02-27-2019 03:12 PM
Hello,
I have set up LDAP authentication for login purposes: the server profile has been created along with the authentication profile, the user group mapping (which searches for an AD group) and the administrator, which uses the authentication profile.
However, I am unable to log on to the firewalls using the AD account; when I check the system logs for the firewall I get the following message: "Authentication profile not found for the user".
I did an authentication test using the command "test authentication authentication-profile <profile> username <username> password" and it came back that the user was authenticated successfully. I can also see that the firewalls are correctly collecting the members of the AD group.
I managed to get the LDAP authentication working, but not in the way I was hoping it would work. I can authenticate a user by making an administrator account for each individual AD user that I want to be able to log in.
I was hoping there was a way to have it set up where an AD group can be used and members of that group can log in to Panorama without having to create individual administrator accounts for each. Not sure if that's possible or not with PAN-OS.
Thanks in advance!
02-27-2019 04:50 PM
You can have an auth system where you don't need to continue adding admins to the firewall directly, but you have to use RADIUS for it.
The mechanism uses Vendor Specific Attributes (VSAs) that the firewall sees and assigns a role. Here's an article that shows the details for Panorama for Windows 2003, 2008, and Cisco ACS 4.0:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIxCAK
Another for just firewalls, and specific to Windows 2008:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGMCA0
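As an added illustration of the VSA mechanism described above (not from the original post or the linked articles, which cover Windows NPS/IAS and Cisco ACS), here is the same group-to-role mapping expressed for FreeRADIUS. It assumes FreeRADIUS 3.x with its shipped `dictionary.paloalto` (vendor ID 25461), an `ldap` module configured against AD so that `LDAP-Group` is populated from `memberOf`, and the AD group names `Panorama-Admins` and `Panorama-ReadOnly`, which are placeholders.

```text
# mods-config/files/authorize (FreeRADIUS "users" file)
#
# Each DEFAULT entry matches a user by AD group membership and returns the
# Palo Alto VSA that carries the admin role. No administrator object has to
# exist on Panorama or the firewall: the role arrives in the Access-Accept.
#
# Assumed group names; replace with the CN values from your AD.

# Full Panorama administrators: built-in Panorama role "panorama-admin".
DEFAULT  LDAP-Group == "Panorama-Admins"
         PaloAlto-Panorama-Admin-Role = "panorama-admin",
         Fall-Through = No

# Read-only operators: built-in role "superreader" on Panorama.
DEFAULT  LDAP-Group == "Panorama-ReadOnly"
         PaloAlto-Panorama-Admin-Role = "superreader",
         Fall-Through = No

# For a standalone firewall the attribute is PaloAlto-Admin-Role instead
# (e.g. "superuser", "superreader", "deviceadmin", "devicereader").

# Anyone not in an admin group gets no role VSA and is rejected, so a valid
# AD password alone never grants management access.
DEFAULT  Auth-Type := Reject
```

The `Fall-Through = No` lines matter: without them a user in an admin group would also reach the final reject entry, and without the final entry any AD user with a valid password could reach the login prompt with whatever default role the device applies.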
02-27-2019 04:40 PM
That's actually how it's supposed to work. PAN-OS won't create the administrator account by itself; the authentication profile is simply used to authenticate administrator accounts that have already been created.
02-27-2019 04:45 PM
Thanks for the response.
So what do I need to do in the FW so that I don't get the message "Authentication profile not found for the user"?
02-27-2019 04:48 PM
Create an administrator account for the user you wish to add to the firewall; when creating the entry, ensure that the authentication profile for the account has your LDAP profile specified. If that's done you shouldn't get any errors in the log files.