When specifying the AD group in the Authentication profile, admin login is not working



L1 Bithead

When specifying the AD group in the allow list of the LDAP Authentication profile, the admin login is failing. It shows errors like "user not in allow list" and "target vsys is not mentioned", etc.

It is working only when using 'all' in the allow list.


L3 Networker

Have you followed the article below as maybe your user is not in the correct Microsoft AD group and this is why you have issues?

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/troubleshoot-authentication...

Also read this and confirm that you have set up your firewall to do group resolution/mapping:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGOCA0

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/authentication/enable-group-...

L7 Applicator

A couple of things...

You may need to use the domain info and domain modifier in the auth profile.

For example: the admin user is firstname.lastname and the LDAP server domain is domain.com,

so the auth profile is set with user domain = domain.com and the username modifier is set to "%USERINPUT%@%USERDOMAIN%".

I can then just log in as firstname.lastname.

Or, if you are using userPrincipalName for auth, then it will not pick up group membership if the group ID is using sAMAccountName, as they may be different.

Try from the CLI: show user group list "the full path to the group" to see if the names and domains match.

If you are not sure of the group path, then: show user group name to display known groups.

OK. Here the thing is: 3-4 AD accounts are in a group and we want to use the same in the allow list. I read somewhere that the group name is case sensitive and should only be entered in lower case in the firewall.

The output of show user group name '<cn=abc ....>' is listing users as domain\user1.

You can check if you match the group:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVcCAK

Also, if you have not added the domain you will need to use <domain>/<group>, whereas if you added the domain it will be just <group>.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-authentication-...

I also recommend, to learn Palo Alto, that you take the free Palo Alto digital learning courses EDU-110 and EDU-120 (free registration to Palo Alto Beacon is needed: https://beacon.paloaltonetworks.com/student/catalog).

https://live.paloaltonetworks.com/t5/blogs/edu-110-and-edu-120-available-for-pan-os-9-0/ba-p/260257

Also, CBT Nuggets and INE have good Palo Alto training.

And does the username match exactly in the group output?
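The mismatches the replies above point at (the username modifier expanding the login to a UPN, group members printed as domain\user, and allow-list group names that differ from the known group in case or domain prefix) as a small constructed Python check. This is added example code, not PAN-OS code or any poster's own; the DNS-to-NetBIOS map, the group name and its members are made-up sample values, and the check is a model of the thread's advice, not the firewall's real matching logic.

```python
NETBIOS_BY_DNS = {"domain.com": "domain"}  # constructed DNS -> NetBIOS map (assumption)


def apply_modifier(userinput: str, user_domain: str, modifier: str) -> str:
    """Expand %USERINPUT% and %USERDOMAIN% the way the thread describes the modifier."""
    return modifier.replace("%USERINPUT%", userinput).replace("%USERDOMAIN%", user_domain)


def canonical(identity: str) -> str:
    """Reduce 'user@dns.domain' or 'DOMAIN\\user' to lowercase 'netbios\\user'."""
    identity = identity.strip().lower()
    if "@" in identity:
        user, dns = identity.rsplit("@", 1)
        return f"{NETBIOS_BY_DNS.get(dns, dns)}\\{user}"
    return identity


def diagnose(allow_list, known_groups, login_identity) -> list:
    """Explain why a login would fail the allow-list check; an empty list means it passes.

    known_groups maps each group name exactly as `show user group name` prints it
    to the domain\\user members it lists for that group (constructed sample data).
    """
    if "all" in allow_list:
        return []
    findings = []
    user = canonical(login_identity)
    if "\\" not in user:
        findings.append(f"no domain in '{login_identity}': members are listed as domain\\user")
    for entry in allow_list:
        if entry in known_groups:
            members = {canonical(m) for m in known_groups[entry]}
            if user not in members:
                findings.append(f"'{user}' is not a member of '{entry}'")
            continue
        # Entry is not known verbatim: look for the mismatches the thread warns about.
        tail = entry.split("\\", 1)[-1].lower()  # drop any leading domain\ prefix
        near = [g for g in known_groups if g.lower() == tail or g.lower().endswith("\\" + tail)]
        if near:
            findings.append(f"'{entry}' differs from known group {near[0]!r} in case or domain prefix")
        else:
            findings.append(f"'{entry}' is not a group the firewall knows")
    return findings
```

Run diagnose() with the group name copied verbatim from the group output and with the login as the modifier produces it; each finding names one of the checks suggested in the thread.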
