LDAP authentication profile not listing in authentication settings

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

LDAP authentication profile not listing in authentication settings

L1 Bithead

Hi,

 

jeromej_0-1685089183840.png

I have a problem in adding LDAP authentication profile to the authentication settings in Device>Management. I have also tried creating a new authentication profile with LDAP in it. But getting the below error

"system -> authentication-profile 'LDAP_AUTH_WEBGUI' is not a valid reference
system -> authentication-profile is invalid"

Please advice if I have to do any changes somewhere.

3 accepted solutions

Accepted Solutions

Cyber Elite
Cyber Elite

Hello @jeromej

 

could you please check logs from CLI: tail follow yes mp-log authd.log? This should give definitive answer what the issue is.

 

Kind Regards

Pavel 

Help the community: Like helpful comments and mark solutions.

View solution in original post

Connection reset by peer is expected because with ssh command you  try to initiate ssh not ldap.

 

As mgmt and ldap are in same subnet then next step is to take packet capture on mgmt interface.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleECAS

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

Man I had found what I did wrong... I had not given the LDAP service route source in the Service route configuration. After giving that our box had connected with the LDAP server and everything works fine now. But earlier it was the same when the LDAP works without any such configuration. I wonder how it worked. 

Anyways, thanks for the support and assistance.

View solution in original post

15 REPLIES 15

Cyber Elite
Cyber Elite

Hello @jeromej

 

the authentication profile under: Device > Management > Authentication Settings only supports RADIUS, TACACS+ and SAML. If you need to use LDAP to authenticate accounts accessing Firewall, you can do it from: Device > Administrators, then add account and select LDAP profile from drop down list.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Cyber Elite
Cyber Elite

Authentication Settings droppdown supports using authentication sequences.

You can try to put LDAP profile into auth sequence (Device > Authentication Sequense) and try if choosing auth sequence instead works (I have not tested).

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi @PavelK 

 

Thanks for the response.

I tried that already but didn't work and thought that the issue could be with the authentication settings in the management window.

And I have configured the LDAP authentication and started using the LDAP account for logging in to the PA Webgui for the past couple weeks. There was some changes done by my colleague yesterday and when I tried login to the web console today, I started getting authentication error.

And I felt something must be something wrong with connection with the LDAP connectivity. So I tested the connectivity and got the connection error. There is no LDAP configuration issue and I double checked the same. 

jeromej_0-1685112008346.png

Is there anything that I am missing to check?

 

Thanks,

Jerome

Hi @Raido_Rattameister 

 

Thanks for the response.

 

I have configured the authentication settings the same way that you have mentioned and was using the LDAP account for logging in to the PA Webgui for the past couple weeks. But there was some changes done by my colleague yesterday and when I tried login to the web console today, I started getting authentication error.

And I felt something must be wrong with connection with the LDAP connectivity. So I tested the connectivity and got the connection error. There is no LDAP configuration issue and I double checked the same. 

jeromej_1-1685112190814.png

 

Is there anything that I am missing to check?

 

Thanks,

Jerome

Cyber Elite
Cyber Elite

Monitor > System

Filter "( subtype eq auth )"

 

Any events about LDAP server there? Like auth-server-down for example.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Cyber Elite
Cyber Elite

Hello @jeromej 

 

thank you for reply.

 

To drill down root cause for failure, could you please follow this KB: How to Troubleshoot LDAP Authentication? Also, make sure that Bind-dn username and password are up to date.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Hi @Raido_Rattameister 

The logs shows the "auth-server-down". But when checking the connectivity between the firewall and the server is good as they both communicate with each other. Please find below the error log.

 

Type Threat/Content Type Config Version Generate Time Virtual System Event ID Object fmt id module Severity Description
SYSTEM auth 2816 5/27/2023 11:45   auth-server-down 0 0 general critical LDAP auth server  is down !!!

Hi @PavelK 

 

I have tried the steps given in the KB and got the below result.

1.1 #show shared server-profile lda  -  Invalid syntax

1.2 The Base DN not listing automatically. It wasn't listed when I had it configured previously but the LDAP authentication worked until couple days back.

1.4 Couldn't browse the LDAP tree browser when configuring Group-Mapping.

 

The Bind-DN Username and password are up to date. Yet I am getting this connectivity issue.

Please advice.

Cyber Elite
Cyber Elite

Hello @jeromej

 

could you please check logs from CLI: tail follow yes mp-log authd.log? This should give definitive answer what the issue is.

 

Kind Regards

Pavel 

Help the community: Like helpful comments and mark solutions.

Hi @PavelK 

jeromej_0-1685358604549.png

When checking the logs, I get the above error. It seems that there is some issue with the connectivity. 

Is there a way to check if the ldap server receives the request on the port 389 from Palo alto? Since PA has removed telnet from PANOS 5.0, I couldn't find a way to know that.

 

Thanks,

Jerome 

Cyber Elite
Cyber Elite

Is Palo mgmt interface and ldap server in same subnet or does traffic from Palo mgmt interface traverse Palo dataplane so you could see logs?

To test tcp 3way handshake you can use command "ssh port 389 host <ldap server ip>"

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Yes @Raido_Rattameister , PA mgmt interface and ldap server are in the same subnet.

When test the handshake, I get the below result.

jeromej_1-1685363644321.png

 

Thanks,

Jerome

 

 

Connection reset by peer is expected because with ssh command you  try to initiate ssh not ldap.

 

As mgmt and ldap are in same subnet then next step is to take packet capture on mgmt interface.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleECAS

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi @Raido_Rattameister ,

 

There is no packet sent/received when checking with tcpdump.

  • 3 accepted solutions
  • 3689 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!