03-31-2023 03:09 PM
Hello
I am trying to configure Panorama to use LDAP login for the UI. I've followed the article below, but I still get "invalid username and password". I've set up the authentication profile and an administrator for my AD group. Not sure why I can't get this function to work.
03-31-2023 03:54 PM
Hello @Danny-SRNA
Thank you for the post!
The best way to drill down into the root cause of an authentication failure is to look at the logs. Please run this command from Panorama's CLI: less mp-log authd.log. Based on the logs, I would decide on the next troubleshooting steps.
On a general note, please check the following:
- In the LDAP profile, does the Base DN cover the AD OU where your login account is located? Are the Bind DN credentials valid?
- In the LDAP profile, are the LDAP servers reachable? Can the firewall resolve their DNS records?
- In the Authentication Profile, under "Advanced", does the "Allow List" have "all" configured?
- Is the account you are using to authenticate to the Panorama GUI configured under Panorama > Administrators? Does that account have the correct Authentication Profile configured?
Kind Regards
Pavel
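The checklist above can be replayed from an admin workstation before touching the Panorama config, so each step (DNS, reachability, Bind DN credentials, Base DN coverage, the user's own password) fails or passes on its own. The script below is an example added to this thread, not Pavel's code and not Palo Alto Networks code. It assumes the third-party ldap3 package for the LDAP steps (the DNS/TCP/filter helpers are standard library only), and the hostnames, DNs and account names in the usage block are placeholders. The search filter mirrors an LDAP profile whose Login Attribute is sAMAccountName, and it escapes the username per RFC 4515 so a crafted login name cannot rewrite the filter.

```python
"""Replay the LDAP steps Panorama performs for an administrator login:
resolve the server, reach it, bind with the Bind DN, find the user under
the Base DN, then bind as that user. Example code for this thread, not
Palo Alto Networks code. The ldap3 package and all DNs/hosts are assumptions."""
import socket
import ssl
from typing import Dict, List, Optional

# RFC 4515 escapes: a typed username must not be able to alter the filter
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before interpolating it into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(username: str, login_attribute: str = "sAMAccountName") -> str:
    """Filter equivalent to an LDAP profile whose Login Attribute is sAMAccountName."""
    return f"(&(objectClass=user)({login_attribute}={escape_filter_value(username)}))"


def check_dns(host: str) -> List[str]:
    """Addresses the LDAP server name resolves to; [] when it does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def check_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP connection to the LDAP port succeeds (reachability)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ldap_login(host: str, port: int, bind_dn: str, bind_password: str,
                     base_dn: str, username: str, password: str,
                     use_ssl: bool = True, ca_file: Optional[str] = None) -> Dict[str, str]:
    """Bind DN -> search user under Base DN -> bind as the user. Each step is
    reported separately. Requires ldap3 (assumption); imported here so the
    helpers above stay usable without it."""
    from ldap3 import NONE, Connection, Server, Tls
    from ldap3.core.exceptions import LDAPException

    # ldap3 does not validate the server certificate unless told to; on LDAPS
    # pass the CA bundle so a spoofed LDAP server cannot harvest the Bind DN.
    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file) if ca_file else None
    server = Server(host, port=port, use_ssl=use_ssl, tls=tls, get_info=NONE)
    report: Dict[str, str] = {}
    try:
        svc = Connection(server, user=bind_dn, password=bind_password, auto_bind=True)
    except LDAPException as exc:
        report["bind_dn"] = f"FAIL: {exc}"          # wrong Bind DN or password
        return report
    report["bind_dn"] = "ok"

    svc.search(base_dn, user_filter(username), attributes=["memberOf"])
    hits = [r for r in svc.response if r.get("type") == "searchResEntry"]
    if len(hits) != 1:                                # Base DN does not cover the user's OU
        report["user_search"] = f"FAIL: {len(hits)} entries for {username} under {base_dn}"
        svc.unbind()
        return report
    user_dn = hits[0]["dn"]
    report["user_search"] = f"ok: {user_dn}"
    # Shown for information only: with an LDAP profile Panorama does not map
    # admins by group, so the user must still exist under Panorama > Administrators.
    report["groups"] = "; ".join(hits[0]["attributes"].get("memberOf", [])) or "(none)"
    svc.unbind()

    try:
        Connection(server, user=user_dn, password=password, auto_bind=True).unbind()
        report["user_bind"] = "ok"
    except LDAPException as exc:
        report["user_bind"] = f"FAIL: {exc}"        # bad password, locked or expired account
    return report


if __name__ == "__main__":
    import getpass
    # Placeholder values (assumptions); replace with the LDAP profile's settings.
    HOST, PORT = "dc01.corp.example", 636
    BASE_DN = "OU=Admins,DC=corp,DC=example"
    BIND_DN = "CN=svc-panorama,OU=Service Accounts,DC=corp,DC=example"
    print("dns:", check_dns(HOST) or "FAIL")
    print("tcp:", "ok" if check_tcp(HOST, PORT) else "FAIL")
    result = check_ldap_login(HOST, PORT, BIND_DN, getpass.getpass("Bind DN password: "),
                              BASE_DN, input("Admin username: "),
                              getpass.getpass("Admin password: "))
    for step, outcome in result.items():
        print(f"{step}: {outcome}")
```

If bind_dn fails, the Bind DN or its password in the LDAP profile is wrong; if user_search returns 0 entries, the Base DN is above the wrong OU or the Login Attribute does not match; if user_bind fails while the search succeeded, the problem is the user's own credentials or account state, not the profile. Whatever this script reports, authd.log on Panorama remains the authoritative record of what the appliance itself saw.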
04-03-2023 10:01 AM
Hi Pavel,
Please see my responses to your questions below.
- In the LDAP profile, does the Base DN cover the AD OU where your login account is located? Are the Bind DN credentials valid?
- Yes
- In the LDAP profile, are the LDAP servers reachable? Can the firewall resolve their DNS records?
- Yes
- In the Authentication Profile, under "Advanced", does the "Allow List" have "all" configured?
- Yes
- Is the account you are using to authenticate to the Panorama GUI configured under Panorama > Administrators? Does that account have the correct Authentication Profile configured?
- Am I able to use an AD group for this? I am trying to simplify user creation and control.
04-03-2023 10:17 AM
You can't use an AD group to log in to the firewall or Panorama with LDAP.
If you use RADIUS and vendor-specific attributes, then it is possible.
With LDAP you need to specify every user by username under Administrators for login to work.