Cannot log into firewall if authentication profile specifies an AD group instead of AD username


Cannot log into firewall if authentication profile specifies an AD group instead of AD username

L0 Member

So last Thursday we upgraded our PA-5220s from 9.1.10 to 10.1.5-h1 and everything went incredibly well - absolutely no issues during the upgrade. About 15 hours after the upgrade was complete, we suddenly could not log onto the firewalls with our LDAP credentials. 


Typically we have an AD group specified in the Authentication profile we use for management access. If we keep that configuration, we cannot log into the firewalls. However, if we add individual AD users to the authentication profile, those users can log in with their LDAP credentials. I know the LDAP server profile is working because it is the same one used to allow GlobalProtect users to authenticate, and that is working absolutely fine, and also uses AD groups.


I checked User-ID group mappings and we have our domain's entire tree selected, so I know the group is available for mappings.


Here are some sanitized screenshots of the config: https://imgur.com/a/6tuXgHu


I have a case open with TAC but our engineer is in a vastly different timezone and hasn't been able to find time on their shift to assist. 

1 REPLY

Community Team Member

Hi @WinCo,


Any information that can help you further in the authd logs or in the LDAP logs?

I know some default authentication behaviour changed from 9.1 to 10.x about the strict-username-check which might be worth checking:

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/upgrade-pan-os/upgradedowngrade-co...


Cheers,

-Kiwi.

LIVEcommunity team member, CISSP
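For anyone landing here with the same symptom, the checks below are a worked example added to this thread; they are not from the original poster, the reply above, or Palo Alto Networks documentation. They use standard PAN-OS operational-mode CLI commands to narrow the problem down to one of the three things that can break a group-based allow list after an upgrade: the group not being mapped, the username format the user types not matching what group mapping holds, or the LDAP bind itself. The profile name `<mgmt-auth-profile>`, the user `jdoe`, the domain `EXAMPLE` and the group DN are placeholders; substitute your own values.

```text
# Run from the firewall CLI in operational mode. Nothing here changes committed config.

# 1. Confirm group mapping has actually pulled the group and lists its members.
#    Note the exact format of the member names shown here (short name, domain\user
#    or UPN); the allow-list check compares against this, not against what LDAP
#    accepted for the bind.
show user group-mapping state all
show user group list
show user group name "cn=fw-admins,ou=groups,dc=example,dc=com"

# 2. Exercise the management authentication profile the same way a GUI or SSH
#    login would, using each username form an admin might type. The command
#    prompts for the password, so nothing is left in the command history.
test authentication authentication-profile <mgmt-auth-profile> username jdoe password
test authentication authentication-profile <mgmt-auth-profile> username "EXAMPLE\jdoe" password
test authentication authentication-profile <mgmt-auth-profile> username jdoe@example.com password

# 3. Watch authd while repeating the login attempt, then drop the verbosity back.
debug authentication on debug
tail follow yes mp-log authd.log
debug authentication on info
```

Reading the results: if step 1 does not list the group, or lists it with no members, the problem is group mapping and not the authentication profile. If step 2 shows the LDAP bind succeeding but the allow-list check failing for the bare username while succeeding for a domain-qualified form (or the other way round), the username format is what changed between 9.1 and 10.x, which is the strict-username-check behaviour Kiwi points to, and the allow list or the login format needs to be aligned accordingly. Only if the bind itself fails is the LDAP server profile suspect, which in the original post it is not, since GlobalProtect uses the same profile successfully.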