LDAP Authentication Fails When Using a User-ID Service Route

Created On 09/25/18 18:50 PM - Last Modified 06/02/23 03:41 AM


Issue

With the Service Route for the User-ID Agent configured, as shown below, LDAP authentication does not use that service route and still tries to connect to the LDAP server from the management interface.

[Screenshot: Service Route Configuration with the User-ID Agent service route set]

Cause

The Palo Alto Networks firewall does not support application-based service routes for LDAP-based authentication.

Note: Group mapping, however, does use the configured User-ID Agent service route to communicate with LDAP, because group mapping is part of User-ID.

Resolution

To use a service route for LDAP authentication, configure a destination-based service route (Device > Setup > Service Route Configuration) for the LDAP server address, as shown below:

[Screenshot: destination-based service route for the LDAP server]

If this destination-based service route is not configured and the management interface is unable to connect to the LDAP server, the following error messages appear in the authd.log file (the first server fails, authd moves on to the other hosts, and each remaining server entry is skipped):

Oct 18 00:28:23 pan_authd_authenticate_service(pan_authd.c:686): authentication failed (6)
Oct 18 00:28:23 Authenticating user using service /etc/pam.d/pan_ldap_vsys1_ldap_0,username USERNAME failed - trying other hosts
Oct 18 00:28:23 pan_authd_common_authenticate(pan_authd.c:1672): Skipping LDAP server due to missing Auth-Profile: pan_ldap_vsys1_ldap_1
Oct 18 00:28:23 pan_authd_common_authenticate(pan_authd.c:1672): Skipping LDAP server due to missing Auth-Profile: pan_ldap_vsys1_ldap_2
Oct 18 00:28:23 pan_authd_common_authenticate(pan_authd.c:1672): Skipping LDAP server due to missing Auth-Profile: pan_ldap_vsys1_ldap_3
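To recognise this failure pattern in an exported authd.log rather than reading it by eye, the following Python script is an added example; it is not Palo Alto Networks code and not part of the original article. It parses the three message shapes quoted above (the message formats and the sample text are copied from the excerpt; the dataclass, regexes and function names are this example's own) and flags the case where the first LDAP server fails and every remaining server entry is skipped, which is what an LDAP server unreachable from the management interface looks like in that log.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the authd.log excerpt quoted in the article above, verbatim.
SAMPLE_AUTHD_LOG = """\
Oct 18 00:28:23 pan_authd_authenticate_service(pan_authd.c:686): authentication failed (6)
Oct 18 00:28:23 Authenticating user using service /etc/pam.d/pan_ldap_vsys1_ldap_0,username USERNAME failed - trying other hosts
Oct 18 00:28:23 pan_authd_common_authenticate(pan_authd.c:1672): Skipping LDAP server due to missing Auth-Profile: pan_ldap_vsys1_ldap_1
Oct 18 00:28:23 pan_authd_common_authenticate(pan_authd.c:1672): Skipping LDAP server due to missing Auth-Profile: pan_ldap_vsys1_ldap_2
Oct 18 00:28:23 pan_authd_common_authenticate(pan_authd.c:1672): Skipping LDAP server due to missing Auth-Profile: pan_ldap_vsys1_ldap_3
"""

# Syslog-style prefix "Mon DD HH:MM:SS " followed by the authd message.
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<msg>.+)$")
# The three message shapes that appear in the excerpt above.
AUTH_FAILED_RE = re.compile(r"authentication failed \((?P<code>\d+)\)")
TRYING_OTHER_RE = re.compile(
    r"using service (?P<service>[^,\s]+),username (?P<user>\S+) failed - trying other hosts"
)
SKIPPED_RE = re.compile(r"Skipping LDAP server due to missing Auth-Profile: (?P<profile>\S+)")


@dataclass
class LdapAuthDiagnosis:
    """What the parser recovered from one authd.log excerpt (hypothetical structure)."""
    failure_codes: List[int] = field(default_factory=list)     # the "(6)" in the first line
    failed_services: List[str] = field(default_factory=list)   # PAM service of the host that failed
    users: List[str] = field(default_factory=list)             # user being authenticated
    skipped_profiles: List[str] = field(default_factory=list)  # remaining server entries authd skipped
    unparsed: List[str] = field(default_factory=list)          # lines matching none of the shapes

    @property
    def all_hosts_unreachable(self) -> bool:
        # The article's signature: one server failed, authd moved on ("trying other
        # hosts"), and every remaining server entry was skipped, so no host answered.
        return bool(self.failed_services) and bool(self.skipped_profiles)


def parse_authd_log(text: str) -> LdapAuthDiagnosis:
    """Classify each authd.log line into one of the shapes shown in the excerpt."""
    diag = LdapAuthDiagnosis()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        msg = m.group("msg") if m else line  # tolerate lines without a timestamp prefix
        if (hit := AUTH_FAILED_RE.search(msg)):
            diag.failure_codes.append(int(hit.group("code")))
        elif (hit := TRYING_OTHER_RE.search(msg)):
            diag.failed_services.append(hit.group("service"))
            diag.users.append(hit.group("user"))
        elif (hit := SKIPPED_RE.search(msg)):
            diag.skipped_profiles.append(hit.group("profile"))
        else:
            diag.unparsed.append(msg)
    return diag


def summarize(diag: LdapAuthDiagnosis) -> str:
    """One-line verdict suitable for a ticket note or a monitoring alert."""
    if diag.all_hosts_unreachable:
        return (
            f"LDAP auth failed for {', '.join(diag.users) or 'unknown user'}: "
            f"{diag.failed_services[0]} failed, {len(diag.skipped_profiles)} further "
            "server entries skipped. Check that a destination-based service route "
            "exists for the LDAP server (Device > Setup > Service Route Configuration)."
        )
    return "No all-hosts-unreachable LDAP pattern found."


if __name__ == "__main__":
    print(summarize(parse_authd_log(SAMPLE_AUTHD_LOG)))
```

Run it against a saved copy of authd.log (for example, `parse_authd_log(open("authd.log").read())`); the `unparsed` list shows which lines the three patterns did not cover, which is the first thing to inspect when the verdict is unexpected.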


owner: rvanderveken


