Authentication Issues with Shared LDAP Configuration over Multiple VSYS

Authentication Issues with Shared LDAP Configuration over Multiple VSYS

14853
Created On 09/26/18 13:53 PM - Last Modified 02/07/19 23:40 PM


Resolution

Symptoms

Group based rules don't match when authenticating via a shared LDAP configuration and a shared authentication profile.

 

Issue

Group information is not carried over different virtual systems which is why rules configured to allow or deny groups of users will not match in the policy

 

Resolution

Configure VSYS specific LDAP authentication profiles instead of the shared profile.

 

Note: In some cases only one vsys may be seen, though the authentication profile is still configured as a "shared" profile. This may happen in cases where the firewall was once configured as a multi vsys device, and so a shared profile was created. At a later time the multi vsys configuration was removed so though there is only one vsys. However, the authentication profile will still show as 'shared', considering it was configured when the device was set for multi sys. In such cases, make sure that the LDAP authentication profile is configured for that 1 vsys rather than a shared profile.

 

owner: yogihara



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000ClxE&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail

Attachments
Choose Language