How to Authenticate into a Palo Alto Firewall using Active Directory

There are a couple of ways to bind Active Directory onto a Palo Alto Firewall. This tutorial will show how to log into a Palo Alto Firewall for administrators using Active Directory credentials to change the configuration via WebGUI or CLI.

Prerequisites

  • Windows with Active Directory
  • Management IP that can reach the AD Servers
  • LDAP Bind account that can read your AD. Make a service account for this

1. Create LDAP Server Profile

  • Go to Device > Server Profiles > LDAP and add a LDAP server profile to your AD and fill in the profile for your AD Servers. For our AD servers, we do not use SSL.

paloldap

 

2. Add Group Mapping in User-ID

  • Go to User-ID > Group Mapping Settings and Add a Group Mapping
  • Select the Server Profile AD that you created in the previous step
  • Set the Update Interval for the Palo Alto Profile to pull AD in Seconds. Default is 3600 seconds or 1 hour

palouseridgroup

  • In the Group Include List add the Group in your AD where it includes the users you would like to authenticate to the Admin GUI. Click on the + symbol to add it to the list

palouseridgroup2

  • Save and Commit

3. Manually Update Group Mappings on Palo Alto Device

  • Our default time for Palo Alto to update Group Mappings is 3600 seconds, but we would like to do this change immediately. Log into the Palo Alto CLI and pull the user data from AD immediately with the following commands:

[email protected] > debug user-id refresh group-mapping all

group mapping ‘Infrastructure’ in vsys1 is marked for refresh.

[email protected] >

4. Create Sequence with Authentication Profile

  • Create an Authentication Sequence by going to Device > Authentication Sequence
  • Give the Authentication Sequence Profile a name
  • Under Authentication Profiles, select “new Authentication Profile

paloauthprofile

 

 

  • Create An Authentication Profile for LDAP Authentication
  • Add the Group that you added in User-ID Group Mapping
  • For the Login Attribute enter in: sAMAccountName for parsing the username Schema from AD for login

paloauthprofile2

  • Select ok and save your profile

paloauthprofile3

 

5. Allow Only Certain Users to Access Admin Console

  • Go to Device > Administrators section
  • Keep the admin local user as a backup to log into the device
  • Select Add to create a new user
  • Enter in your username in AD that you would like to authenticate and Authentication Profile of the Authentication Sequence you entered in from the previous step
  • Select the role of the user to what privileges you want to have for the account

paloadmins

  • Save and Commit

6. Log in and Test

  • You should now be able to login with the username you specified in step 5 to both the WebGUI and CLI.
  • If you cannot log in, please check the logs under Monitor > System to see what may be causing the issue.
login as: richard.yau
Using keyboard-interactive authentication.
Password:
Welcome richard.yau.
[email protected]>

Leave a Comment