Unable to logon to the firewalls using the AD account

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Unable to logon to the firewalls using the AD account

L4 Transporter

Hello,

 

I have setup LDAP authentication for login purposes, the server profile has been created along with the authentication profile, user group mapping (which searches for an AD group) and the administrator which uses the authentication profile.

 

However I am unable to logon to the firewalls using the AD account, when I check the system logs for the firewall I get the following message "Authentication profile not found for the user".

 

I did an authentication test using the command "test authentication authentication-profile <profile> username <username> password" and it came back that the user was authenticated successfully, I can also see that the firewalls are correctly collecting the members of the AD group.

 

I managed to get the LDAP authentication working, but not in the way I was hoping it would work. I can authenticate a user by making an administrator account for each individual AD user that I want to be able to login.

 

I was hoping there was a way to have it setup where an AD group can be used and members of that group can login to panorama without having to create individual administrator accounts for each. Not sure if that’s possible or not with Pan-OS.

 

 

Thanks in advance!

1 accepted solution

Accepted Solutions

You can have an auth system where you don't need to continue adding admins to the firewall directly, but you have to use RADIUS for it.

 

The mechanism uses Vendor Specific Attributes (VSAs) that the firewall sees and assigns a role. Here's an article that shows the details for Panorama for Windows 2003, 2008, and Cisco ACS 4.0:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIxCAK

 

Another for just firewalls, and specific to Windows 2008:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGMCA0

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

@FarzanaMustafa ,

That's actually how it's suppose to work. The PAN-OS won't create the administrator account by itself, the authentication profile is simply used the authenticate administrator accounts that have already been created. 

@BPry 

 

Thanks for the response.

 

So what do I need to do in the FW so that I don't get the message "Authentication profile not found for the user"?

@FarzanaMustafa ,

Create an administrator account for the user you are wishing to add to the firewall, when creating the entry ensure that the authentication profile for the account has your LDAP profile specified. If that's done you shouldn't get any errors in the log files. 

You can have an auth system where you don't need to continue adding admins to the firewall directly, but you have to use RADIUS for it.

 

The mechanism uses Vendor Specific Attributes (VSAs) that the firewall sees and assigns a role. Here's an article that shows the details for Panorama for Windows 2003, 2008, and Cisco ACS 4.0:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIxCAK

 

Another for just firewalls, and specific to Windows 2008:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGMCA0

  • 1 accepted solution
  • 8174 Views
  • 4 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!