07-06-2021 10:39 PM
When specifying the AD group in the allow list of the LDAP authentication profile, the admin login is failing. It is showing errors like "user not in allow list" and "target vsys is not mentioned", etc.
It is working only when using 'all' in the allow list.
07-07-2021 12:22 AM
Have you followed the article below as maybe your user is not in the correct Microsoft AD group and this is why you have issues?
Also read this and confirm that you have set up your firewall to do group resolution/mapping:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGOCA0
07-07-2021 01:50 AM
A couple of things...
You may need to use the domain info and domain modifier in the auth profile.
For example: the admin user is firstname.lastname and the LDAP server domain is domain.com,
so the auth profile is set with user domain = domain.com and the username modifier is set to "%USERINPUT%@%USERDOMAIN%".
I can then just log in as firstname.lastname.
Or, if you are using userPrincipalName for auth, it will not pick up group membership if the group ID is using sAMAccountName, as these may be different.
Try from the CLI: show user group list "<the full path to the group>" to see if the names and domains match.
If you are not sure of the group path, then: show user group name to display known groups.
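As an added illustration (not from this thread or from Palo Alto Networks' code), the small model below expands a username modifier the way the post describes and compares the resulting login name against constructed 'show user group list' output, showing why "user@domain.com" does not literally equal "domain\user" and how a case-insensitive, format-normalised comparison resolves it. The group DN, member names and the assumption that the NetBIOS domain equals the first DNS label are all assumptions; it does not reproduce the firewall's real matching code.

```python
"""Simplified model of allow-list matching, added as an example.
Not PAN-OS code: it only illustrates the UPN vs DOMAIN\\sAMAccountName mismatch."""
from typing import Dict, List, Set, Tuple

# Constructed sample: what 'show user group list "<group>"' might report.
GROUP_DN = "cn=fw-admins,ou=groups,dc=domain,dc=com"
GROUP_MEMBERS: Dict[str, Set[str]] = {
    GROUP_DN: {"domain\\user1", "domain\\user2", "domain\\firstname.lastname"},
}


def apply_modifier(user_input: str, user_domain: str, modifier: str) -> str:
    """Expand a username modifier such as '%USERINPUT%@%USERDOMAIN%'
    or '%USERDOMAIN%\\%USERINPUT%' into the name sent to LDAP."""
    return modifier.replace("%USERINPUT%", user_input).replace("%USERDOMAIN%", user_domain)


def canonical(identity: str) -> Tuple[str, str]:
    """Reduce 'DOMAIN\\user', 'user@domain.com' or bare 'user' to a
    lower-cased (domain, account) pair so the formats can be compared.
    Assumption: the NetBIOS domain equals the first label of the DNS domain."""
    if "\\" in identity:
        dom, acct = identity.split("\\", 1)
    elif "@" in identity:
        acct, dom = identity.split("@", 1)
        dom = dom.split(".", 1)[0]
    else:
        dom, acct = "", identity
    return dom.lower(), acct.lower()


def literal_match(login_name: str, group_dn: str) -> bool:
    """Byte-for-byte comparison: this is the check that fails in the thread."""
    return login_name in GROUP_MEMBERS.get(group_dn, set())


def normalised_match(login_name: str, group_dn: str) -> bool:
    """Format- and case-insensitive comparison of the same two names."""
    want = canonical(login_name)
    return any(canonical(m) == want for m in GROUP_MEMBERS.get(group_dn, set()))


def unmatched_admins(admins: List[str], group_dn: str) -> List[str]:
    """Return the expected admin logins that the group output does not contain,
    so a defender can spot a naming mismatch before trusting the allow list."""
    return [a for a in admins if not normalised_match(a, group_dn)]


if __name__ == "__main__":
    login = apply_modifier("firstname.lastname", "domain.com", "%USERINPUT%@%USERDOMAIN%")
    print(login, literal_match(login, GROUP_DN), normalised_match(login, GROUP_DN))
```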
07-07-2021 01:56 AM
Ok. Here's the thing: 3-4 AD accounts are in a group and we want to use the same in the allow list. I read somewhere that the group name is case sensitive and it should only be entered in lower case in the firewall.
The output of show user group name '<cn=abc ....>' lists users as domain\user1.
07-07-2021 02:31 AM - edited 07-07-2021 02:34 AM
You can check if you match group:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVcCAK
Also, if you have not added the domain you will need to use <domain>/<group>, whereas if you have added the domain it will be just <group>.
I also recommend, to learn Palo Alto, that you take the free Palo Alto digital learning courses EDU-110 and EDU-120 (free registration to Palo Alto Beacon is needed: https://beacon.paloaltonetworks.com/student/catalog)
https://live.paloaltonetworks.com/t5/blogs/edu-110-and-edu-120-available-for-pan-os-9-0/ba-p/260257
Also CBT Nuggets and INE have good Palo Alto training.
07-07-2021 02:45 AM
And does the username match exactly in the group output?