I'm trying to configure SSL-VPN with Active Directory authentication. I'm running PANOS 4.0.4, and SSL-Client 1.3.0 and 1.3.1.
I've configured the following:
1. A Server Profile with type Active Directory
2. An Authentication Profile with LDAP authentication, using the profile I created at step 1. I also added a group and some users to the Allow List.
3. At User Identification I have enabled the LDAP server, using the profile I created at step 1.
Palo Alto can connect to the LDAP server. I can see the groups and users. The CLI command show user ldap-server server all shows that this connection is as it is supposed to be ...
I have also created the SSL-VPN tunnel, and it is working OK if I use local users. When I change this configuration to use the profile with Active Directory users, I cannot connect with any of the users that are on the Allow List. I always get the same error: Authentication failed: Invalid username or password.
I use DOMAIN\USER as user at the name field of NetConnect.
Can anyone help me with this problem?
Would you check the attached LDAP config technote to see if you have configured the setting correctly?
Actually I would recommend you use Kerberos instead of LDAP. If you are using LDAP for SSLVPN and AD for internal network auth, you will have two kinds of user groups - AD group and LDAP group - and so for the same user group you may need to have two groups in the setting. But if you are using Kerberos, you only need to manage one AD user group. You can try it.
eDirectory and LDAP authentication in PANOS 3 1.pdf - This was the document I have followed to configure LDAP Authentication.
I have opened a case through our Palo Alto dealer, so I'm waiting for an answer from Palo Alto. I have configured a lot of other AD/LDAP integrations with other firewalls (non Palo Alto) and I never had so much trouble integrating it ...
Thanks for your help,
The first thing I did was to check if the AD tree plus the user and password used to access the AD server were correct. You can see that at the Dashboard on the GUI with the message:
"ldap cfg [name of the ad server] connected xxx.xxx.xxx.xxx:389, initiated by: zzz.zzz.zzz.zzz"
The above message means that the Palo Alto FW can connect to the AD server with the right credentials.
Then came the real problem, which I found out by running the following command:
admin@PA-500> telnet port 389 host xxx.xxx.xxx.xxx
where xxx.xxx.xxx.xxx is the IP address of the AD server.
Can you post the result?