Authentication seems to be the most difficult task....

L7 Applicator

Username modifier...

L4 Transporter

Used a different BIND account.

L7 Applicator

So what do you get now when you cli test authentication blah blah...?

L3 Networker

The information coming back from the group mapping does not match the information you have configured in your authentication profile. 

 

Your group members are being represented as domain\name, whereas your auth profile is domain.lan\name.

 

Updating the User Domain to domain in your authentication profile may fix you up.
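
The mismatch described in the reply above can be checked offline against saved CLI output. This is an added example, not part of the original thread and not Palo Alto Networks code; the functions `parse_members`, `candidate_name` and `diagnose` are hypothetical, the sample output is constructed from the format shown in this thread, and the case-insensitive `domain\user` comparison is an assumption about how the allow list is matched.

```python
import re

# Constructed sample, shaped like the `show user group name ...` output in this thread.
SAMPLE_GROUP_OUTPUT = r"""
short name: domain\paloaltoadmins

source type: ldap
source: Domain_Users_and_Groups

[1 ] domain\steven.williams.da
"""

# Member lines look like "[1 ] domain\user" or "[5510 ] domain\user".
MEMBER_RE = re.compile(r"^\[\s*\d+\s*\]\s+(\S+)\s*$")

def parse_members(cli_output):
    """Return the member names from the numbered lines, lowercased."""
    members = []
    for line in cli_output.splitlines():
        m = MEMBER_RE.match(line.strip())
        if m:
            members.append(m.group(1).lower())
    return members

def candidate_name(user_domain, user_input):
    """Assumed comparison form: <User Domain>\\<input>, or the bare input if no domain."""
    user_input = user_input.split("\\")[-1]  # drop any domain the user typed
    name = f"{user_domain}\\{user_input}" if user_domain else user_input
    return name.lower()

def diagnose(cli_output, user_domain, user_input):
    """Say whether the profile's name form matches a member; if not, suggest a domain."""
    members = parse_members(cli_output)
    wanted = candidate_name(user_domain, user_input)
    if wanted in members:
        return {"match": True, "candidate": wanted, "suggested_domain": None}
    short = user_input.split("\\")[-1].lower()
    # Same user under a different prefix: that prefix is what the group mapping uses.
    hits = [m for m in members if m.rpartition("\\")[2] == short]
    suggestion = hits[0].rpartition("\\")[0] if hits else None
    return {"match": False, "candidate": wanted, "suggested_domain": suggestion}

if __name__ == "__main__":
    for domain in ("domain.lan", "domain"):
        print(domain, diagnose(SAMPLE_GROUP_OUTPUT, domain, "steven.williams.da"))
```
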

 

 

L4 Transporter

Are you referring to the "username modifier" in the authentication profile?

L4 Transporter

Still this:

 

Allow list check error:
Target vsys is not specified, user "steven.williams.da" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
User steven.williams.da is not allowed with authentication profile Palo_Alto_Admins

!

!

admin@PA500-01>
admin@PA500-01>
admin@PA500-01> show user group name cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan

short name: domain\paloaltoadmins

source type: ldap
source: Domain_Users_and_Groups

[1 ] domain\steven.williams.da

admin@PA500-01> show user group list

cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan
cn=domain users,cn=users,dc=domain,dc=lan

Total: 2
* : Custom Group

admin@PA500-01>

 

 

There has to be a deeper level debug or something to see what's wrong, no?

 

L7 Applicator

OK, sorry, I've lost the thread here slightly...

 

In my authentication profile I have the following settings:

User Domain (our domain name)

Username Modifier (%USERINPUT%)

Is this similar to yours?

L7 Applicator

In your previous post, as below:

 

admin@PA500-01> show user group name "cn=domain users,cn=users,dc=domain,dc=lan" | match steven.williams
[5510 ] domain\steven.williams
[5515 ] domain\steven.williams.da
admin@PA500-01>

 

 

Whatever it is in place of "domain", stick that in the User Domain box.

L4 Transporter

Yes, I have done those combos and still didn't work.

L7 Applicator

In the auth profile Advanced tab, select Add and start typing your name.

It should auto-populate.

Save this and then test CLI authentication.
