Authentication seems to be the most difficult task....

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Authentication seems to be the most difficult task....

L4 Transporter

No matter how many articles I read or follow I can never get the authentication to work for LDAP. I create the LDAP server profile, create the Auth Profile, then the Auth Seq, add the user account to admins and assign the profile to that user and it never works. I also get this error when "testing":

 

admin@PA500-01> test authentication authentication-profile Palo_Alto_Admins username Steven.Williams.da password
Enter password :

 

Allow list check error:
Target vsys is not specified, user "Steven.Williams.da" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
User Steven.Williams.da is not allowed with authentication profile Palo_Alto_Admins

admin@PA500-01>

!

!

!

dmin@TN-19023-PA500-01> show user group-mapping state all


Group Mapping(vsys1, type: active-directory): Network_Administrators
Bind DN : ldap.read@domain.lan
Base : DC=domain,DC=lan
Group Filter: (None)
User Filter: (None)
Servers : configured 4 servers
10.100.6.205(636)
Last Action Time: 19 secs ago(took 0 secs)
Next Action Time: In 41 secs
10.100.6.210(636)
10.100.21.210(636)
10.110.6.210(636)
Number of Groups: 1
cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan

admin@PA500-01>

!

!

!

AD group.PNGAuth_Profile.PNGseq.PNG

 

 

51 REPLIES 51

according to cli output the auth is working for ldap.

 

so have we solved the first part of the problem, recognising users and groups for auth profiles.

 

if so then the username must match exactly on local database as these are case sensitive.

In what world are usernames case sensitive!!!  Well it works now! Man, 2 weeks of my life gone! Totally going to have to document this overly complicated process...

 

Thanks for the time and patience! 

the world of rebadged junipers, such a world that you cannot have spaces in names either.

 

i think you got stuck in a bit of a loop. just remember to use the netbios name of your domain and not a.b.c.com

 

glad you got it sorted.

 

laters...

Whoa, wait...so any security groups in AD that have spaces are going to give me issues??

no, only if you need to match them to local palo accounts.

 

local palo accounts cannot have spaces.

 

i assume you only need this local account for web gui because for this you need to match a local account.

 

local accounts are not required for policies etc or globalprotect authentication etc...

 

if done then best mark this as resolved.

Ok now I that I figured out local auth for wed GUI, I can't get it to work the same for Panorama. So what steps are different with that platform? I can only choose the "All" for the auth profile>advanced tab. I am using same LDAP server profile. 

Ok i have not used this but for panorama its slightly different as it has no group mappings.

 

under panorama:device groups. You need to make one of the devices the master. And select “store users and groups”

 

this should cause pan to collect group info from master.

 

i dont actually use this so keep me informed.

  • 15051 Views
  • 51 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!