This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

LDAP authentication profile not listing in authentication settings

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

LDAP authentication profile not listing in authentication settings

Go to solution
jeromej
L1 Bithead

‎05-26-2023 01:19 AM - edited ‎05-26-2023 01:19 AM

Hi,

 

jeromej_0-1685089183840.png

I have a problem in adding LDAP authentication profile to the authentication settings in Device>Management. I have also tried creating a new authentication profile with LDAP in it. But getting the below error

"system -> authentication-profile 'LDAP_AUTH_WEBGUI' is not a valid reference
system -> authentication-profile is invalid"

Please advice if I have to do any changes somewhere.

Preview file
47 KB
0 Likes Likes
3 accepted solutions

Accepted Solutions

Go to solution
PavelK
Cyber Elite
Cyber Elite

‎05-27-2023 05:10 AM

Hello @jeromej

 

could you please check logs from CLI: tail follow yes mp-log authd.log? This should give definitive answer what the issue is.

 

Kind Regards

Pavel 

Help the community: Like helpful comments and mark solutions.

View solution in original post

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite
In response to jeromej

‎05-29-2023 07:54 AM

Connection reset by peer is expected because with ssh command you  try to initiate ssh not ldap.

 

As mgmt and ldap are in same subnet then next step is to take packet capture on mgmt interface.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleECAS

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

Go to solution
jeromej
L1 Bithead
In response to jeromej

‎05-30-2023 04:28 AM

Man I had found what I did wrong... I had not given the LDAP service route source in the Service route configuration. After giving that our box had connected with the LDAP server and everything works fine now. But earlier it was the same when the LDAP works without any such configuration. I wonder how it worked. 

Anyways, thanks for the support and assistance.

View solution in original post

0 Likes Likes
15 REPLIES 15

Go to solution
PavelK
Cyber Elite
Cyber Elite

‎05-26-2023 05:02 AM

Hello @jeromej

 

the authentication profile under: Device > Management > Authentication Settings only supports RADIUS, TACACS+ and SAML. If you need to use LDAP to authenticate accounts accessing Firewall, you can do it from: Device > Administrators, then add account and select LDAP profile from drop down list.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite

‎05-26-2023 07:17 AM

Authentication Settings droppdown supports using authentication sequences.

You can try to put LDAP profile into auth sequence (Device > Authentication Sequense) and try if choosing auth sequence instead works (I have not tested).

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Go to solution
jeromej
L1 Bithead
In response to PavelK

‎05-26-2023 07:42 AM - edited ‎05-26-2023 07:47 AM

Hi @PavelK 

 

Thanks for the response.

I tried that already but didn't work and thought that the issue could be with the authentication settings in the management window.

And I have configured the LDAP authentication and started using the LDAP account for logging in to the PA Webgui for the past couple weeks. There was some changes done by my colleague yesterday and when I tried login to the web console today, I started getting authentication error.

And I felt something must be something wrong with connection with the LDAP connectivity. So I tested the connectivity and got the connection error. There is no LDAP configuration issue and I double checked the same. 

jeromej_0-1685112008346.png

Is there anything that I am missing to check?

 

Thanks,

Jerome

0 Likes Likes

Go to solution
jeromej
L1 Bithead
In response to Raido_Rattameister

‎05-26-2023 07:46 AM

Hi @Raido_Rattameister 

 

Thanks for the response.

 

I have configured the authentication settings the same way that you have mentioned and was using the LDAP account for logging in to the PA Webgui for the past couple weeks. But there was some changes done by my colleague yesterday and when I tried login to the web console today, I started getting authentication error.

And I felt something must be wrong with connection with the LDAP connectivity. So I tested the connectivity and got the connection error. There is no LDAP configuration issue and I double checked the same. 

jeromej_1-1685112190814.png

 

Is there anything that I am missing to check?

 

Thanks,

Jerome

0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite

‎05-26-2023 07:51 AM

Monitor > System

Filter "( subtype eq auth )"

 

Any events about LDAP server there? Like auth-server-down for example.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Go to solution
PavelK
Cyber Elite
Cyber Elite

‎05-26-2023 02:41 PM

Hello @jeromej 

 

thank you for reply.

 

To drill down root cause for failure, could you please follow this KB: How to Troubleshoot LDAP Authentication? Also, make sure that Bind-dn username and password are up to date.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Go to solution
jeromej
L1 Bithead
In response to Raido_Rattameister

‎05-27-2023 12:19 AM

Hi @Raido_Rattameister 

The logs shows the "auth-server-down". But when checking the connectivity between the firewall and the server is good as they both communicate with each other. Please find below the error log.

 

Type Threat/Content Type Config Version Generate Time Virtual System Event ID Object fmt id module Severity Description
SYSTEM auth 2816 5/27/2023 11:45   auth-server-down 0 0 general critical LDAP auth server  is down !!!
0 Likes Likes

Go to solution
jeromej
L1 Bithead
In response to PavelK

‎05-27-2023 12:52 AM

Hi @PavelK 

 

I have tried the steps given in the KB and got the below result.

1.1 #show shared server-profile lda  -  Invalid syntax

1.2 The Base DN not listing automatically. It wasn't listed when I had it configured previously but the LDAP authentication worked until couple days back.

1.4 Couldn't browse the LDAP tree browser when configuring Group-Mapping.

 

The Bind-DN Username and password are up to date. Yet I am getting this connectivity issue.

Please advice.

0 Likes Likes

Go to solution
PavelK
Cyber Elite
Cyber Elite

‎05-27-2023 05:10 AM

Hello @jeromej

 

could you please check logs from CLI: tail follow yes mp-log authd.log? This should give definitive answer what the issue is.

 

Kind Regards

Pavel 

Help the community: Like helpful comments and mark solutions.

Go to solution
jeromej
L1 Bithead
In response to PavelK

‎05-29-2023 04:17 AM

Hi @PavelK 

jeromej_0-1685358604549.png

When checking the logs, I get the above error. It seems that there is some issue with the connectivity. 

Is there a way to check if the ldap server receives the request on the port 389 from Palo alto? Since PA has removed telnet from PANOS 5.0, I couldn't find a way to know that.

 

Thanks,

Jerome 

0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite

‎05-29-2023 04:49 AM

Is Palo mgmt interface and ldap server in same subnet or does traffic from Palo mgmt interface traverse Palo dataplane so you could see logs?

To test tcp 3way handshake you can use command "ssh port 389 host <ldap server ip>"

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Go to solution
jeromej
L1 Bithead
In response to Raido_Rattameister

‎05-29-2023 05:34 AM

Yes @Raido_Rattameister , PA mgmt interface and ldap server are in the same subnet.

When test the handshake, I get the below result.

jeromej_1-1685363644321.png

 

Thanks,

Jerome

 

 

0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite
In response to jeromej

‎05-29-2023 07:54 AM

Connection reset by peer is expected because with ssh command you  try to initiate ssh not ldap.

 

As mgmt and ldap are in same subnet then next step is to take packet capture on mgmt interface.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleECAS

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Go to solution
jeromej
L1 Bithead
In response to Raido_Rattameister

‎05-29-2023 11:11 PM

Hi @Raido_Rattameister ,

 

There is no packet sent/received when checking with tcpdump.

0 Likes Likes
  • 3 accepted solutions
  • 5937 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks