Can't connect user group is fine but Agent Policy does not match

luishoracio.arizaga — Tue, 05 Dec 2023 11:35:12 GMT

Hello, I'm running out of ideas to tshoot a GP connection problem. I have a user that is in an AD group uservpn (checked on the cli and it's fine). Added this group to Portal and GW configuration and I can't connect. If I live any for the config under user/user group for portal and Gateway it works. I see the user has this group on the CLI but somehow the firewall can't make the association on the login

{"level":"info","time":"2023-12-05T12:25:17.046726663+01:00","message":"loadGlobalRegionFile: global region file not changed, skip building the trie"} {"level":"info","time":"2023-12-05T12:25:52.806664649+01:00","message":"ConfigPhase2: received config phase2"} {"level":"info","time":"2023-12-05T12:25:52.806820918+01:00","message":"ConfigPhase2: phase2 done, switched to new config ts:1701775516, version:94 (MaxTaskCount:1000 MaxAuthReqCount:4096)"} {"level":"error","task":"439-5","time":"2023-12-05T12:27:16.5756033+01:00","message":"GetPortalClientConfig: portal CHLC_Portal was found, but no client config for req &{X.X.X.X luis.arizaga Windows 1ZP5FK3 false false false false}"} {"level":"error","task":"439-5","time":"2023-12-05T12:27:16.57613947+01:00","message":"authLoop write: failed to send data to unixgram:@/tmp/authd.sock, error: write unixgram @/tmp/authd_client_GP_socket_1701775066.sock->@/tmp/authd.sock: write: connection refused"} {"level":"error","time":"2023-12-05T12:27:16.576966802+01:00","message":"authLoop read: failed to receive data from auth, error: read unixgram @/tmp/authd_client_GP_socket_1701775066.sock->@/tmp/authd.sock: use of closed network connection"} {"level":"error","time":"2023-12-05T12:27:17.577205202+01:00","message":"authLoop: connection to authd is broken, reconnecting"} {"level":"info","time":"2023-12-05T12:27:17.577584189+01:00","message":"authLoop: connection to authd is established"} {"level":"error","task":"439-5","time":"2023-12-05T12:27:17.628630724+01:00","message":"GetPortalClientConfig: portal CHLC_Portal was found, but no client config for req &{X.X.X.X luis.arizaga Windows 1ZP5FK3 false false false false}"} {"level":"error","task":"439-5","time":"2023-12-05T12:27:17.629557248+01:00","message":"gpGetconfig: Failed to get portal config"}

Does anyone have a suggestion about how to tshoot this?

Thanks for your time.

Regards,

Luis

Re: Can't connect user group is fine but Agent Policy does not match

reaper — Tue, 05 Dec 2023 13:08:49 GMT

does the username contained inside the group (show user group name <yourgrouphere>) match EXACTLY with the username the authentication profile is receiving?

of group mapping has you as domain\user and your auth profile receives user@domain , that is not a match

you can fix that by changing the username modifier in the authentication profile, or changing the group mapping user attribute

Re: Can't connect user group is fine but Agent Policy does not match

luishoracio.arizaga — Tue, 05 Dec 2023 13:26:35 GMT

Indeed Reaper, I've solved this with the following steps, thanks!

Auth Profile: on domain name I've configured Netbios domain name (https://community.lansweeper.com/t5/scanning-your-network/finding-your-domains-dns-and-netbios-names/ta-p/64266)
User identification => Group mapping settings => I've deleted the domain that I defined there, I left the option blank. (https://www.reddit.com/r/paloaltonetworks/comments/8fgvez/failed_access_via_globalprotect/)

I don't understand why it works but it does. Thanks.

topic Re: Can't connect user group is fine but Agent Policy does not match in GlobalProtect Discussions

Can't connect user group is fine but Agent Policy does not match

Re: Can't connect user group is fine but Agent Policy does not match

Re: Can't connect user group is fine but Agent Policy does not match