LDAP auth for the WEB UI access clarification

myky
L3 Networker
Hi All,

Why do we need step 3 mentioned in the KB below for the Web UI authentication with LDAP?

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGuCAK

[Screenshot: LDAP.PNG]

Why do we need to create a local user? Won't Palo be an LDAP proxy (grabbing username/password and verifying it against LDAP server database)?


All Replies
Mark_Brook
L1 Bithead

Palo Alto uses a more secure mentality for the Admin users on the firewalls. Calling out the users specifically is a lot more secure than referencing an AD group. Anyone with the right AD privileges could modify the AD group and give themselves superuser access to the firewalls.

 

myky
L3 Networker

@Mark_Brook  thanks, it makes sense. So what is PA actually verifying, just AD membership group and not username/password?

Mark_Brook
L1 Bithead

It's verifying username (both places), password, and if you configured a group in your LDAP profile it will do that as well.
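Added illustration, not the firewall's own code and not from the KB article: a small Python model of the three checks described above (local admin account, LDAP password bind, optional group check), using a constructed stand-in for the directory. It shows why an account added to the AD group but never created on the firewall is still refused, which is the point of step 3.

```python
from hmac import compare_digest

# Constructed stand-in for the LDAP directory: username -> password and groups.
# A real deployment would bind to the directory server instead of reading this dict.
LDAP_DIRECTORY = {
    "alice":   {"password": "correct horse",  "groups": {"FW-Admins"}},
    "bob":     {"password": "battery staple", "groups": {"FW-Admins"}},
    "mallory": {"password": "hunter2",        "groups": {"FW-Admins"}},  # in the group, no local account
}

# Local administrator accounts explicitly configured on the firewall (the KB's step 3).
# Constructed example: username -> admin role.
LOCAL_ADMINS = {"alice": "superuser", "bob": "superreader"}


def ldap_bind(username, password):
    """Simulated LDAP simple bind: succeeds only if the password matches the entry."""
    entry = LDAP_DIRECTORY.get(username)
    return entry is not None and compare_digest(entry["password"], password)


def ldap_member_of(username, group):
    """Simulated group lookup against the directory entry."""
    entry = LDAP_DIRECTORY.get(username)
    return entry is not None and group in entry["groups"]


def authorize_admin(username, password, required_group=None):
    """Return (allowed, reason, role). All three checks must pass.

    The order of the checks is illustrative; what matters is that a directory
    change alone (adding someone to the group) never grants management access.
    """
    if username not in LOCAL_ADMINS:
        return False, "no local admin account", None
    if not ldap_bind(username, password):
        return False, "LDAP bind failed", None
    if required_group and not ldap_member_of(username, required_group):
        return False, f"not in group {required_group}", None
    return True, "ok", LOCAL_ADMINS[username]


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("mallory", "hunter2"), ("alice", "wrong")]:
        print(user, authorize_admin(user, pw, "FW-Admins"))
```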

myky
L3 Networker

Cool, so the local user is another (additional) check as you mentioned earlier. Thanks. 

BrandonWright
L3 Networker

Palo Alto only has this requirement for LDAP authentication when managing the device. You can use a RADIUS server with a RADIUS authentication profile to allow management by AD group, and that works fine, so if you have Microsoft IAS, or another RADIUS server, that will work for allowing a group to authenticate to the firewall and/or Panorama.

myky
L3 Networker

@BrandonWright this is now clear as day (but not a typical day in the UK :)
