03-20-2020 02:39 PM
Hi.
I have a strange issue with LDAP groups in our PA-5220 setup.
Our setup is two HS-clusters with each containing two PA-5220. All of the devices are fully managed using Panorama. All of the firewalls are running 9.0.5 and Panorama is also of version 9.0.5.
The configuration looks like this, I have configured a LDAP server object with all of our AD domain controllers, and set the "Base DN" to be the root of the domain. I have created a "Group mapping" containing a group for testing. I have created a "LDAP Authentication Profile" targeting the LDAP server configured earlier.
The problem is that the LDAP authentication only works if I have the "Allow list" set to "All". If I specify the AD group either using the NetBIOS name/short name or the full DN name, authentication will fail.
If I from the console list, the users in the group using "show user group name" all expected users are listed. If I test the Authentication Profile using the command "test authentication authentication-profile" it works when the allow list is set to All, but not if I a LDAP group is specified. The test fails based on "Do allow list check before sending out authentication request".
I have checked all of the KB I have been able to find and made sure that I for instance have all the LDAP paths in lower cases. I have compered it with another device with a working configuration, but at another company, but except for the paths and server names, everything is more or less the same.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClizCAC
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloqCAC
What could be causing this issue? What to check next?
Best regards,
Johan Christensson
03-23-2020 05:24 AM
is the dropdown in the authentication profile actually returning the group you want to use or do you need to enter it manually ? (if b, your ldap profile is not working)
also pay VERY close attention to how your users are identified: in the group mapping are your users UPN or sAM ? (user@domain or domain\user) and if you leave the auth profile to all and the user is logged in, how is he/she identified, same as group mapping or different ?
if different, you need to fix the user-id group mapping so it maps users in the SAME format as the auth profile (you can force it to upn or sam)
03-24-2020 04:06 PM
@reaper, thanks for your reply.
Regarding the drop-down of LDAP groups, that depends if I try to configure this using Panorama or directly on the firewall. If using Panorama the drop-down doesn’t work, but if I go directly to the firewall it works.
In any case, your suggestion to pay close attention to how the users are identified. If I look in the monitor of users that are connected while the "Allow list" is set to "All", they are identified as “domain\username”. If I try my test LDAP Authentication profile and enter my name as domain/username the authentication works, even if I change "All" to a LDAP Group.
But this kind of makes me wonder about the "Username modifier". If I have entered the correct "User domain" and I set the "Username modifier" to "%USERDOMAIN%\%USERINPUT%", shouldn’t this mean that if I try with just username, the domain name would automatically be added transform it into “domain\username”? This does not seem to be happening.
If a on the LDAP Authentication profile that is actually being used for the GP configuration change the “Username modifier” change it from “%USERINPUT%" to "%USERDOMAIN%\%USERINPUT%" I cannot logon to the GP Portal any more. Doesn’t make any difference if I enter it as “domain\username” or “username”. If I change it back to being “%USERINPUT%” it works again if I enter “username” but not “domain\username”.
I fail to see to red thread in this.
05-05-2020 03:36 PM
This issue have been put to the side for a while, but I decided to look into it again.
I can get this to work, filtering users based on group membership if the configuration is applied on the local cluster. But when the same configuration is applied though Panorama I cannot get it to work. And I have tested all variations I can think of, but the pattern is the same. A configuration that works on the local cluster will not work when applied trough Panorama.
The good news is that the "user filtering" on at least policy still seems works, even if the rule is configured though Panorama.
But my question here is: Is this "by design" or is this a bug?
09-03-2020 09:07 AM
hi,
I have the same problem.
Tryed to get functionnal global protect with ldap auth (ad) by filtering with "advanced/allow list" in "device/authentication profiles"
Works fine if set-up localy on my devices but not when pushed via panorama.
i lost one day to do many tests to try to do it functionnal but nothing and i don't want set it up locally.
IS someone did the trick ?
panorama and panos on 9.4
08-11-2021 01:56 AM
Hi
Do you find any solution on this issue?
br
05-13-2022 03:38 AM
Hi,
Have you checked your User-ID master device for your template stack?
You can do this by going to Panorama > Templates > select template stack and then select the active firewall as the master.
Commit the config to Panorama
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
