Using LDAP/AD names for firewall GUI login

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Using LDAP/AD names for firewall GUI login

Not applicable

Hi

I believe I've successfully set up LDAP authentication in our Palo device. All of our groups and users are appearing when searched for using "show user ldap-server server all" and they show up in Authentication Profiles when changing the Allow List.

I have added my user account from our AD domain into the LDAP Authentication Profile as detailed in the "eDirectory and LDAP Authentication with PANOS" document, but I'm not sure how to progress in getting this to be used for authorisation when logging into the firewall itself.

If I go into create a new administrator account, the authentication profile drop-down only lists "None" - I had imagined this would let me specify a user based on LDAP but it seems not.

Am I barking up the wrong tree, or should I be able to authenticate to the admin GUI using LDAP users? If so is there a step I'm missing in enabling this?

Regards

John Bousfield

1 accepted solution

Accepted Solutions

For reference the problem was that my LDAP Server Profile and LDAP Authorisation Profiles were set to use VSYS but needed to be set to as Shared - you can't use Vsys profiles to authorise administrative users, which makes sense.

This can't be altered once a profile is made so I removed both profiles and recreated as shared (tick box near the top of the form).

I can now use LDAP to authorise users.

John

View solution in original post

8 REPLIES 8

L4 Transporter

Hi John,

For this to work - you should have your LDAP server as a choice in the drop down.

The "Name" section would be your username in the LDAP server.  You would need to make an entry like this for each administrator.  This is OK for a small number of Admins.

If you expect to have many - then please check out this document using RADIUS and VSA's:

https://live.paloaltonetworks.com/docs/DOC-1701

Thanks

James

Hi James

Thanks for your reply. That's how I imagined it should work and doing it for each user manually is fine for now.

However, when I go in to add the new administrator account I'm unable to select anything other than "None" - there is no option for my other Authorisation profiles (including a RADIUS profile already set up).

The help system indicates the same thing you have which is that I should have the list of Auth Profiles there.

Could there be some setting I've missed to enable new users to use all Auth Profiles?

Regards

John

Hi John,

Is it definitely Auth and not server profiles that you have configured?

Screen shot 2011-01-19 at 11.50.39.png

Thanks

James

Hi James

I've got both Server Profile and Authentication Profiles configured. Tried to attach an image of these but it doesn't seem to let me...

Server Profile has the LDAP servers listed and I can do looks ups to AD so those seem fine. User Idenfitication is also in place and seems to be working fine getting groups and users when I check via the command line.

The Authentication Profiles include the one for LDAP, one for LocalDB and one for RADIUS at the moment. The LDAP Auth profile uses the LDAP Server Profile above, includes my AD account and an AD group in the Allow List and has sAMAccountName as the login attribute.

None of the Auth Profiles appear in the drop-down though.

Appreciate any help.

Regards

John

Hi John,

Sorry, been out an about

I suggest you contact support - it does not sound right.  I think we'll definitely need pictures here Smiley Happy

I am sure we could get this solved

Thanks

James

Hi James

I'll raise a support issue with our support contact directly but I have also attached the images of each config page to the post so you can have a quick browse of the settings I've got in place.

Thanks for your help.

Regards

John

For reference the problem was that my LDAP Server Profile and LDAP Authorisation Profiles were set to use VSYS but needed to be set to as Shared - you can't use Vsys profiles to authorise administrative users, which makes sense.

This can't be altered once a profile is made so I removed both profiles and recreated as shared (tick box near the top of the form).

I can now use LDAP to authorise users.

John

Hi John,

Good news!!

Thanks

James

  • 1 accepted solution
  • 9829 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!