Panorama LDAP Login UI

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Panorama LDAP Login UI

L0 Member

Hello

 

I am trying to configure panorama to use ldap login for the UI. I've followed the article below, but still get invalid username and password. I've setup authentication profile and administrator to my AD group. Not sure why I can't get this function to work.

 

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/configure-ldap-authenticati...

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hello @Danny-SRNA

 

thank you for the post!

 

The best way to drill down into root cause of authentication failure is to look into logs. Please run this command from Panorama's CLI: less mp-log authd.log. Based on the logs, I would focus on next troubleshooting steps.

 

On the general note, please check below:

- In LDAP profile, is Base DN covering an AD OU where your login account is located? Are Bind DN credentials valid?

- In LDAP profile, are LDAP servers reachable? Can firewall resolve their DNS record?

- In Authentication Profile, under "Advanced" does "Allow List" has "all" configured?

- Is account you are using to authenticate to Panorama GUI, configured under: Panorama > Administrators? Does the account have correct Authentication Profile configured?

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

Hello @Danny-SRNA

 

thank you for the post!

 

The best way to drill down into root cause of authentication failure is to look into logs. Please run this command from Panorama's CLI: less mp-log authd.log. Based on the logs, I would focus on next troubleshooting steps.

 

On the general note, please check below:

- In LDAP profile, is Base DN covering an AD OU where your login account is located? Are Bind DN credentials valid?

- In LDAP profile, are LDAP servers reachable? Can firewall resolve their DNS record?

- In Authentication Profile, under "Advanced" does "Allow List" has "all" configured?

- Is account you are using to authenticate to Panorama GUI, configured under: Panorama > Administrators? Does the account have correct Authentication Profile configured?

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Hi Pavel,

 

Please see my responses to your questions below

 

- In LDAP profile, is Base DN covering an AD OU where your login account is located? Are Bind DN credentials valid?

   -yes

- In LDAP profile, are LDAP servers reachable? Can firewall resolve their DNS record?

   - yes

- In Authentication Profile, under "Advanced" does "Allow List" has "all" configured?

   -yes

- Is account you are using to authenticate to Panorama GUI, configured under: Panorama > Administrators? Does the account have correct Authentication Profile configured?

   - Am I able to use AD group for this? I am trying to simplify user created and control

Cyber Elite
Cyber Elite

You can't use AD group to log into firewall or Panorama with LDAP.

If you use RADIUS and vendor specific attributes then it is possible.

With LDAP you need to specify every user by username under Administrators for login to work.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
  • 1 accepted solution
  • 1889 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!