Duo Authentication Proxy does not work with PAN-OS 8.1.7 or above

Created On 04/29/20 20:24 PM - Last Modified 06/30/20 21:07 PM


Symptom
  • After upgrading PAN-OS to 8.1.7 or above, administrators cannot log in to the firewall when authenticating against an LDAP authentication server that is actually a Duo Authentication Proxy service.
  • When an admin attempts to log in to the firewall, they receive a Duo Push; after they approve it, the username and password fields of the login screen are cleared and the page reports "invalid username and password."
  • The firewall's system log reports that the LDAP auth server is down, although it is reachable.


Environment
  • PAN-OS: 8.1.7 or above.
  • Palo Alto Firewall.
  • Authentication server that hosts Duo Authentication Proxy service.
  • Protocol: LDAP.


Cause
  • This behaviour is caused by a proactive fix added to the LDAP authentication code in PAN-OS 8.1.7.
  • Per the LDAP protocol, once the bind as the specific user being authenticated has completed, the client can bind back to binddn/bindpw on the same connection for subsequent LDAP operations.
  • Prior to 8.1.7, after authenticating an end user (searching for the user's DN and binding with the user's password), authd made ONE bind back to binddn/bindpw but did not check whether it succeeded. It simply returned the end user's auth success/failure to the upper-level process, as the last line of the logs below shows.
Authd logs (before 8.1.7):
debug: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1203): User "test.user" is ACCEPTED (msgid = 4, LDAPp=0x13b2820)
debug: _get_AD_passwd_exp_in_days(pan_authd_shared_ldap.c:86): userAccountControl = 512 (not never expire)
debug: _get_AD_passwd_exp_in_days(pan_authd_shared_ldap.c:95): Password doesn't expire for "test.user" by maxPwdAge
debug: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1235): Got user expire-in-days: -1 (-1 means no expiration), passwd_exp in auth profile: 7
debug: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1279): binding back to binddn: cn=***********,ou=*********,ou=********,dc=*********,dc=***
debug: pan_authd_ldap_bind(pan_authd_shared_ldap.c:614): binding with binddn cn=***********,ou=*********,ou=********,dc=*********,dc=***
Error:  _get_ldap_result(pan_authd_shared_ldap.c:569): ldap op failed Can't contact LDAP server
Error:  pan_authd_ldap_bind(pan_authd_shared_ldap.c:629): failed to get ldap result 
Error:  pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1282): Failed to rebind, get out
debug: pan_auth_response_process(pan_auth_state_engine.c:4271): auth status: auth success
 
  • From 8.1.7, after authenticating an end user (searching for the user's DN and binding with the user's password), authd attempts the bind back to binddn/bindpw up to THREE times until one succeeds, to tolerate an unstable network. If all three attempts fail, authd returns "need to reconnect to LDAP server" to the upper level and treats the connection as unusable; the firewall then enters a 60-second retry interval and logs the server as down, as shown below.
Authd logs (8.1.7 and later):
debug: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1232): User "test.user" is ACCEPTED (msgid = 4, LDAPp=0x1db04e0)
debug: _get_AD_passwd_exp_in_days(pan_authd_shared_ldap.c:88): userAccountControl = 512 (not never expire)
debug: _get_AD_passwd_exp_in_days(pan_authd_shared_ldap.c:136): pwdlastset: 13197988228 seconds since January 1, 1601 (UTC)
debug: _get_AD_passwd_exp_in_days(pan_authd_shared_ldap.c:155): AD pwd expires in days 37 (max 255 warning limit)
debug: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1264): Got user expire-in-days: -1 (-1 means no expiration), passwd_exp in auth profile: 7
debug: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1312): binding back to binddn: cn=***********,ou=*********,ou=********,dc=*********,dc=***
debug: pan_authd_ldap_bind(pan_authd_shared_ldap.c:630): binding with binddn binding back to binddn: cn=***********,ou=*********,ou=********,dc=*********,dc=***
Error:  _get_ldap_result(pan_authd_shared_ldap.c:585): ldap op failed Can't contact LDAP server
Error:  pan_authd_ldap_bind(pan_authd_shared_ldap.c:645): failed to get ldap result 
Error:  pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1315): Failed to rebind back to binddn (Try 1)
debug: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1312): binding back to binddn: binding back to binddn: cn=***********,ou=*********,ou=********,dc=*********,dc=***
debug: pan_authd_ldap_bind(pan_authd_shared_ldap.c:630): binding with binddn binding back to binddn: cn=***********,ou=*********,ou=********,dc=*********,dc=***
Error:  pan_authd_ldap_bind(pan_authd_shared_ldap.c:639): Failed to bind ldap (Can't contact LDAP server)
Error:  pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1315): Failed to rebind back to binddn (Try 2)
debug: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1312): binding back to binddn: binding back to binddn: cn=***********,ou=*********,ou=********,dc=*********,dc=***
debug: pan_authd_ldap_bind(pan_authd_shared_ldap.c:630): binding with binddn binding back to binddn: cn=***********,ou=*********,ou=********,dc=*********,dc=***
Error:  pan_authd_ldap_bind(pan_authd_shared_ldap.c:639): Failed to bind ldap (Can't contact LDAP server)
Error:  pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1315): Failed to rebind back to binddn (Try 3)
Error:  _generate_bind_back_to_binddn_fail_log(pan_authd_shared_ldap.c:1043): 3 tries to bind back to binddn failed: basedn: DC=*********,DC=*** ; binddn: cn=***********,
ou=*********,ou=********,dc=*********,dc=*** ; bind_timelimit 30 ; ip: 192.168.43.29 ; uri: ldap://192.168.43.29:389
Error:  _start_sync_auth(pan_auth_service_handle.c:603): LDAP auth: "Can't contact LDAP server" against 192.168.43.29:389 with 0th VOIDp=0x1db04e0
Error:  _start_sync_auth(pan_auth_service_handle.c:606): -> enter into retry interval (wait for 60 sec)
LDAP auth server 192.168.43.29 is down !!!
 
  • By default, the Duo Authentication Proxy does not support binding back to binddn/bindpw on the same connection after the user has been authenticated. The bind-back therefore fails, authd treats the LDAP server as unreachable, and admin authentication fails even though the user's own bind (and the Duo Push) was accepted.


Resolution
Either of the following resolves the issue:
  1. Per the LDAP protocol, binding back to binddn/bindpw can be done as many times as needed within a connection, so the change has to be made on the Duo side. This is achieved by applying configuration changes to the Duo Authentication Proxy config file; contact Duo support for the details of these changes.
  2. Use RADIUS instead of LDAP between the firewall and the Duo Authentication Proxy service.


Additional Information
What is binding back to binddn/bindpw?
  • During the initial LDAP connection between the firewall and the LDAP auth server, authd BINDs using binddn/bindpw. This BIND operation authenticates the firewall to the directory server and establishes the authorization identity used for subsequent operations (such as searching for a user's DN).
  • When a user provides LDAP credentials, authd authenticates the end user by searching for the user's DN and then binding with that DN and the user's password; the LDAP auth server responds with success or failure.
  • After the user is authenticated, authd binds back to binddn/bindpw on the same connection.
  • This lets authd keep one LDAP connection open and reuse it for millions of authentications, giving high throughput.
  • If binding back to binddn/bindpw were not part of the authd code, authd would have to open a new LDAP connection for each authentication and tear it down afterwards.
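The following script is an added example, not PAN-OS or Duo code. It reproduces the bind sequence described in the Cause and Additional Information sections (bind as binddn, bind as the user, bind back to binddn; one unchecked bind-back before 8.1.7, up to three checked tries from 8.1.7) with a stdlib-only LDAP simple-bind encoder, so that a practitioner can point it at a real LDAP endpoint and see whether the bind-back is accepted. The user-DN search step is omitted (the user DN is passed in), the DNs and passwords are constructed, and the two fake transports are constructed models: FakeDirectory services every bind, FakeDuoLikeProxy stops servicing binds once a user bind has been answered, which is the behaviour the authd logs above show.

```python
# Added example, not PAN-OS or Duo code: authd's LDAP bind sequence (bind binddn
# -> bind user -> bind back to binddn) over a minimal RFC 4511 simple-bind codec.
# The user-DN search is omitted; DNs, passwords and fake transports are constructed.
import socket


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _int(n: int) -> bytes:
    """Minimal two's-complement encoding of a non-negative INTEGER/ENUMERATED."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    op = _tlv(0x60, _tlv(0x02, _int(3)) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _tlv(0x02, _int(msg_id)) + op)


def bind_response(msg_id: int, result_code: int) -> bytes:
    """BindResponse [APPLICATION 1]: resultCode ENUMERATED, empty matchedDN/diagnosticMessage."""
    op = _tlv(0x61, _tlv(0x0A, _int(result_code)) + _tlv(0x04, b"") + _tlv(0x04, b""))
    return _tlv(0x30, _tlv(0x02, _int(msg_id)) + op)


def bind_result_code(msg: bytes) -> int:
    _, body, _ = _read_tlv(msg, 0)
    _, _, p = _read_tlv(body, 0)             # skip messageID
    tag, op, _ = _read_tlv(body, p)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, _ = _read_tlv(op, 0)
    return int.from_bytes(code, "big")


def _parse_bind(req: bytes):
    _, body, _ = _read_tlv(req, 0)
    _, mid, p = _read_tlv(body, 0)
    _, op, _ = _read_tlv(body, p)
    _, _, p = _read_tlv(op, 0)               # version
    _, dn, p = _read_tlv(op, p)
    _, pw, _ = _read_tlv(op, p)
    return int.from_bytes(mid, "big"), dn.decode(), pw.decode()


class SocketTransport:
    """Real transport: plain LDAP over TCP, for diagnostics only (no TLS)."""
    def __init__(self, host: str, port: int = 389, timeout: float = 30):
        self.sock = socket.create_connection((host, port), timeout)

    def exchange(self, req: bytes) -> bytes:
        self.sock.sendall(req)
        data = self.sock.recv(4096)          # a BindResponse fits in one read
        if not data:
            raise ConnectionError("Can't contact LDAP server")
        return data


class FakeDirectory:
    """Constructed stand-in for a standards-compliant server: every bind is serviced."""
    def __init__(self, creds: dict):
        self.creds = creds                   # {dn: password}

    def exchange(self, req: bytes) -> bytes:
        mid, dn, pw = _parse_bind(req)
        return bind_response(mid, 0 if self.creds.get(dn) == pw else 49)  # 49 = invalidCredentials


class FakeDuoLikeProxy(FakeDirectory):
    """Constructed model of the article's failure: once a user bind has been answered,
    no further bind on this connection is serviced, so the bind-back sees a dead link."""
    def __init__(self, creds: dict, service_dn: str):
        super().__init__(creds)
        self.service_dn, self.user_bound = service_dn, False

    def exchange(self, req: bytes) -> bytes:
        if self.user_bound:
            raise ConnectionError("Can't contact LDAP server")
        resp = super().exchange(req)
        if _parse_bind(req)[1] != self.service_dn:
            self.user_bound = True
        return resp


def authd_ldap_authenticate(t, binddn, bindpw, userdn, userpw, strict=True, tries=3):
    """strict=True models 8.1.7+ (bind-back retried, failure reported); strict=False models
    pre-8.1.7 (one unchecked bind-back). Returns (status, number of bind-back attempts)."""
    if bind_result_code(t.exchange(bind_request(1, binddn, bindpw))) != 0:
        return "binddn-rejected", 0
    user_ok = bind_result_code(t.exchange(bind_request(2, userdn, userpw))) == 0
    verdict = "accepted" if user_ok else "rejected"
    attempts = 0
    for attempt in range(1, (tries if strict else 1) + 1):
        attempts = attempt
        try:
            if bind_result_code(t.exchange(bind_request(2 + attempt, binddn, bindpw))) == 0:
                return verdict, attempts
        except OSError:
            pass                             # "Failed to rebind back to binddn (Try N)"
    return (verdict if not strict else "need-reconnect"), attempts
```

To probe a live endpoint, call `authd_ldap_authenticate(SocketTransport("proxy-host"), binddn, bindpw, userdn, userpw)` with a test account; a result of `("need-reconnect", 3)` reproduces the 8.1.7+ failure in this article, while `("accepted", 1)` means the endpoint services the bind-back. With `strict=False` the same proxy yields `("accepted", 1)`, which is why the problem was invisible before 8.1.7.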


    https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PPrN&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail
