Tuesday, February 9, 2016

Configuring LDAP auth from Palo Alto PA-500 firewalls to Windows 2012 R2 AD servers

For the most part this is covered in the Palo Alto admin guides, but if, like me, you just wind up owning one of these at work and you don't have a bunch of time to decipher them, then you might find this useful. Especially since configuring Palo Altos is a lot like object-oriented programming: you have to 'build' out all your components and then chain them together, which makes troubleshooting more fun.

LDAP Config (using PAN-OS release 7.x):

Step 1

Device Tab -> Server Profiles -> LDAP. From here Add a new Server Profile, give it a meaningful name like domain-ldap and populate the server list.
Enter your Base DN.
Enter your Bind DN. In my case I created a dedicated service account and entered it in UPN format as 'accountname@domainname.com'. Then enter the password for the account so the firewall can access the directory.

For AD LDAP, go ahead and uncheck the Require SSL/TLS checkbox. Keep in mind that without TLS the bind account's password crosses the network in cleartext on every lookup, so give that service account read-only directory rights and nothing more.

And Commit your changes

Step 2

Now go to the Authentication Profile (also on the Device Tab) and click Add.
Give it a meaningful name like ldap-authprofile.
Then choose the Server Profile that we created in Step 1 from the drop-down list.
The Login Attribute should be sAMAccountName. (No, I don't know if that's case sensitive.)
Important - fill in the User Domain with the NetBIOS name of your domain. Yes, I know it's 2016 and we're still stuck with it. It'll make a difference later on if you try to do Group Filtering.
If you're setting up an Allow List, click the Advanced Tab and enter the LDAP distinguished names (DNs) of your groups.

And Commit your changes

Optional Step 3 - Group filtering/search

If you're using Group Filtering, make sure to go under User Identification, then to the Group Mapping Settings tab and Add those groups in.
Click Add, then choose the Server Profile that we created in Step 1.
Go to the Group Include List tab and drill down to your group.
Note: if you can't drill down, then you don't have a working LDAP connection. Check your settings and make sure your AD controllers are listening on the LDAP port. Also, keep in mind that the traffic will be coming from the MGT (management) port on the Palo Alto, which may have a different IP than your data interfaces, so that address is the one that has to be able to reach the domain controllers.

Click Ok. Commit your changes.

At this point you should have a fully functional LDAP Authentication Profile which you can feed into other objects like Authentication Sequences, GlobalProtect Gateways, etc.
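Before chaining the profile into anything else, it helps to check that the values from Steps 1 to 3 (Base DN, login attribute, NetBIOS user domain, allow-list group DNs) actually resolve a login the way the firewall will. The script below is an added example, not PAN-OS code or anything from the Palo Alto docs; the domain, group and account names are constructed placeholders, and the live lookup assumes the third-party ldap3 library.

```python
"""Mirror the firewall's login lookup: normalise the typed name to the
sAMAccountName, build an RFC 4515-escaped search filter, and compare the
user's memberOf values against the allow list.  Hypothetical helper."""

# Constructed sample values standing in for the blog's Step 1/2 settings.
BASE_DN = "DC=domainname,DC=com"
USER_DOMAIN = "DOMAINNAME"          # NetBIOS name from the Authentication Profile
LOGIN_ATTRIBUTE = "sAMAccountName"
ALLOW_LIST = ["CN=Firewall Admins,OU=Groups,DC=domainname,DC=com"]

# RFC 4515 filter escapes, so a login name containing * ( ) \ or NUL
# cannot change the meaning of the search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def normalise_login(login):
    """Strip a 'NETBIOS\\' prefix or '@domain' suffix to get the bare account
    name.  A NetBIOS prefix other than USER_DOMAIN is rejected, which is the
    check the User Domain field drives on the firewall."""
    if "\\" in login:
        domain, _, user = login.partition("\\")
        if domain.upper() != USER_DOMAIN:
            raise ValueError("unknown user domain: %s" % domain)
        return user
    return login.split("@", 1)[0]


def build_user_filter(login):
    user = escape_filter_value(normalise_login(login))
    return "(&(objectClass=user)(%s=%s))" % (LOGIN_ATTRIBUTE, user)


def is_allowed(member_of):
    """DNs compare case-insensitively; AD returns them as they were created."""
    allowed = {dn.lower() for dn in ALLOW_LIST}
    return any(dn.lower() in allowed for dn in member_of)


def run_check(server, bind_dn, password, login, use_tls=True):
    """Bind as the service account and look the user up, as the MGT port would.
    Requires ldap3 (third-party) and a reachable domain controller."""
    import ldap3
    conn = ldap3.Connection(ldap3.Server(server, use_ssl=use_tls),
                            bind_dn, password, auto_bind=True)
    conn.search(BASE_DN, build_user_filter(login), attributes=["memberOf"])
    if not conn.entries:
        return False
    return is_allowed([str(dn) for dn in conn.entries[0].memberOf.values])
```

Run run_check() from a host on the same network as the MGT port, with use_tls=False if you unchecked Require SSL/TLS, and a False result for a user you expect to pass points at the Base DN, the User Domain or the group DN rather than the firewall itself.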

Troubleshooting tips:
The default caching period is about an hour. If you're doing testing you'll want to force that cache to empty out. From a console/SSH connection, run
debug user-id refresh group-mapping all
to refresh the cached group mapping from LDAP.

PAN-OS 7.x also has a new feature to help you troubleshoot authentication from the command line. Details here:

Good Luck!
