03-26-2013 06:12 AM
Running a PA-500 on software version 5.0.2
I was wondering if anyone could point me in the right direction. I'm trying to get a captive portal working that uses LDAP groups to provide access through the policy.
The LDAP servers are configured OK, as I can browse the OUs and add the necessary CNs, and if I run `show user group name "cn=groupname,dc=domain,dc=local"` it works, meaning that the bind username and LDAP setup must be fine. The captive portal works fine if I use the local DB.
The LDAP auth profile is set up:
Name : name_with_no_spaces
Allow List : all
Authentication : LDAP
Server Profile : LDAPAccounts
Login Attribute : sAMAccountName
Password Expiry Warning : 7
I've had a look through and I've verified that the bind account is fine (I changed the password and could see the Group Mapping refresh failing, so reverted it back), the LDAP servers are reachable (otherwise I wouldn't be able to browse the OUs in the group mapping), and the user does exist, as it's my account which I use day to day.
As per "Captive Portal with LDAP", I tried recreating it all again from scratch and still no joy.
The authd.log shows (username, domain and IP changed to generic):
Mar 26 13:00:54 pan_authd_service_req(pan_authd.c:3310): Authd:Trying to remote authenticate user: user1
Mar 26 13:00:54 pan_authd_service_auth_req(pan_authd.c:1186): AUTH Request <'vsys1','DomainAuthProfile','user1'>
Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1646): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:core:auth:profile_0,username domain\user1
Mar 26 13:00:54 pan_authd_authenticate_service(pan_authd.c:665): authentication failed (6)
Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1669): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:core:auth:profile_0,username domain\user1 failed - trying other hosts
Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1646): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:core:auth:profile_1,username domain\user1
Mar 26 13:00:54 pan_authd_authenticate_service(pan_authd.c:665): authentication failed (6)
Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1669): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:core:auth:profile_1,username domain\user1 failed - trying other hosts
Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1641): Skipping LDAP server due to missing Auth-Profile: pan_ldap_vsys1_:core:auth:profile_2
Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1641): Skipping LDAP server due to missing Auth-Profile: pan_ldap_vsys1_:core:auth:profile_3
Mar 26 13:00:54 authentication failed for user <vsys1,DomainAuthProfile,domain\user1>
Mar 26 13:00:54 pan_authd_process_authresult(pan_authd.c:1366): pan_authd_process_authresult: domain\user1 authresult not auth'ed
Mar 26 13:00:54 pan_authd_process_authresult(pan_authd.c:1409): Alarm generation set to: False.
Mar 26 13:00:54 User 'domain\user1' failed authentication. Reason: Invalid username/password From: ::ffff:192.168.1.10.
Mar 26 13:00:54 pan_get_system_cmd_output(pan_cfg_utils.c:4275): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 26 13:00:54 pan_authd_generate_system_log(pan_authd.c:902): CC Enabled=False
Mar 26 13:00:54 pan_get_system_cmd_output(pan_cfg_utils.c:4275): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
If anyone has any ideas of what else I could try, please let me know.
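The authd.log excerpt above is worth parsing rather than reading by eye: it records the auth request, each LDAP server the firewall tried (one PAM service per server), the per-server result code, the servers it skipped, and the final verdict with the client's source address. The following parser is an added example written for this page, not Palo Alto Networks code and not from the thread; the sample log is constructed from the excerpt in the post, the field names and the `uniform_failure` heuristic are this example's own, and the regexes match only the line shapes visible above.

```python
"""Extract the structure of one PAN-OS captive-portal LDAP auth attempt from authd.log.

Added example for this page; not vendor code. Line shapes are taken from the
excerpt in the post above; anything not in that excerpt is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample modeled on the post's excerpt (user, domain and IP are placeholders).
# A raw string keeps the backslash in domain\user1 literal.
SAMPLE_AUTHD_LOG = r"""
Mar 26 13:00:54 pan_authd_service_req(pan_authd.c:3310): Authd:Trying to remote authenticate user: user1
Mar 26 13:00:54 pan_authd_service_auth_req(pan_authd.c:1186): AUTH Request <'vsys1','DomainAuthProfile','user1'>
Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1646): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:core:auth:profile_0,username domain\user1
Mar 26 13:00:54 pan_authd_authenticate_service(pan_authd.c:665): authentication failed (6)
Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1669): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:core:auth:profile_0,username domain\user1 failed - trying other hosts
Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1646): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:core:auth:profile_1,username domain\user1
Mar 26 13:00:54 pan_authd_authenticate_service(pan_authd.c:665): authentication failed (6)
Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1669): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:core:auth:profile_1,username domain\user1 failed - trying other hosts
Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1641): Skipping LDAP server due to missing Auth-Profile: pan_ldap_vsys1_:core:auth:profile_2
Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1641): Skipping LDAP server due to missing Auth-Profile: pan_ldap_vsys1_:core:auth:profile_3
Mar 26 13:00:54 authentication failed for user <vsys1,DomainAuthProfile,domain\user1>
Mar 26 13:00:54 User 'domain\user1' failed authentication. Reason: Invalid username/password From: ::ffff:192.168.1.10.
"""

RE_REQUEST = re.compile(r"AUTH Request <'(?P<vsys>[^']*)','(?P<profile>[^']*)','(?P<user>[^']*)'>")
# Only the "trying this server" line ends right after the username; the
# "... failed - trying other hosts" line has trailing text and must not match.
RE_TRY = re.compile(r"Authenticating user using service (?P<service>\S+),username (?P<user>\S+)$")
RE_RESULT = re.compile(r"authentication failed \((?P<code>\d+)\)")
RE_SKIP = re.compile(r"Skipping LDAP server due to missing Auth-Profile: (?P<service>\S+)")
RE_FINAL = re.compile(r"User '(?P<user>[^']+)' failed authentication\. Reason: (?P<reason>.+?) From: (?P<src>\S+?)\.?$")


@dataclass
class AuthTrace:
    vsys: Optional[str] = None
    profile: Optional[str] = None
    user: Optional[str] = None
    server_results: List[Tuple[str, str]] = field(default_factory=list)  # (PAM service, result code)
    skipped: List[str] = field(default_factory=list)
    reason: Optional[str] = None
    source_ip: Optional[str] = None

    @property
    def uniform_failure(self) -> bool:
        """True when more than one server was tried and all returned the same code.

        Heuristic (ours, not vendor guidance): identical failures on every
        server point at the shared profile (bind DN, base DN, SSL/port) rather
        than at one unreachable host.
        """
        codes = {code for _, code in self.server_results}
        return len(self.server_results) > 1 and len(codes) == 1


def strip_v4mapped(addr: str) -> str:
    """authd logs client addresses as IPv4-mapped IPv6 (::ffff:a.b.c.d); return plain IPv4."""
    return addr[7:] if addr.lower().startswith("::ffff:") else addr


def parse_authd(log_text: str) -> AuthTrace:
    trace = AuthTrace()
    pending: Optional[str] = None  # PAM service whose result line we are waiting for
    for line in log_text.splitlines():
        if m := RE_REQUEST.search(line):
            trace.vsys, trace.profile, trace.user = m["vsys"], m["profile"], m["user"]
        elif m := RE_TRY.search(line):
            pending = m["service"].rsplit("/", 1)[-1]  # drop the /etc/pam.d/ prefix
        elif (m := RE_RESULT.search(line)) and pending:
            trace.server_results.append((pending, m["code"]))
            pending = None
        elif m := RE_SKIP.search(line):
            trace.skipped.append(m["service"])
        elif m := RE_FINAL.search(line):
            trace.reason = m["reason"]
            trace.source_ip = strip_v4mapped(m["src"])
    return trace


def summarize(trace: AuthTrace) -> str:
    lines = [f"vsys={trace.vsys} auth-profile={trace.profile} user={trace.user} from={trace.source_ip}"]
    for service, code in trace.server_results:
        lines.append(f"  tried   {service}: failed ({code})")
    for service in trace.skipped:
        lines.append(f"  skipped {service}: no auth profile bound")
    lines.append(f"  verdict: {trace.reason}")
    if trace.uniform_failure:
        lines.append("  note: every server failed identically; check the shared LDAP server profile first")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_authd(SAMPLE_AUTHD_LOG)))
```

Run it against a real `tail -f` of authd.log by piping the captured text into `parse_authd`; the point of the `uniform_failure` flag is to stop chasing individual LDAP hosts when, as in this thread, both configured servers return the same result code.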
03-26-2013 06:21 AM
Be sure you enter the NetBIOS name of AD in the LDAPAccounts configuration (Domain tab).
03-26-2013 06:27 AM
Yes, I'd completed this, as per one of the other articles (I didn't read the small print when I was originally setting it up).
However, it's now working. Removing and re-adding the configuration must have got me most of the way there, but I just rechecked the LDAP configuration as you outlined and noticed that SSL was ticked, which is something I must have missed during the re-inputting (previously it was unticked, and running on port 389, not 636 for SSL).
I unchecked this and it's now working. Not sure if it was related, but I originally set up the auth profile with spaces in the names until I read another article about PAN-OS not supporting that (but allowing you to put it anyway), and changed the profile name to one without spaces. As already mentioned, maybe removing it all and starting from scratch is the answer.
Thanks for your input.
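The thread ends on a configuration mismatch (SSL ticked while the server profile still pointed at port 389) plus two pitfalls from the replies (the NetBIOS domain name and spaces in profile names). The checker below is an added example for this page, not PAN-OS code and not from the thread; the dictionary layout standing in for an LDAP server profile and authentication profile is this example's own, and the finding codes are invented labels. It flags the thread's broken state, the state the poster settled on, and the reverse mismatch, and it also records the caveat a practitioner wants to see: clearing SSL makes the fix work, but it also sends the bind DN password and every captive-portal user's password over the wire in the clear.

```python
"""Lint a PAN-OS-style LDAP server profile + authentication profile pair.

Added example; not vendor code. The profile fields (type, domain, port, ssl,
servers, base_dn, name) are our own representation of what the GUI shows.
"""
from typing import Dict, List

LDAP_PORT, LDAPS_PORT = 389, 636


def check_ldap_setup(server_profile: Dict, auth_profile: Dict) -> List[str]:
    """Return a list of findings; each starts with a stable code for scripting."""
    findings: List[str] = []
    ssl = bool(server_profile.get("ssl", False))
    port = int(server_profile.get("port", LDAP_PORT))

    # The mismatch from this thread: SSL enabled against the plain LDAP port.
    if ssl and port == LDAP_PORT:
        findings.append("SSL_PORT_MISMATCH: SSL is ticked but port is 389 (plain LDAP); "
                        "either use 636 for LDAPS or clear SSL")
    # The reverse mistake: plain LDAP against the LDAPS port.
    if not ssl and port == LDAPS_PORT:
        findings.append("SSL_PORT_MISMATCH: SSL is not ticked but port is 636 (LDAPS)")
    # Caveat on the thread's fix: simple binds without TLS expose credentials on the wire.
    if not ssl:
        findings.append("PLAINTEXT_BIND: bind DN password and user passwords cross the "
                        "network unencrypted; acceptable only on a trusted segment")
    # From the reply: AD profiles need the NetBIOS domain on the Domain tab.
    if server_profile.get("type") == "active-directory" and not server_profile.get("domain"):
        findings.append("NO_NETBIOS_DOMAIN: active-directory profile without a NetBIOS domain name")
    # From the poster: spaces in profile names are accepted by the GUI but not supported.
    for label, name in (("server profile", server_profile.get("name", "")),
                        ("auth profile", auth_profile.get("name", ""))):
        if " " in name:
            findings.append(f"NAME_HAS_SPACES: {label} name {name!r} contains spaces")
    if not server_profile.get("servers"):
        findings.append("NO_SERVERS: server profile lists no LDAP servers")
    if not server_profile.get("base_dn"):
        findings.append("NO_BASE_DN: server profile has an empty Base DN")
    return findings


# Constructed configs mirroring the thread; hostnames and DNs are placeholders.
BROKEN = {"name": "LDAPAccounts", "type": "active-directory", "domain": "DOMAIN",
          "base_dn": "dc=domain,dc=local", "port": 389, "ssl": True,
          "servers": ["dc1.domain.local", "dc2.domain.local"]}
POSTER_FIX = dict(BROKEN, ssl=False)            # what the poster ended up with
HARDENED = dict(BROKEN, port=636, ssl=True)     # LDAPS end to end
AUTH_PROFILE = {"name": "name_with_no_spaces", "login_attribute": "sAMAccountName"}

if __name__ == "__main__":
    for label, sp in (("broken", BROKEN), ("poster fix", POSTER_FIX), ("hardened", HARDENED)):
        print(f"{label}: {check_ldap_setup(sp, AUTH_PROFILE) or ['clean']}")
```

`HARDENED` is the configuration to aim for once the domain controllers present a certificate the firewall trusts; until then the poster's fix works but should be read alongside the `PLAINTEXT_BIND` finding.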