GlobalProtect Login Fails When Using a Group in the Allow List

113297
Created On 09/25/18 20:36 PM - Last Modified 09/03/23 05:48 AM


Issue

When a group is used in the "allow list" of the authentication profile that GlobalProtect uses, the login attempt fails with the following error: "Reason: User is not in allowlist"

 

However, the login works fine if the allow list is set to "all" in the authentication profile.

 

Resolution

1. Confirm that the group you are using is in the include list of a Group Mapping configuration under Device > User Identification > Group Mapping Settings.

[Image: Group Mapping.png]


2. Confirm that the group in question contains the user attempting to log in.
Run the CLI command: show user group name <value>

For example:
> show user group name pantac\vpn-user
short name:  pantac\vpn-user

source type: ldap
source:      Pantac2003

[1     ] pantac\user1
[2     ] pantac\admin1
[3     ] pantac\administrator
[4     ] pantac\user2
[5     ] pantac\user4

 

3. Confirm that the LDAP server profile used for your Group Mapping and for your GlobalProtect authentication profile (in most cases this is the same profile) contains the NetBIOS domain name (short name) in the Domain field. Do not use the DNS name of the domain (domainname.com). In many cases this field can also be left blank.

The LDAP server profile is under Device > Server Profiles > LDAP


[Image: LDAP server account.png]


4. In PAN-OS 7.0 and later, the domain setting was moved to Device > User Identification > Group Mapping Settings:

[Image: User Domain.png]

 


5. In PAN-OS 8.0 the User Domain can also be controlled in the Authentication Profile.

User Domain in the Authentication Profile

[Image: Authentication Profile.png]

 

6. Confirm that the group name in the allow list of the GlobalProtect authentication profile is entered as the long name of the group. This value can be copied from the output of the "show user group list" CLI command and pasted into the allow list.

Authentication Profile Allow List

[Image: Authentication Allow List.png]

 
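The following Python helper is an added example and is not part of this article or of any Palo Alto Networks tooling. It captures the checks from steps 2, 3 and 6 so they can be run offline against pasted CLI output: it parses the "show user group name" output format shown above to test group membership, flags a DNS-style Domain field, and flags an allow-list entry that looks like a short name rather than a long name. The sample output is constructed from the article's example; the assumption that a long group name looks like an LDAP distinguished name (cn=...,dc=...) is this example's own, as is the 15-character NetBIOS length check.

```python
"""Offline checks for the GlobalProtect allow-list troubleshooting steps (added example)."""
import re

# Constructed sample, modelled on the `show user group name` output in the article.
SAMPLE_GROUP_OUTPUT = """\
short name:  pantac\\vpn-user

source type: ldap
source:      Pantac2003

[1     ] pantac\\user1
[2     ] pantac\\admin1
[3     ] pantac\\administrator
[4     ] pantac\\user2
[5     ] pantac\\user4
"""

# Member lines look like "[3     ] pantac\administrator"
MEMBER_RE = re.compile(r"^\[\s*\d+\s*\]\s+(\S+)\s*$")


def parse_group_members(output):
    """Return (short_name, [members]) parsed from `show user group name` output."""
    short_name = None
    members = []
    for line in output.splitlines():
        if line.startswith("short name:"):
            short_name = line.split(":", 1)[1].strip()
        m = MEMBER_RE.match(line)
        if m:
            members.append(m.group(1))
    return short_name, members


def user_in_group(output, user):
    """Step 2: case-insensitive membership test for domain\\user in the parsed group."""
    _, members = parse_group_members(output)
    return user.lower() in (m.lower() for m in members)


def domain_field_issue(domain):
    """Step 3: the Domain field may be blank or a NetBIOS short name; a DNS name is the mistake."""
    d = domain.strip()
    if d == "":
        return None  # leaving the field blank is acceptable per the article
    if "." in d:
        return f"Domain field {d!r} looks like a DNS name; use the NetBIOS short name or leave it blank"
    if len(d) > 15:  # assumption: NetBIOS names are at most 15 characters
        return f"Domain field {d!r} is longer than a NetBIOS name"
    return None


def allowlist_issue(entry):
    """Step 6: the allow-list entry must be the group's long name, not the short name.

    Assumption of this example: a long name is an LDAP DN such as
    'cn=vpn-user,ou=groups,dc=pantac,dc=local'.
    """
    e = entry.strip()
    if "=" in e and "," in e:
        return None
    return f"allow-list entry {e!r} looks like a short name; paste the long name from 'show user group list'"


def diagnose(user, group_output, domain, allowlist_entry):
    """Run steps 2, 3 and 6 and return a list of findings (empty list = all checks pass)."""
    findings = []
    short_name, members = parse_group_members(group_output)
    if not members:
        findings.append("group has no members; check the Group Mapping include list (step 1)")
    elif not user_in_group(group_output, user):
        findings.append(f"{user} is not a member of {short_name} (step 2)")
    issue = domain_field_issue(domain)
    if issue:
        findings.append(f"{issue} (step 3)")
    issue = allowlist_issue(allowlist_entry)
    if issue:
        findings.append(f"{issue} (step 6)")
    return findings


if __name__ == "__main__":
    # A misconfigured case: user not in group, DNS-style domain, short-name allow-list entry.
    for finding in diagnose("pantac\\user3", SAMPLE_GROUP_OUTPUT, "pantac.com", "pantac\\vpn-user"):
        print("-", finding)
```

Paste the real output of "show user group name" in place of the constructed sample and call diagnose() with the values from your LDAP server profile and authentication profile; an empty result means the three CLI-verifiable conditions hold, and any remaining failure points at the Group Mapping configuration in step 1.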

owner: jteestel



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClizCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail