PAN OS 5.0 and AD authentication problem


PAN OS 5.0 and AD authentication problem

Not applicable

Hello

I have a little problem with my PA-5020. After upgrading the OS to version 5.0, my user authentication to log on as an administrator from LDAP and Kerberos doesn't work. I had users mapped to an allow list by AD group:

cn=administratorzy paloalto,ou=urzĄdzenia,ou=grupy zasobÓw,dc=my,dc=domain,dc=name,

It was working fine with OS 4.x, but after updating to 5.0 I got errors:

User 'my.domain.name\myuser' failed authentication.  Reason: User is not in allowlist From: x.x.x.x

After adding user directly ("my.domain.name\myuser") to allow list it works perfectly.

At first I thought it was a problem with my OU names containing ó and ą, which are Polish letters, but I moved that group to a different OU without them and it still doesn't work.

It looks like the PA doesn't see members of my groups.

The weird thing is that I also have a policy based on users belonging to different groups, and that mapping works fine.

Accepted Solution

L1 Bithead

I've had exactly the same problem. I worked through it with Palo support and we discovered we had to put the NetBIOS domain name back in the LDAP query (the one we had to remove in 4.1.8), and then the group name had to be in the format domain\groupname rather than the full LDAP path. I also had spaces in the OU name for the account I was doing the LDAP lookup with, and found we had to move this to an OU without a space in it.

Thank you, it worked, but it's pretty annoying that I have to change my OU to let the PA work properly. I hope they will fix it.

L3 Networker

Making OUs with spaces is just asking for trouble 😉

A few CLI commands for debugging user/group mapping:

debug user-id reset group-mapping all

show user ip-user-mapping ip <IP address>

show user user-IDs match-user <user name>

show user group list

show user group name <group name>

General rule is: use NetBIOS style user/group names.

Ran into problems myself when using FQDN (groups were retrieved in FQDN style but not matched to users, who were mapped to the group in NetBIOS style).
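The mismatch described in the two replies above (an allow-list entry written as a full LDAP DN or FQDN\name, while the firewall matches users against groups in NetBIOS DOMAIN\name form) can be reproduced outside the firewall. The following is an added example, not code from the thread or from Palo Alto Networks: it parses a group DN, converts every naming style to a canonical NetBIOS form, and shows that the raw string comparison fails exactly the way the "User is not in allowlist" log line does, while the normalized comparison succeeds. The DNS-to-NetBIOS mapping table, the allow list and the membership list are constructed sample data; a NetBIOS name cannot be derived from a DN, so a real deployment would take that mapping from the directory.

```python
# Added example (not from the thread or from Palo Alto Networks).
# Demonstrates why an allow-list entry in LDAP-DN or FQDN style does not match
# group memberships held in NetBIOS "DOMAIN\name" style, and how normalising
# both sides to one canonical form makes the comparison succeed.

# Constructed assumption: DNS domain -> NetBIOS domain. This cannot be derived
# from a DN; a real deployment takes it from the directory.
NETBIOS_BY_DNS = {"my.domain.name": "MYDOMAIN"}


def parse_dn(dn):
    """Split an LDAP DN into (attr, value) pairs, honouring backslash-escaped commas."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character, keep literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        part = part.strip()
        if not part:                             # tolerate a trailing comma
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def dn_to_netbios(dn):
    """Turn 'cn=Group,ou=...,dc=my,dc=domain,dc=name' into 'MYDOMAIN\\Group'."""
    rdns = parse_dn(dn)
    cn = next(v for a, v in rdns if a == "cn")
    dns_domain = ".".join(v for a, v in rdns if a == "dc").lower()
    return f"{NETBIOS_BY_DNS[dns_domain]}\\{cn}"


def normalize(name):
    """Canonical lowercase 'netbios\\name' for a DN, 'fqdn\\name' or 'NETBIOS\\name'."""
    if "=" in name and "dc=" in name.lower():
        canon = dn_to_netbios(name)
    else:
        domain, sep, short = name.partition("\\")
        if not sep:
            raise ValueError(f"expected DOMAIN\\name, got {name!r}")
        # FQDN prefix is translated; an unknown prefix is assumed to be NetBIOS already
        canon = f"{NETBIOS_BY_DNS.get(domain.lower(), domain)}\\{short}"
    return canon.lower()


def authorize(allowlist, memberships, normalized):
    """Return (allowed, reason); 'normalized' selects canonical vs raw comparison."""
    if normalized:
        have = {normalize(m) for m in memberships}
        ok = any(normalize(a) in have for a in allowlist)
    else:
        ok = any(a in memberships for a in allowlist)
    return ok, ("ok" if ok else "User is not in allowlist")


# Constructed sample data mirroring the thread: allow list holds the full DN,
# the firewall holds the user's groups in NetBIOS style.
ALLOWLIST = ["cn=administratorzy paloalto,ou=urzĄdzenia,ou=grupy zasobÓw,"
             "dc=my,dc=domain,dc=name,"]
MEMBERSHIPS = ["MYDOMAIN\\administratorzy paloalto", "MYDOMAIN\\domain users"]

if __name__ == "__main__":
    print("raw match:       ", authorize(ALLOWLIST, MEMBERSHIPS, normalized=False))
    print("normalized match:", authorize(ALLOWLIST, MEMBERSHIPS, normalized=True))
```

The raw comparison is the failure mode the thread describes; the normalized comparison is what the accepted answer achieves by hand when it rewrites the allow-list entry as domain\groupname. Running `show user group name <group name>` with both spellings is the quickest way to see which form the firewall actually holds.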

Hi Albert

Can you post a picture of your LDAP config from your firewall? I'm having some logon issues with pre-logon and I think it might be related.

Thanks.
