Panorama Access Domain Admins - Not functioning 7.0.3


L4 Transporter

Currently we have been working on setting up Access Domain accounts for our server admins to have restricted RO access to traffic logs and policy rules. The configuration appears sound, but all testing using either local or RADIUS/LDAP auth accounts has failed. We receive the following message each time the CORRECT password and login name are entered and Login is clicked. All other admin accounts using a dynamic or role-based profile work without issues.

 

login-error.jpg

Has anyone else seen this issue?


L7 Applicator

Check the system log in monitor.  There should be a more specific failure message there.

 

For RADIUS also check the log on your RADIUS server to confirm the request is reaching and being processed and passed.  We generally run wireshark here so we can follow the entire transaction.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Thanks Steve, but the system log was one of the first places I looked and it displays a successful authentication from all auth types local/RADIUS/LDAP.

I agree with pulukas, if the PAN shows a successful attempt in its logs, check the other side of things, i.e. RADIUS, LDAP, etc.

If the monitor log shows success and the login is actually denied, this is probably a bug and you will need to open a support case on this.

 

For the support case a wireshark of the RADIUS transaction would be the fastest path to an ultimate solution and bug fix.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L4 Transporter

I have had a TAC case open for the last 2 weeks and it is currently in research status. The issue appears to be bug-related so far. LDAP and RADIUS are not the issue, as we are having the access domain issue on local accounts, and all other admin accounts (Role/Dynamic) that leverage LDAP and RADIUS are functioning. Once I hear back from TAC I will post an update.

 

Thanks

 

I am running Panorama 7.0.3 with Access Domains configured for local admin accounts.  It is working fine for me.  Have you tried to define a new Access Domain & admin role with a new admin login account?  Maybe some parameter/setting is corrupted.
