Using LDAP Server Profile to Authenticate to the PAN-OS Web UI

100856
Created On 09/25/18 17:36 PM - Last Modified 04/22/24 19:10 PM


Environment


  • Palo Alto Networks Firewall
  • Any PAN-OS
  • LDAP Server Profile


Resolution


Overview

This article provides the steps to configure LDAP for authentication to the PAN-OS Web UI.


Steps

  1. Create an LDAP Server Profile so the firewall can bind to the directory and query the LDAP tree.
    1. Device tab (or Panorama tab if on Panorama) > Click LDAP under Server Profiles > Click Add.
    2. Port and SSL must agree. If the Server port is left at 389, uncheck SSL. If the LDAP server accepts LDAP over SSL/TLS, leave SSL checked and change the Server port to 636. Prefer 636: on 389 the Bind DN password and every administrator's login password cross the network in cleartext.
    3. Domain – Leave the domain field blank unless the firewall is deployed in a multi-domain environment.
    4. Base – The level of the LDAP tree at which queries start. Any user at or below that point can be found by the firewall; users outside that subtree cannot log in.
    5. Bind DN – The distinguished name of an account that has permission to read (query) the LDAP tree.
    6. This example binds with the built-in Administrator account. Do not do this in production: create a dedicated, read-only service account used only by the firewall. The Bind DN password is kept in the firewall configuration, so the account it unlocks should carry as little privilege as possible.

      [Screenshot: 1.png]

  2. Create an Authentication Profile that uses the newly created LDAP server profile.
    1. Device tab (or Panorama tab if on Panorama) > Click Authentication Profile > Click Add.
    2. Set Type to LDAP, choose the server profile created in the previous step, and set Login Attribute to “sAMAccountName” for Active Directory (other LDAP directories typically use “uid”). Enter it exactly as shown; it is case-sensitive.
    3. In this example the allow list is set to all, which admits any user in the LDAP tree who also has a local administrator entry. The list can be limited to specific users or groups if desired.

      [Screenshot: 2.png]

  3. Assign the new Authentication Profile to administrator accounts to grant administrative access to the Palo Alto Networks Web UI and CLI.
    1. Create an administrator account (e.g. newbie7) on the Palo Alto Networks device.
    2. Device tab (or Panorama tab if on Panorama) > Administrators > Click Add.
    3. From the Authentication Profile drop-down, choose the LDAP Authentication Profile created in the previous step.
    4. Ensure the administrator's name exactly matches the user's Login Attribute value (sAMAccountName) in the LDAP server.
    5. (Mandatory step) LDAP only verifies the password; the role and privileges come from the local administrator entry. Without a local entry for that name the firewall cannot determine a role and the login is refused. For instance, newbie7 should have Superuser rights, and newbie1 should have Superuser (read-only) rights.
    6. Naming the users individually is more secure than referencing an AD group: anyone with sufficient AD privileges could add themselves to the group and thereby obtain superuser access to the firewalls. Keeping the mapping on the firewall keeps the authorization decision inside the firewall's own trust boundary.
      [Screenshot: 3.png]
      NOTE: As an alternative to configuring each administrator separately, you can use a RADIUS server with a RADIUS authentication profile to allow management by AD groups.

  4. Commit.
  5. Log out of the current Web UI session and log in with the administrator account created above, which also exists in the LDAP tree. Keep at least one local administrator account with a local password as a fallback in case the LDAP server is unreachable or the profile is misconfigured.
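The three steps above can be sanity-checked before the commit. The Python below is an added example written for this page; it is not code from the article or from Palo Alto Networks. It models the LDAP server profile, the authentication profile and the local administrator entries as plain data, flags the inconsistencies the steps warn about (SSL/port mismatch, cleartext LDAP, a privileged Bind DN, wrong login-attribute case, an open allow list), shows that the role is resolved from the local administrator table rather than from LDAP, and builds an ldapsearch command (OpenLDAP client tools assumed) to confirm the Bind DN, Base and sAMAccountName lookup outside the firewall. All hostnames, DNs and account names are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from shlex import quote


@dataclass
class LdapServerProfile:
    name: str
    servers: list[tuple[str, int]]   # (host, port) pairs as entered in the profile
    ssl: bool                        # the "SSL" checkbox
    base: str                        # Base DN where searches start
    bind_dn: str                     # account used to read the tree
    domain: str = ""                 # normally blank outside multi-domain forests
    ldap_type: str = "active-directory"


@dataclass
class AuthProfile:
    name: str
    server_profile: LdapServerProfile
    login_attribute: str             # must match the directory attribute exactly
    allow_list: list[str]            # ["all"] or explicit user / group names


@dataclass
class LocalAdmin:
    name: str                        # must equal the directory's login_attribute value
    auth_profile: str
    role: str                        # e.g. "superuser", "superreader" (read-only)


EXPECTED_LOGIN_ATTR = {"active-directory": "sAMAccountName", "other": "uid"}
# Heuristic list of built-in privileged RDNs that should never be a Bind DN (assumption).
PRIVILEGED_BIND_RDNS = {"cn=administrator", "cn=domain admins"}


def check_server_profile(p: LdapServerProfile) -> list[str]:
    """Return human-readable findings for step 1 (empty list means clean)."""
    findings = []
    for host, port in p.servers:
        if port == 389 and p.ssl:
            findings.append(f"{host}: SSL is checked but port is 389; uncheck SSL or use 636")
        if port == 636 and not p.ssl:
            findings.append(f"{host}: port 636 expects TLS but SSL is unchecked")
        if not p.ssl:
            findings.append(f"{host}: cleartext LDAP; bind and admin passwords cross the network unencrypted")
    first_rdn = p.bind_dn.split(",", 1)[0].strip().lower()
    if first_rdn in PRIVILEGED_BIND_RDNS:
        findings.append("bind DN is a privileged built-in account; use a dedicated read-only service account")
    if "dc=" not in p.base.lower():
        findings.append("base DN does not look like a directory path (expected e.g. DC=corp,DC=example)")
    return findings


def check_auth_profile(a: AuthProfile) -> list[str]:
    """Findings for step 2: login attribute (case matters) and allow list."""
    findings = []
    want = EXPECTED_LOGIN_ATTR.get(a.server_profile.ldap_type)
    if want and a.login_attribute != want:
        findings.append(f"login attribute {a.login_attribute!r} differs from {want!r} (exact case matters)")
    if a.allow_list == ["all"]:
        findings.append("allow list is 'all'; anyone in the tree with a local administrator entry can log in")
    return findings


def resolve_admin(admins: list[LocalAdmin], auth_profile: str, username: str) -> str | None:
    """Step 3: LDAP only answers 'is the password right?'. The role comes from
    the local administrator entry; no entry means no role, so the login is refused."""
    for a in admins:
        if a.name == username and a.auth_profile == auth_profile:
            return a.role
    return None


def ldapsearch_command(p: LdapServerProfile, a: AuthProfile, username: str) -> str:
    """Build an ldapsearch (OpenLDAP client) command that exercises the same
    bind, base and login-attribute lookup the firewall will perform."""
    host, port = p.servers[0]
    scheme = "ldaps" if p.ssl else "ldap"
    return " ".join([
        "ldapsearch", "-x", "-H", f"{scheme}://{host}:{port}",
        "-D", quote(p.bind_dn), "-W", "-b", quote(p.base),
        quote(f"({a.login_attribute}={username})"), "dn", "memberOf",
    ])


# Constructed sample data mirroring the article's steps (all names are assumptions).
LAB_LDAP = LdapServerProfile(
    name="corp-ldap", servers=[("dc1.corp.example", 636)], ssl=True,
    base="DC=corp,DC=example",
    bind_dn="CN=svc-panldap,OU=Service Accounts,DC=corp,DC=example",
)
LAB_AUTH = AuthProfile("corp-ldap-auth", LAB_LDAP, "sAMAccountName", ["all"])
LAB_ADMINS = [
    LocalAdmin("newbie7", "corp-ldap-auth", "superuser"),
    LocalAdmin("newbie1", "corp-ldap-auth", "superreader"),
]
# The weak variant from the article: port 389 with SSL ticked, bound as Administrator.
WEAK_LDAP = LdapServerProfile(
    name="weak", servers=[("dc1.corp.example", 389)], ssl=True,
    base="DC=corp,DC=example", bind_dn="CN=Administrator,CN=Users,DC=corp,DC=example",
)

if __name__ == "__main__":
    for f in check_server_profile(WEAK_LDAP) + check_auth_profile(LAB_AUTH):
        print("-", f)
    for user in ("newbie7", "newbie1", "nobody"):
        print(user, "->", resolve_admin(LAB_ADMINS, "corp-ldap-auth", user))
    print(ldapsearch_command(LAB_LDAP, LAB_AUTH, "newbie7"))
```

Run the printed ldapsearch command from a host that can reach the domain controller; if it returns the user's DN, the Bind DN, Base and login attribute the firewall will use are correct, and a failure there is a directory problem rather than a PAN-OS one.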

owner: jseals



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGuCAK&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail