LDAP Authentication Profile allow list 'all'

MikeSangray2019
L3 Networker

When configuring an LDAP Authentication Profile, what does the 'all' refer to in the allow list?

MickBall
L7 Applicator

All is a reference to any user.

If you only wanted members of a certain group or individual users to use this authentication profile, then you would add them here.

MikeSangray2019
L3 Networker

Thanks. And to clarify, if a user isn't defined as an Administrator or as a Captive Portal or GlobalProtect user, either explicitly or as a group member, then authentication will fail with something like an "Authentication profile not found for the user" message in the system log? Simply selecting 'all' in the allow list does not grant everyone the ability to log in to the firewall, correct?

MickBall
L7 Applicator

Yes, I think so...

I only say "think so" as I have never used any other option than "ALL", so I don't know what the system log would say... but I'm sure you have already seen this...

To allow all only means that all users can attempt to authenticate against this profile...

MickBall
L7 Applicator

OK, just tested the auth with a test profile without me in the allow list.

System log...

failed authentication for user "Me" Reason: user is not in allow list. auth profile Radius Test.

Boom!

MikeSangray2019
L3 Networker

I did a similar test and got a similar result.

AFAIK setting the allow list to 'all' and relying on authentication profiles is the cleanest way to go about provisioning permissions, but if I'm mistaken please let me know.
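
Added example, not part of the thread and not Palo Alto Networks code: a small Python triage script that separates allow-list rejections, like the system-log message quoted above, from other authentication failures. The sample lines are constructed from that quoted message; the single-quoted variant, the other reason strings and the profile name `LDAP-Admins` are assumptions, and real system-log wording may differ between PAN-OS releases.

```python
import re
from collections import Counter

# Constructed sample lines. The first repeats the message quoted in the thread;
# the other wordings and quoting styles are assumptions for illustration.
SAMPLE_LOG = """\
failed authentication for user "Me" Reason: user is not in allow list. auth profile Radius Test.
failed authentication for user "alice" Reason: invalid credentials. auth profile LDAP-Admins.
failed authentication for user 'bob'. Reason: User is not in allowlist. auth profile 'LDAP-Admins'.
authentication succeeded for user "carol". auth profile LDAP-Admins.
failed authentication for user "Me" Reason: user is not in allow list. auth profile Radius Test.
"""

# Tolerates single or double quotes and an optional period after the user name.
FAILURE_RE = re.compile(
    r"failed authentication for user\s+[\"'](?P<user>[^\"']+)[\"']\.?\s+"
    r"Reason:\s*(?P<reason>.+?)\.\s+auth profile\s+[\"']?(?P<profile>[^\"'.]+)",
    re.IGNORECASE,
)


def is_allow_list_denial(reason):
    """True when the reason says the user is outside the profile's allow list."""
    return "notinallowlist" in re.sub(r"\s+", "", reason.lower())


def classify_failures(log_text):
    """Return (allow_list_denials, other_failures), each keyed by (profile, user)."""
    denied, other = Counter(), Counter()
    for line in log_text.splitlines():
        match = FAILURE_RE.search(line)
        if not match:
            continue  # not an authentication failure
        key = (match.group("profile").strip(), match.group("user"))
        bucket = denied if is_allow_list_denial(match.group("reason")) else other
        bucket[key] += 1
    return denied, other


if __name__ == "__main__":
    denied, other = classify_failures(SAMPLE_LOG)
    for (profile, user), count in denied.most_common():
        print(f"allow-list denial: profile={profile!r} user={user!r} count={count}")
    for (profile, user), count in other.most_common():
        print(f"other failure:     profile={profile!r} user={user!r} count={count}")
```

Keeping the two buckets apart shows whether a failed login was stopped by the profile's allow list or passed that gate and failed for another reason.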
