09-27-2010 02:01 PM
Running PAN 2020 v3.1.4 using LDAP authentication with eDirectory. I have a userid that will not authenticate via Captive portal. I am seeing a "User is not in allowlist" error in the System Log.
I have verified that the userid in question is in the Server group. That Server Group is referenced by a Security policy as the source User. I have verified using "show user ldap-server server all" that the username in question does appear in the list on the paloalto.
As an FYI this same userid authenticates fine via the ldap agent. If I run a show user ip-user-mapping for the IP address of a system that is logged in via the agent it correctly shows the userid as being in the group called out by a security policy.
At this point, I am not seeing what is holding this up. If that userid has logged in via the agent already on another box, would that somehow prevent that userid from logging in via captive portal on another system?
What should I be checking to troubleshoot this problem?
Thanks.
09-27-2010 02:47 PM
Hi There,
You need to edit the allow list. These links should answer your problem:
https://live.paloaltonetworks.com/message/1779#1779
https://live.paloaltonetworks.com/message/3103#3103
Thanks
James
09-28-2010 09:30 AM
Can you try adding the user directly to the allowlist instead of using the group? Not permanently, but just to ensure that the general mapping is working. If that works, then it's something to do with group enumeration.
Tariq
09-28-2010 10:46 AM
I got the problem resolved. This particular userid had not been added to the group referenced by the Authentication policy. Once added, it began working.
This is a new installation and I simply forgot that the Authentication policy references an LDAP group.