Using LDAP to Authenticate to the Web UI
Created On 09/25/18 17:36 PM - Last Updated 02/07/19 23:56 PM
This article provides the steps to configure LDAP for authentication to the Web UI.
- Create an LDAP Server Profile so the firewall can communicate and query the LDAP tree.
- Device tab (or Panorama tab if on Panorama) > Click LDAP under Server Profiles > Click Add.
- Be sure to uncheck SSL, if leaving the port as 389. If the LDAP server is configured to do LDAP over SSL, leave the box checked and change the Server port to 636.
- Domain – Leave the domain field blank unless the firewall is being installed in a multi-domain environment.
- Base – Level of the LDAP tree at which the queries will start. Any user from that point and on will be accessible by the PAN.
- Bind DN – This is the path to a user who has permissions to query the LDAP tree.
- Create an Authentication Profile using the newly created LDAP server.
- Device tab (or Panorama tab if on Panorama) > Click Authentication Profile > Click Add.
- Authentication will be LDAP, choose the server profile created in the previous step, and ensure Login Attribute is “sAMAccountName”. It’s case sensitive.
- In this example, the allow list enables all users. The list can be limited if desired.
- Create an Administrator account on the Palo Alto Networks Device.
- Device tab (or Panorama tab if on Panorama) > Administrators > Click Add.
- From the Authentication Profile drop-down, choose the LDAP Authentication Profile created in the last step.
- Ensure the name of the administrator matches the name of the user in the LDAP server.
- Log out of the current Web UI session and try the login using the administrator account created wihich is also in the LDAP tree.