Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

User is not in allowlist

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

User is not in allowlist

L1 Bithead

Running PAN 2020 v3.1.4 using LDAP authentication with eDirectory.  I have a userid that will not authenticate via Captive portal. I am seeing a " User is not in allowlist" error in the System Log.

I have verified that the userid in quesiton is in Server group.  That Server Group is referenced by a Security policy as the source User.  I have verified using "show user ldap-server server all" that the username in question does appear in the list on the paloalto.

As an FYI this same userid authenticates fine via the ldap agent.  If I run a show user ip-user-mapping for the IP address of a system that is logged in via the agent it correctly shows the userid as being in the group called out by a security policy.

At this point, I am not seeing what is holding this up.  If that userid has logged in via the agent already on another box, would that somehow prevent that userid from logging in via captive portal on another system?

What should I be checking to troubleshoot this problem?

Thanks.

3 REPLIES 3

L4 Transporter

Hi There,

You need to edit the allow list.  These links should answer your problem:

https://live.paloaltonetworks.com/message/1779#1779

https://live.paloaltonetworks.com/message/3103#3103

Thanks

James

Not applicable

Can you try adding the user directly to the allowlist instead of using the group?  Not permanently, but just to ensure that the general mapping is working.  If that works, then it's something to do with group enumeration.

Tariq

I got the problem resolved.   This particular userid had not been added to the group referenced by the Authentication policy. Once added, it began working. 

This is a new installation and I simply forgot that the Authentication policy references an LDAP group.

  • 4323 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!