LDAP (Active directory) Authentication for administrators

Showing results for 
Search instead for 
Did you mean: 

LDAP (Active directory) Authentication for administrators

L4 Transporter


Im trying to configure my PA to validate with my AD to can manage it. I have create a group in my Active Directory called (com_cos), this group has the user to manage the PA. I have add this group in Group mapping and Authentication profile (Allowlist) but it seems like the PA has any problem with the group in AD.

This is output error: User 'csg.es\as' failed authentication. Reason: User is not in allowlist From:

I attach the config

Best regards,



L5 Sessionator

Can you try using the netbios name i.e just cgs under the domain filed in your LDAP server profile.

I tried it and it didnt work :smileysad: .....

try to refresh group mapping

clear all user cache

1- clear user-cache   and  clear user-cache-mp

2- debug user-id refresh group-mapping all

try again.

i jus tried and not working :smileysad:

this is the error output

User 'CSG\jeca' failed authentication. Reason: User is not in allowlist From:

do i need to configure something in AD in order to PA can read the groups????

write a security rule for that group

after commit look for the user information from cli if you see the group or not

show user ip-user-mapping ip

L5 Sessionator

With LDAP,you would have to define each user in  the AD group ,on the firewall ,as an Administrator.

For  AD group-based Authentication ,you can use Radius Refer: Radius Vendor Specific Attributes (VSA)

Its not working :smileysad: the user is assgined to the correct group.......but i dont know why its not allowed in the list

User 'CSG\jeca' failed authentication. Reason: User is not in allowlist From:

IP address: (vsys1)

User:        csg\jeca

From:        UIA

Idle Timeout: 2933s

Max. TTL:    2933s

Groups that the user belongs to (used in policy)

Group(s):    cn=com_cos,cn=users,dc=csg,dc=es

Change the Allow-list to all as  AD Group_based Auth for FW Admin  is not possible using LDAP.

You can authenticate individual AD users.

So to authenticate user csg\jeca

Create a local Admin under Device>Administrators called jeca and assign it  with Auth Profile using Server profile  LDAP

Make sure you change the the Allow-list to all  in the Auth Profile

Yes i had that configuration before, but its quite annoying to create a user in PA each time that user go in the company. it would be easier that PA could auth with AD groups in this way i only would have to create the user in ldap and the PA use the LDAP group............

Ok ill revert the conf........thanks

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!