Cannot log into firewall if authentication profile specifies an AD group instead of AD username

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Cannot log into firewall if authentication profile specifies an AD group instead of AD username

L0 Member

So last Thursday we upgraded our PA-5220s from 9.1.10 to 10.1.5-h1 and everything went incredibly well - absolutely no issues during the upgrade. About 15 hours after the upgrade was complete, we suddenly could not log onto the firewalls with our LDAP credentials. 

 

Typically we have an AD group specified in the Authentication profile we use for management access. If we keep that configuration, we cannot log into the firewalls. However, if we add individual AD users to the authentication profile, those users can log in with their LDAP credentials. I know the LDAP server profile is working because it is the same one used to allow Globalprotect users to authenticate, and that is working absolutely fine, and also uses AD groups. 

 

I checked User-ID group mappings and we have our domains entire tree selected, so I know the group is available for mappings. 

 

Here are some sanitized screenshots of the config: https://imgur.com/a/6tuXgHu

 

I have a case open with TAC but our engineer is in a vastly different timezone and hasn't been able to find time on their shift to assist. 

1 REPLY 1

Community Team Member

Hi @WinCo ,

 

Any information that can help you further in the authd logs or in the LDAP logs ?

I know some default authentication behaviour changed from 9.1 to 10.x about the strict-username-check which might be worth checking:

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/upgrade-pan-os/upgradedowngrade-co...

 

Cheers,

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
  • 1726 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!