Working on an HA Pair of PA-820 firewalls and just finished configuring auth for management interfaces. Went to test, and found that the firewall said auth succeeds, but the SSH connection immediately drops.
Anyone seen this before? Possible bug?
I also noted the following:
Due to a SAML authentication need, we have the default username set to UPN so that group memberships are seen accurately. When I specify the Username modifier for the RADIUS profile to be %USERINPUT%@%USERDOMAIN% the allow list check begins failing for the auth profile. Wouldn't it stand to reason the Username modifier should be applied before the group check is performed? Wouldn't it also make sense to honor the alternate username defined in the group mapping settings?
I can get the SSH connection to work by setting the auth profile to allow all, and updating the Username modifier as per the above. This makes me think it doesn't like the format of %USERNAME%@%DOMAIN%@%FW-ADDRESS%. I know SSH can do this format because I've used it in other implementations. The question becomes, how to get the group mappings for SAML and RADIUS to both play nicely on the same domain without querying the groups twice. For now I have 2 group mapping settings defined, one for SAML and one for RADIUS with the different groups in each.
Opened a ticket and will report back if I find anything else out.
I've got a config that is where I want it to be, and works, but seems to indicate there are 2 (possibly related) bugs. Here is the config in a nutshell:
This setup allows me to leave the SAML config alone and log in successfully to both SSH and WEBUI.
Potential Bugs: When primary username is set to UserPrincipalName in Group Mappings
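As an added illustration (not the poster's config and not PAN-OS code), a small Python model of the ordering question raised above: when the group mapping's primary username is the UPN, an allow-list check against a mapped group only passes if the username modifier runs before the group lookup. The group mapping, the domain and the two check orders are constructed assumptions.

```python
"""Model of the auth-profile allow-list check discussed in the thread.
Constructed illustration: the group mapping, domain and check order are
assumptions used to show why the modifier must run before the group check."""

# Constructed group mapping keyed by UPN (primary username = UserPrincipalName).
GROUP_MAPPING = {
    "fw-admins": {"alice@corp.example", "bob@corp.example"},
}
USER_DOMAIN = "corp.example"  # assumed value of %USERDOMAIN%


def apply_modifier(user_input: str, modifier: str, user_domain: str) -> str:
    """Expand the %USERINPUT% and %USERDOMAIN% tokens of a username modifier."""
    return modifier.replace("%USERINPUT%", user_input).replace("%USERDOMAIN%", user_domain)


def allowed(username: str, allow_list: set) -> bool:
    """Allow-list check: 'all', a literal username, or membership of a mapped group."""
    if "all" in allow_list or username in allow_list:
        return True
    return any(username in GROUP_MAPPING.get(group, set()) for group in allow_list)


def authenticate(user_input: str, allow_list: set,
                 modifier: str = "%USERINPUT%@%USERDOMAIN%",
                 modifier_first: bool = True):
    """Return (allowed, effective_username).

    modifier_first=True  : modifier applied, then the allow list is checked (expected).
    modifier_first=False : allow list checked on the raw input (the failing order).
    """
    effective = apply_modifier(user_input, modifier, USER_DOMAIN)
    checked = effective if modifier_first else user_input
    return allowed(checked, allow_list), effective


if __name__ == "__main__":
    # RADIUS returns the short name; the group is keyed by UPN.
    print(authenticate("alice", {"fw-admins"}, modifier_first=True))   # (True, 'alice@corp.example')
    print(authenticate("alice", {"fw-admins"}, modifier_first=False))  # (False, 'alice@corp.example')
    print(authenticate("alice", {"all"}, modifier_first=False))        # (True, 'alice@corp.example')
```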