Palo Alto LDAP and User-ID
User-ID mapping methods:
AD user agent
LDAP user agent
captive portal
TS agent
PAN client
Configure LDAP
1. Create a service account called "ldap" in the AD Managed Service Accounts OU.
2. Verify the firewall's DNS is configured with the internal AD/DNS server.
3. Verify the service route for DNS/LDAP points to the internal LAN.
4. Add an LDAP Server Profile and commit the change.
5. Verify the LDAP connection is good.
5.1 The Base DN should show up; select it.
6. Add group mapping and commit the change.
7. Verify a Security policy can use the username or groups.
Configure User-IP mapping
WinRM is recommended.
1. Enable User-ID by zone
6. Verify monitor server status is connected
Check Logs > User-ID.
Check the mapping from the CLI:
show user user-ids match-user []
show user ip-user-mapping all
Group Mapping(vsys1, type: active-directory): LDAP-Group-Mapping
Bind DN : cn=ldap,cn=users,dc=sc,dc=local
Base : dc=sc,dc=local
Group Filter: (None)
User Filter: (None)
Servers : configured 1 servers
10.0.0.10(389)
Last Action Time: 3130 secs ago(took 0 secs)
Next Action Time: In 470 secs
Number of Groups: 4
cn=contractors,cn=users,dc=sc,dc=local
cn=employees,cn=users,dc=sc,dc=local
cn=helpdesks,cn=users,dc=sc,dc=local
cn=network admins,cn=users,dc=sc,dc=local
admin@PA440-2(active)> debug user-id refresh group-mapping all
group mapping 'LDAP-Group-Mapping' in vsys1 is marked for refresh.
admin@PA440-2(active)> show user group name "cn=employees,cn=users,dc=sc,dc=local"
short name: sc\employees
source type: ldap
source: LDAP-Group-Mapping
[1 ] sc\user1
https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PLey
An Authentication Profile refers to a server profile (with an Allow List); it is then used when creating an admin account or captive portal to actually authenticate the user:
test authentication authentication-profile Auth-Profile username user1 password
Enter password :
Target vsys is not specified, user "user1" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
name "user1" is in group "all"
Authentication to LDAP server at 172.16.1.10 for user "user1"
Egress: 172.16.1.62
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
DN sent to LDAP server: CN=user1,CN=Users,DC=lab,DC=local
User expires in days: never
Authentication succeeded for user "user1"
admin@Panorama>
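The two CLI transcripts above (the group-mapping state dump and the "test authentication" run) are what an operator reads to confirm that group mapping and LDAP authentication work. The following script is an added example, not code from the page or from Palo Alto Networks: it parses both outputs and turns them into checks that can run from a scheduled job, flagging a group-mapping refresh that is older than an assumed threshold, expected AD groups that are not mapped, a mismatch between "Number of Groups" and the listed DNs, and an LDAP server on port 389 (a prompt to confirm that the server profile requires SSL/TLS, since StartTLS also uses 389). The sample text is copied from the page's own transcripts; the threshold, the expected-group list and the findings wording are assumptions.

```python
import re

# Sample CLI output, copied from the page's group-mapping state and
# 'test authentication' transcripts (constructed test input for this script).
GROUP_MAPPING_STATE = """\
Group Mapping(vsys1, type: active-directory): LDAP-Group-Mapping
Bind DN : cn=ldap,cn=users,dc=sc,dc=local
Base : dc=sc,dc=local
Group Filter: (None)
User Filter: (None)
Servers : configured 1 servers
10.0.0.10(389)
Last Action Time: 3130 secs ago(took 0 secs)
Next Action Time: In 470 secs
Number of Groups: 4
cn=contractors,cn=users,dc=sc,dc=local
cn=employees,cn=users,dc=sc,dc=local
cn=helpdesks,cn=users,dc=sc,dc=local
cn=network admins,cn=users,dc=sc,dc=local
"""

TEST_AUTH_OUTPUT = """\
name "user1" is in group "all"
Authentication to LDAP server at 172.16.1.10 for user "user1"
Egress: 172.16.1.62
Type of authentication: plaintext
Succeeded to create a session with LDAP server
DN sent to LDAP server: CN=user1,CN=Users,DC=lab,DC=local
Authentication succeeded for user "user1"
"""


def parse_group_mapping_state(text):
    """Turn the group-mapping state dump into a dict of the fields we check."""
    state = {"servers": [], "groups": []}
    patterns = {
        "bind_dn": r"Bind DN\s*:\s*(.+)",
        "base": r"Base\s*:\s*(.+)",
        "last_action_secs": r"Last Action Time:\s*(\d+) secs ago",
        "next_action_secs": r"Next Action Time:\s*In (\d+) secs",
        "group_count": r"Number of Groups:\s*(\d+)",
    }
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Group Mapping\((\w+), type: ([\w-]+)\): (.+)", line)
        if m:
            state["vsys"], state["type"], state["name"] = m.groups()
            continue
        m = re.match(r"(\d+(?:\.\d+){3})\((\d+)\)", line)  # e.g. "10.0.0.10(389)"
        if m:
            state["servers"].append((m.group(1), int(m.group(2))))
            continue
        if line.lower().startswith("cn="):  # one mapped group DN per line
            state["groups"].append(line)
            continue
        for key, pat in patterns.items():
            m = re.match(pat, line)
            if m:
                val = m.group(1).strip()
                state[key] = int(val) if val.isdigit() else val
    return state


def check_group_mapping(state, expected_groups, max_age_secs=3600):
    """Return findings an operator would act on. The threshold is an assumption."""
    findings = []
    if state.get("last_action_secs", 0) > max_age_secs:
        findings.append(f"stale: last refresh {state['last_action_secs']}s ago (> {max_age_secs}s)")
    if state.get("group_count") != len(state["groups"]):
        findings.append(f"group count {state.get('group_count')} != {len(state['groups'])} DNs listed")
    mapped = {g.lower() for g in state["groups"]}
    for dn in expected_groups:
        if dn.lower() not in mapped:
            findings.append(f"expected group not mapped: {dn}")
    for host, port in state["servers"]:
        if port == 389:  # StartTLS also uses 389, so this is a prompt to verify, not proof of cleartext
            findings.append(f"{host}:{port} is the plain LDAP port; confirm the server profile requires SSL/TLS")
    return findings


def parse_test_authentication(text):
    """Pull server, egress, bind DN, auth type and outcome out of 'test authentication' output."""
    result = {"succeeded": False}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.search(r'Authentication to LDAP server at (\S+) for user "([^"]+)"', line)
        if m:
            result["server"], result["user"] = m.groups()
        for key, pat in (("egress", r"Egress:\s*(\S+)"),
                         ("auth_type", r"Type of authentication:\s*(\S+)"),
                         ("dn", r"DN sent to LDAP server:\s*(.+)")):
            m = re.match(pat, line)
            if m:
                result[key] = m.group(1).strip()
        if line.startswith("Authentication succeeded for user"):
            result["succeeded"] = True
        elif line.startswith("Authentication failed"):
            result["succeeded"] = False
    return result


if __name__ == "__main__":
    st = parse_group_mapping_state(GROUP_MAPPING_STATE)
    for finding in check_group_mapping(st, ["cn=employees,cn=users,dc=sc,dc=local"]):
        print("FINDING:", finding)
    print(parse_test_authentication(TEST_AUTH_OUTPUT))
```

On the page's own output this reports a single finding, the 10.0.0.10:389 server, because the refresh is 3130 seconds old (under the assumed one-hour limit), the four listed DNs match "Number of Groups: 4", and the employees group is present. Feed it the output of a failed refresh or a missing group and the other findings appear; the parsed "test authentication" record gives you the egress interface, the target server and the DN the firewall bound as, which are the first things to compare against the service route and LDAP server profile when a bind fails.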