Invalid username/password with LDAP for Captive Portal

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Invalid username/password with LDAP for Captive Portal

L1 Bithead

Running a PA-500 on software version 5.0.2

I was wondering if anyone could point me in the right direction, I'm trying to get a captive portal working that using LDAP groups to provide access through the policy.

The LDAP servers are configured ok, as I can browse the OUs and add the necessary CNs, and if I run the show user group name "cn=groupname,dc=domain,dc=local" if works, meaning that bind username and LDAP setup must be fine. The captive portal works fine if I use the local db.

The LDAP auth profile is setup:

Name : name_with_no_spaces

Allow List : all

Authentication : LDAP

Server Profile : LDAPAccounts

Login Attribute : sAMAccountName

Password Expiry Warning : 7

I've had a look through and I've verified that the bind account is fine, as I've changed the password and can see the Group Mapping refresh failing so reverted it back, the LDAP servers are reachable (otherwise I wouldn't be able to browse the OUs in the group mapping), and the user does exist as it's my account which I use day to day.

As per Captive Portal with LDAP I tried recreating it all again from scratch and still no joy.

The authd.log shows (username, domain and IP changed to generic)

Mar 26 13:00:54 pan_authd_service_req(pan_authd.c:3310): Authd:Trying to remote authenticate user: user1

Mar 26 13:00:54 pan_authd_service_auth_req(pan_authd.c:1186): AUTH Request <'vsys1','DomainAuthProfile','user1'>

Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1646): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:core:auth:profile_0,username domain\user1

Mar 26 13:00:54 pan_authd_authenticate_service(pan_authd.c:665): authentication failed (6)

Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1669): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:core:auth:profile_0,username domain\user1 failed - trying other hosts

Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1646): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:core:auth:profile_1,username domain\user1

Mar 26 13:00:54 pan_authd_authenticate_service(pan_authd.c:665): authentication failed (6)

Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1669): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:core:auth:profile_1,username domain\user1 failed - trying other hosts

Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1641): Skipping LDAP server due to missing Auth-Profile: pan_ldap_vsys1_:core:auth:profile_2

Mar 26 13:00:54 pan_authd_common_authenticate(pan_authd.c:1641): Skipping LDAP server due to missing Auth-Profile: pan_ldap_vsys1_:core:auth:profile_3

Mar 26 13:00:54 authentication failed for user <vsys1,DomainAuthProfile,domain\user1>

Mar 26 13:00:54 pan_authd_process_authresult(pan_authd.c:1366): pan_authd_process_authresult: domain\user1 authresult not auth'ed

Mar 26 13:00:54 pan_authd_process_authresult(pan_authd.c:1409): Alarm generation set to: False.

Mar 26 13:00:54 User 'domain\user1' failed authentication.  Reason: Invalid username/password From: ::ffff:192.168.1.10.

Mar 26 13:00:54 pan_get_system_cmd_output(pan_cfg_utils.c:4275): executing: /usr/local/bin/sdb -n -r cfg.operational-mode

Mar 26 13:00:54 pan_authd_generate_system_log(pan_authd.c:902): CC Enabled=False

Mar 26 13:00:54 pan_get_system_cmd_output(pan_cfg_utils.c:4275): executing: /usr/local/bin/sdb -n -r cfg.operational-mode

If anyone has any ideas of what else I could try, please let me know.

2 REPLIES 2

L6 Presenter

Be sure you write Netbios name of AD at LDAPAccounts configuration (domain tab)

Yes, I'd completed this, as per one of the other articles (didn't read the small print when I was originally setting it up).

However, it's now working, removing and putting the configuration must have got me most of the way there, but I just rechecked the LDAP configuration as you outlined to check and noticed that SSL was ticked, which is something I must have missed during the re-inputting (previously unticked, and running on port 389, and not 636 for SSL).

I unchecked this and it's now working. Not sure if it was related, but I originally setup the auth profile with spaces in the names until I read another article about PanOS not supporting that (but allowing you to put it anyway), and changed the profile name to without spaces. As already mentioned, maybe removing it all and starting from scratch is the answer.

Thanks for your input

  • 2680 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!