01-28-2020 08:13 AM
Hello.
I have a Captive Portal that uses the following Authentication Profile:
Where:
Authentication Sequence:
Authentication Profile:
LDAP Server Profile:
Based on our monitoring logs, we noticed that all our authentications are using LDAP Server 10.10.1.101.
A few days ago we detected that server 10.10.1.101 had an issue and we decided to power off the machine.
After that, we were still seeing PA trying to reach this server and not trying to use the second LDAP server (10.10.1.102).
Kr.
01-28-2020 09:14 AM
Create 4 separate LDAP Server Profiles.
Assign them to 4 separate Authentication Profiles.
List all 4 in the Authentication Sequence.
The LDAP Server Profiles don't fail-through to the next one. It tries the first one, and only if it gets a specific response from it will it try the second one.
The Authentication Sequence is where you list all the servers you want it to try, and the order to try them in. The first one to respond with "allowed" ends the sequence. If none of them return an "allowed" response, then the authentication fails.
01-29-2020 08:22 AM
Many thanks for your response.
I don't understand... based on this document:
"Configure at least two LDAP servers to provide redundancy"
What kind of redundancy are they referring to in the previous document?
What is the condition that triggers the event of using the secondary LDAP?
Is a timeout event not enough to trigger that?
Kr.
01-29-2020 08:28 AM
The way it was explained to us in the 8.1 training course was along the lines of "the first server in the list to respond after boot is the only one it will use" or something along those lines. The instructor actually questioned why they allow multiple servers to be listed in a single Server Profile when it doesn't actually work the way you expect, but was never able to get a straight answer about it.
If you actually want it to failover to another LDAP server, then you need to use a single server per LDAP Server Profile, and list all of those in an Authentication Sequence.
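The layout recommended in the two replies above (one server per LDAP Server Profile, each wrapped in its own Authentication Profile, all of them listed in one Authentication Sequence), written out as PAN-OS CLI set commands. This is an added example, not configuration posted in the thread or by Palo Alto Networks. Only the two server addresses come from the original post; the object names, base DN, bind DN and domain are placeholders, and the CLI keywords are given as recalled from PAN-OS 8.1/9.x, so confirm each with "?" completion on your own firewall before committing.

```text
# Added example: PAN-OS CLI equivalent of "one server per profile, profiles in a sequence".
# Placeholders: LDAP-DC1/LDAP-DC2, AUTH-DC1/AUTH-DC2, SEQ-LDAP-FAILOVER, example.local, svc-pan.
configure

# LDAP Server Profile #1: a single server, LDAPS with server-certificate verification
# (assumption: your DCs present a certificate chained to a CA the firewall trusts).
set shared server-profile ldap LDAP-DC1 ldap-type active-directory
set shared server-profile ldap LDAP-DC1 server dc1 address 10.10.1.101
set shared server-profile ldap LDAP-DC1 server dc1 port 636
set shared server-profile ldap LDAP-DC1 ssl yes
set shared server-profile ldap LDAP-DC1 verify-server-certificate yes
set shared server-profile ldap LDAP-DC1 base "DC=example,DC=local"
set shared server-profile ldap LDAP-DC1 bind-dn "CN=svc-pan,OU=Service,DC=example,DC=local"
set shared server-profile ldap LDAP-DC1 bind-password <redacted>
set shared server-profile ldap LDAP-DC1 bind-timelimit 5
set shared server-profile ldap LDAP-DC1 timelimit 5
set shared server-profile ldap LDAP-DC1 retry-interval 60

# LDAP Server Profile #2: identical settings, second server only.
set shared server-profile ldap LDAP-DC2 ldap-type active-directory
set shared server-profile ldap LDAP-DC2 server dc2 address 10.10.1.102
set shared server-profile ldap LDAP-DC2 server dc2 port 636
set shared server-profile ldap LDAP-DC2 ssl yes
set shared server-profile ldap LDAP-DC2 verify-server-certificate yes
set shared server-profile ldap LDAP-DC2 base "DC=example,DC=local"
set shared server-profile ldap LDAP-DC2 bind-dn "CN=svc-pan,OU=Service,DC=example,DC=local"
set shared server-profile ldap LDAP-DC2 bind-password <redacted>
set shared server-profile ldap LDAP-DC2 bind-timelimit 5
set shared server-profile ldap LDAP-DC2 timelimit 5
set shared server-profile ldap LDAP-DC2 retry-interval 60

# One Authentication Profile per server profile.
set shared authentication-profile AUTH-DC1 method ldap server-profile LDAP-DC1
set shared authentication-profile AUTH-DC1 method ldap login-attribute sAMAccountName
set shared authentication-profile AUTH-DC1 user-domain example
set shared authentication-profile AUTH-DC1 allow-list all
set shared authentication-profile AUTH-DC2 method ldap server-profile LDAP-DC2
set shared authentication-profile AUTH-DC2 method ldap login-attribute sAMAccountName
set shared authentication-profile AUTH-DC2 user-domain example
set shared authentication-profile AUTH-DC2 allow-list all

# The Authentication Sequence tries the profiles in this order; the first "allowed"
# result ends the sequence. Reference SEQ-LDAP-FAILOVER from the Captive Portal
# settings instead of a single Authentication Profile.
set shared authentication-sequence SEQ-LDAP-FAILOVER authentication-profiles [ AUTH-DC1 AUTH-DC2 ]

commit
exit

# Operational-mode checks: exercise the second profile on its own, then the whole
# sequence, while 10.10.1.101 is powered off, and watch the System log for which
# server answered.
test authentication authentication-profile AUTH-DC2 username jdoe password
test authentication authentication-sequence SEQ-LDAP-FAILOVER username jdoe password
```

Keep bind-timelimit and timelimit short: while the first server is down, every login through the sequence waits for that profile to give up before the next profile is tried, so those values bound the delay a user sees. The bind account only needs read access to the user objects it has to look up; do not reuse a privileged domain account here.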
02-12-2020 10:26 AM
Actually, you are wrong.
I recommend you to check this:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXnCAK
Thanks anyway.