Problem with LDAP group usage in Authentication Profile

Hi.

I have a strange issue with LDAP groups in our PA-5220 setup.

Our setup is two HA clusters, each containing two PA-5220s. All of the devices are fully managed using Panorama. All of the firewalls are running 9.0.5, and Panorama is also on version 9.0.5.

The configuration looks like this: I have configured an LDAP server object with all of our AD domain controllers and set the "Base DN" to the root of the domain. I have created a "Group mapping" containing a group for testing. I have created an "LDAP Authentication Profile" targeting the LDAP server configured earlier.

The problem is that the LDAP authentication only works if I have the "Allow list" set to "All". If I specify the AD group, either using the NetBIOS name/short name or the full DN, authentication fails.

If I list the users in the group from the console using "show user group name", all expected users are listed. If I test the Authentication Profile using the command "test authentication authentication-profile", it works when the allow list is set to All, but not if an LDAP group is specified. The test fails on "Do allow list check before sending out authentication request".

I have checked all of the KB articles I have been able to find and made sure that I, for instance, have all the LDAP paths in lower case. I have compared it with another device with a working configuration at another company, and except for the paths and server names, everything is more or less the same.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClizCAC

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloqCAC

What could be causing this issue? What to check next?

Best regards,
Johan Christensson