SSL-VPN with Active Directory auth


Hello,

I'm trying to configure SSL-VPN with Active Directory authentication. I'm running PANOS 4.0.4, and SSL-Client 1.3.0 and 1.3.1.

I've configured the following:

1. A Server Profile with type Active Directory

2. An Authentication Profile with LDAP authentication, and using the profile I've created at step 1. Also added a group and some users to the Allow List.

3. At User Identification I have enabled the LDAP server, using the profile I've created at step 1.

PaloAlto can connect to the LDAP server. I can see the groups and users. The CLI command show user ldap-server server all shows that this connection is as it is supposed to be ...

I have also created the tunnel SSL-VPN, and it is working OK if I use local users. When I change this configuration to use the profile with Active Directory users, I cannot connect any of the users that are on the Allow List. I always have the same error: Authentication failed: Invalid username or password.

I use DOMAIN\USER as user at the name field of NetConnect.

Can anyone help me with this problem?

Best regards,

Nuno Carrilho


Hi,

You should not need to put the domain in the login name. You can also try to use Kerberos for SSLVPN.

Hi, jleung,

I've also tried without the DOMAIN at the beginning. I always have the same error. It just does not work ...

Thanks,

Nuno Carrilho

Hi,

Would you check the attached LDAP config technote to see if you have configured the setting correctly?

Actually, I would recommend you use Kerberos instead of LDAP. If you are using LDAP for SSLVPN and AD for internal network auth, you will have two kinds of user groups: AD group and LDAP group, and so for the same user group you may need to have two groups in the setting. But if you are using Kerberos, you only need to manage one AD user group. You can try it.

Hi jleung,

eDirectory and LDAP authentication in PANOS 3 1.pdf - This was the document I followed to configure LDAP Authentication.

I have opened a case through our Palo Alto dealer, so I'm waiting for an answer from Palo Alto. I have configured a lot of other AD/LDAP integrations with other Firewalls (non PaloAlto) and I never had so much trouble integrating it ...

Thanks for your help,

Nuno Carrilho

Hi jleung,

After long hours trying to understand this issue, I finally found the solution. It is already working with AD.

Thanks for your help,

NC

Hi,

Great to hear that!!!


Hi convex,

We are having the same problem, could you help us with the solution?

Best regards,

How are users logging in? Are they entering 'Domain\User' when they log in? Can you provide a snippet of the authd logs for the failed login attempts?

Regards,

Renato

Hello OCAMPOS,

The first thing I did was to check whether the AD tree plus user and password to access the AD Server were correct. You can see that at the Dashboard on the GUI with the message:

"ldap cfg [name of the ad server] connected xxx.xxx.xxx.xxx:389, initiated by: zzz.zzz.zzz.zzz"

The above message means that the Palo Alto FW can connect to the AD server with the right credentials.

Then came the real problem, which I found out by running the following command:

admin@PA-500> telnet port 389 host xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is the IP address of the AD server.

Can you post the result?

Best regards,

Nuno Carrilho
