Captive Portal LDAP Authentication redundancy

L1 Bithead

Captive Portal LDAP Authentication redundancy

Hello.

I have a Captive Portal that uses the following Authentication Profile:

  • CP_Auth

Where:

Authentication Sequence:

  • CP_Auth - Auth_Mode_1, Auth_Mode_2

Authentication Profile:

  • Auth_Mode_1 - LDAP_1
  • Auth_Mode_2 - LDAP_2

LDAP Server Profile:

  • LDAP_1: 10.10.1.101, 10.10.1.102
  • LDAP_2: 10.10.2.103, 10.10.2.104


Based on our monitoring logs, we noticed that all our authentications are using LDAP server 10.10.1.101.

A few days ago we detected that server 10.10.1.101 had an issue and we decided to power off the machine.

After that, we were still seeing the PA trying to reach this server and not trying to use the second LDAP server (10.10.1.102).

  1. Why was this happening? Shouldn't the firewall have changed to 10.10.1.102 as soon as it detects connection timeouts?
  2. Is there any way to configure redundancy in case of an issue?


Kr.


Accepted Solutions
L1 Bithead

Actually, you are wrong.

I recommend you check this:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXnCAK

Thanks anyway.


All Replies
L4 Transporter

Create 4 separate LDAP Server Profiles.

Assign them to 4 separate Authentication Profiles.

List all 4 in the Authentication Sequence.


The LDAP Server Profiles don't fail-through to the next one. It tries the first one, and only if it gets a specific response from it will it try the second one.

The Authentication Sequence is where you list all the servers you want it to try, and the order to try them in.  The first one to respond with "allowed" ends the sequence.  If none of them return an "allowed" response, then the authentication fails.

L1 Bithead

Many thanks for your response.


I don't understand... based on this document:

"Configure at least two LDAP servers to provide redundancy"

What kind of redundancy are they referring to in the previous document?

What is the condition that triggers the use of the secondary LDAP?

Is a timeout event not enough to trigger that?

Kr.

L4 Transporter

The way it was explained to us in the 8.1 training course was along the lines of "the first server in the list to respond after boot is the only one it will use" or something along those lines.  The instructor actually questioned why they allow multiple servers to be listed in a single Server Profile when it doesn't actually work the way you expect, but was never able to get a straight answer about it.


If you actually want it to failover to another LDAP server, then you need to use a single server per LDAP Server Profile, and list all of those in an Authentication Sequence.

