LDAP Authentication 4.1.x Panorama and FW

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

LDAP Authentication 4.1.x Panorama and FW

Not applicable

There is a ton of various old and somewhat newer info on LDAP related info around, but I have not been able to find any good source on step by step and how to troubleshoot - a lot of the junk seems to reference user-id stuff, which I believe is not relevant, shouldnt I be able to configure an LDAP server profile, a authentication profile, and then use this for authentication (wether admin access or ssl vpn?).

I have been unable to find any logs or info on how to test if my LDAP server profile is even working.

I had kerberos authentication working just fine, but the bugs with Kerberos and groups makes it unusable, so I have to get LDAP configured, but so far I have not been able to.

for my testing I am doing this in panorama, for the local admin logons to Panorama (because it is so much faster to commit with than a firewall):

here is what I did - which I believe should work:

created a user in the domain named  pan-admin  (for sake of troubleshooting I gave it domain admin rights)

Created LDAP Server Profile

Name: adtest

Servers: Added two DC's by IP, port 389

Domain: mydom.local

Type: Active-Directory

Base: DC=mydom,DC=local    (this pulled up by dropdown)

Bind DN: DN=pan-admin,OU=Service Accounts,DC=mydom,DC=local

Password: **

I unchecked SSL

the rest is default.

Created an Authentication Profile

Name: adAuthAdmin

Allow List:  removed all, and added a single user  like   mydom\username  and a group  mydom\groupname  by typing them in (I would think that just group should work, but for testing purposes I also added my speciifc user)

Authentication: LDAP

Server Profile: adtest

Login Attribute:       (left blank, dont really get what the hell this is)

Under Administrators I added 2 users, one for the group (mydom\groupname) and also my individual user for testing, usint the "adAuthAdmin" profile and superuser...

shouldnt that work?

I cant even find out how to test if the LDAP Server profile is even working - logs show nothing at all - when trying a login the system log just shows

     User 'mydom\username' failed authentication.  Reason: Authentication profile not found for the user From: 10.159.14.11.' )

I tried a lot of different things but I have no luck really - the DC's are 2003's - I have 2008R2's as well but figured there be less prone to issues using the old ones...

btw - user-identification working fine with the agents and all that - I dont see how that is even relevant other than that it uses it for dropdowns on the firewalls (not in panorama since it doesnt have user-id.

any help appreciate - I might open a ticket soon,...

1 accepted solution

Accepted Solutions

Hi,

Authentication profiles can be used with the following features:

- Captive Portal

- Global Protect

- Administrator login

Captive Portal and Global Protect will work by specifying the group in the allow list. Administrator login functions differently as it is required to add each individual user(unless VSA is setup https://live.paloaltonetworks.com/docs/DOC-1701).

A couple notes on your configuration.

1) In the LDAP Server Profile you have the FQDN defined. If left to the FQDN then there can be issues with the user mapping correctly to a group as there will be two separate references to the user

mydom.local\user1

mydom\user1

To prevent this problem instead of - Domain: mydom.local

Enter - Domain: mydom

2) In the Authentication Profile you would set the login attribute to sAMAccountName if using AD/LDAP.

For troubleshooting, you want to review system logs and authd.log. Other common issues can be solved by review the output of various 'show user' commands such as:

> show user group name <group name>

> show user user-IDs match-user <username>

> show user group-mapping state all

Hope this helps!

- Stefan

View solution in original post

3 REPLIES 3

Not applicable

more searching and digging and I found this post

which lead me to the device/panorama setting, where a profile has to be chosen for the box.

so this works as long as I add each individual user to the administrators list.

Shouldnt this work by just adding a group?

and I still have no good way of debugging this crap

Hi,

Authentication profiles can be used with the following features:

- Captive Portal

- Global Protect

- Administrator login

Captive Portal and Global Protect will work by specifying the group in the allow list. Administrator login functions differently as it is required to add each individual user(unless VSA is setup https://live.paloaltonetworks.com/docs/DOC-1701).

A couple notes on your configuration.

1) In the LDAP Server Profile you have the FQDN defined. If left to the FQDN then there can be issues with the user mapping correctly to a group as there will be two separate references to the user

mydom.local\user1

mydom\user1

To prevent this problem instead of - Domain: mydom.local

Enter - Domain: mydom

2) In the Authentication Profile you would set the login attribute to sAMAccountName if using AD/LDAP.

For troubleshooting, you want to review system logs and authd.log. Other common issues can be solved by review the output of various 'show user' commands such as:

> show user group name <group name>

> show user user-IDs match-user <username>

> show user group-mapping state all

Hope this helps!

- Stefan

Thank you - i have been fiddling with this all day - and discovered its not working right when doing the LDAP stuff from panorama, or at least, it works better from the firewall itself,  the FQDN versus Wintendo-netbios network name was one of the issues, I had portal working but not the gateway, removal of fqdn fixed that.

  • 1 accepted solution
  • 3943 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!