Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Panorama 4.1.8 LDAP Failure

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Panorama 4.1.8 LDAP Failure

Not applicable

Having upgraded our Panorama from 4.1.7 to 4.1.8 - we can no longer use the LDAP user authentication.

The user constantly gets "invalid username or password" (same message on the Panorama) - yet this worked without any problems with 4.1.7

On Panorama - one can see that in the LDAP profile - the Base option is never getting populated (dropdown option is only "none" rather than domain name).

Is this a new "feature" ?

Br

JørgeDA

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hi

Please try removing the "domain" entry in the ldap/kerberos profile, this can cause issues with the actual autentication

regards

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

22 REPLIES 22

Not applicable

I am having the exact same issue on a PA-2050 and on panorama - I am downgrading for the time being...

Hello,

We are having the same/similar issue on a PA-2050 and on Panorama.

The reason why I write similar is because I noticed the problem after not being able to log into the PA at all after upgrading after some time.

When I looked at the cpu usage on the PA (show system resources follow) it showed that the authd is using 100% cpu and this "blocks" all other attempts to authenticate on the PA (localusers, radius, ldap etc..).

I still had problems after downgrading to version 4.1.7, but then I noticed a error message in the systemlog regarding ldap not being able to connect to the ldap server on SSL..

I disabled SSL and changed the ldap port to 389 and everything seems to be working OK.

I have opened up a case on support (#00096705) and the issue has been escalated to TAC.

Jo Christian

/Jo Christian

just more fyi - I downgraded my pa-2050 and ldap auth (for admin login) started working again - leaving my panorama at 4.1.8 for now in hopes of a fix coming soon Smiley Happy

This is specifically LDAP authentication into the administrative website of the Palo Alto *only*, correct?

I am having other issues in 4.1.7 that I really need resolved and are known fixes in 4.1.8.    I use LDAP for user based rules, however my admin users are all locally defined to the PAs.   

Thanks.

@ Edwin,

I would expect this to be a general LDAP issue, because I'm not able to have the LDAP server profile to see the AD correctly.

Br

Joergen

Hi guys, I was able to reproduce the same behavior my lab testing. The LDAP server profile is now (in 4.1.8)  not able to see the server correctly. The LDAP server is auto populating the base server info in the earlier version but not in 4.1.8. This looks buggy. Please open a ticket with support.

Thanks,

Sandeep T

same problem with Kerberos :smileyminus:

pretty sure kerberos had an issue all along though - i was advised by TAC to use ldap/ad instead of kerb some time ago, and that fixed the issues i had then - these ldap issues now I only noticed in admin-auth, I didnt test on ssl-vpn auth before downgrading, but I dont use ldap in rules, I use user/groups but that is provided by the DC agents i believe, I dont think that was affected but I didnt test it all through

Cyber Elite
Cyber Elite

Hi

Please try removing the "domain" entry in the ldap/kerberos profile, this can cause issues with the actual autentication

regards

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi Tom,

Confirming that after removing the domain entry I was able to log on with my domain account.

The bind section however - will still not populate. It has to be there thou for the authentication to work.

So step forward - but not something I will try on my firewalls Smiley Happy

Br

Jørgen

Yes, it works without "domain" entry Smiley Happy

On prior Version it works also without this entry. So where is it used for?

Thx
Jörg

Confirmed on PA5020 that removing the "doman" entry in Kerberos resolved login issue on 4.1.8.

Not applicable

Confirmed here as well on PA2050.

Not applicable

Ive had to flip the "domain" entry setting back and forth to get LDAP to work correctly.

I would remove it, and it would work for a while....then I would have to add it back and then remove it to get it to work again.

Tech support has now suggested to me that I go back to version  4.1.7-h2

  • 1 accepted solution
  • 10005 Views
  • 22 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!