Here are a few things you can check at the command line.

First check to make sure the group in question is recognized by the firewall:

    admin@PA-200> show user group list

    cn=vpn-users,ou=groups,dc=panlab,dc=local

    Total: 1
    admin@PA-200>

Next, make sure the user you are trying to authenticate with is in that group:

    admin@PA-200> show user group name "cn=vpn-users,ou=groups,dc=panlab,dc=local"

    source type: service
    source:      panlab-389LDAP

    [1     ] panlab.local\chadd

    admin@PA-200>

As you can see in the output of the last command, domain\user is what the firewall is looking for.

The important parts of the configuration for groups to work correctly are as follows:

Device->LDAP->your-ldap-profile: If your LDAP server requires the domain\user login method, you can configure the domain in your profile. If not, then leave that field blank (try it both ways).

Device->User Identification->Group Mapping Settings->Server Profile->your-group-mapping-profile: In 4.1 and later the firewall does the group mapping, so this is where you configure that. Make sure that these settings match your LDAP install.

Device->User Identification->Group Mapping Settings->Group Include List: This is an LDAP filter. This is used to restrict the LDAP search to these groups. It is different than the allow list in your authentication profile - this is a filter, not an ACL. That being said, if you filter out the group you are trying to authenticate to, it obviously won't work.

Some things you need to be aware of:

There is a delay between the time you add/remove a user to/from a group and when the authentication works. You can speed up the process by using the following commands:

    admin@PA-200> debug user-id reset group-mapping
      all               all
      panlab-389LDAP    panlab-389LDAP
      <value>           group mapping to reset

This command is helpful if you want to get the groups to clear from the firewall and have them rediscovered.

    admin@PA-200> debug user-id refresh group-mapping all
    admin@PA-200>

This command can be run to cause the firewall to pull the new mappings since the last time the process ran (delta).

If none of the above helps you resolve the issue, it would be great to do a packet capture between your PA and your LDAP server. Open the pcap in a program like Wireshark and filter for ldap (type ldap in the filter and hit enter). Look for the ldap requests and ldap responses. Make sure that when you attempt to authenticate, the firewall sends an ldap request to the LDAP server. If it does not, make sure that your Device->Setup->Services->Service Route Configuration is set up correctly. If it does send a request, make sure it is correct, and that you get a valid response. In version 5.x or greater of PAN-OS, you can use tcpdump at the command line to capture this traffic - although, it is best if you scp export the pcap off the box and inspect it with a program like Wireshark.

All that being said, please open a case with support if you continue to have trouble.

Good luck.

-chadd.
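The post's key observation is that the firewall keys group membership on the domain\user form shown by "show user group name". As an added example (not part of the original post, and not Palo Alto Networks code), the Python below parses that command's output and reports whether a given login matches a listed member, distinguishing a bare username, a wrong domain string, and a user who simply is not in the group. The sample output is constructed from the post; lower-casing both sides before comparison is an assumption about how to compare the two strings, not documented firewall behaviour.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `show user group name "<dn>"` output, modelled on the post
# (the second member is invented for illustration).
SAMPLE_OUTPUT = """\
source type: service
source:      panlab-389LDAP

[1     ] panlab.local\\chadd
[2     ] panlab.local\\alice
"""

# Member lines look like "[1     ] panlab.local\chadd": an index in brackets, then the name.
MEMBER_RE = re.compile(r"^\[\s*\d+\s*\]\s+(?P<member>\S+)\s*$")


def parse_group_output(text: str) -> Dict[str, object]:
    """Extract the source type, the source (LDAP profile name) and the member list."""
    info: Dict[str, object] = {"source_type": None, "source": None, "members": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("source type:"):
            info["source_type"] = line.split(":", 1)[1].strip()
        elif line.startswith("source:"):
            info["source"] = line.split(":", 1)[1].strip()
        else:
            m = MEMBER_RE.match(line)
            if m:
                info["members"].append(m.group("member"))
    return info


def split_login(login: str) -> Tuple[Optional[str], str]:
    """Split 'domain\\user' into (domain, user); a bare 'user' gets domain None.
    Lower-casing is an assumption made here for a case-insensitive comparison."""
    if "\\" in login:
        domain, user = login.split("\\", 1)
        return domain.lower(), user.lower()
    return None, login.lower()


def check_login(login: str, members: List[str]) -> str:
    """Classify how a login string relates to the firewall's member list.

    Returns one of:
      'match'           - login is exactly a listed domain\\user
      'no-domain'       - the user exists but the login omitted the domain
      'domain-mismatch' - the user exists but under a different domain string
      'not-member'      - no listed member has that username
    """
    login_domain, login_user = split_login(login)
    for member in members:
        member_domain, member_user = split_login(member)
        if member_user != login_user:
            continue
        if login_domain == member_domain:
            return "match"
        if login_domain is None:
            return "no-domain"
        return "domain-mismatch"
    return "not-member"


if __name__ == "__main__":
    parsed = parse_group_output(SAMPLE_OUTPUT)
    print("group source:", parsed["source"], "members:", parsed["members"])
    for candidate in ["panlab.local\\chadd", "chadd", "PANLAB\\chadd", "bob"]:
        print(f"{candidate!r:24} -> {check_login(candidate, parsed['members'])}")
```

Run against real output pasted from the firewall, a "no-domain" or "domain-mismatch" result points at the LDAP profile's domain setting the post mentions (try it with and without the domain), while "not-member" points at the group mapping itself or the refresh delay.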