU=Users,OU=domain,DC=domain,DC=lan
User expires in days: never

Authentication succeeded for user "steven.williams.da"

admin@PA500-01>


So the bind account is working, it's just not working for a specific user group.


admin@PA500-01> show user group name cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan

short name: domain\paloaltoadmins

source type: ldap
source: Domain_Users_and_Groups

[1 ] domain\steven.williams.da

admin@PA500-01>

It sees the user but can never auth with it. And yes, I have created a user account in the local admins to match this.

L7 Applicator

Could you post the auth profile and advanced?
