topic Re: Global Protect not working with RADIUS NPS and LDAP on the same server. in General Topics

Global Protect not working with RADIUS NPS and LDAP on the same server.

JorgeOrtega — Wed, 03 Nov 2021 16:59:13 GMT

Hello everyone,

We have a Firewall configured for Authentication for LDAP and RADIUS NPS.

Both works fine when I force the authentication profile using CLI:

test authentication authentication-profile LDAP username user password

test authentication authentication-profile RADIUS username user password

However, when using Global Protect with an Authentication Sequence, I see the RADIUS Auth Denied in the Event Viewer in Windows and the connection fails in the client, so it doesn't go to the next Authentication Profile.

I also wanted to use Groups. I have 2 in Active Directory (RADIUS_Users and LDAP_Users) but I can only use Group Mapping for the LDAP, so RADIUS has no option to match a specific group. Any workaround for this?

Thanks.

Re: Global Protect not working with RADIUS NPS and LDAP on the same server.

TomYoung — Wed, 03 Nov 2021 18:29:29 GMT

Hi @JorgeOrtega ,

The authentication sequence should check both authentication profiles regardless of the AAA response -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMdXCAW. (The link on the bottom of that link provides more details.) I would double check that the user is not failing via LDAP also.

With regard to groups, you can configure groups in the authentication profile under Advanced. The groups configured under Device > User Identification > Group Mapping Settings > [edit group] > Group Include List will show in the authentication profile. The firewall does an LDAP query for the group and gets the users. If the login username matches, then the profile is used.

With regard to NPS, the Event Log > Security should tell you why it is failing.

Thanks,

Tom

Re: Global Protect not working with RADIUS NPS and LDAP on the same server.

JorgeOrtega — Wed, 03 Nov 2021 19:01:05 GMT

Hi Tom,

Thanks for the detailed response. I have two groups and I want the RADIUS Authentication Profile to use the RADIUS_NPS group in Active Directory. I also want the LDAP Authentication Profile to use the LDAP group in Active Directory.

The Authentication sequence is using RADIUS first and LDAP second and the idea is a user that belongs to the RADIUS group in AD should hit this Authentication Profile first and users that belongs to the LDAP group in AD should bypass the RADIUS and goes to the LDAP instead. Will this work?

When following that link for the group mapping, I can only create one group for LDAP as this is the only Authentication Profile I can select. Now if I do this I can then select it in the Allow List under the Advanced authentication profile under Advanced tab as you mentioned, however when I do the same for the RADIUS authentication profile it only shows the LDAP group. Should I type the name of the group manually? For example: CN=RADIUS_Users,CN=Users,DC=mydomain,DC=com ?

Thanks for the guidance on this matter.

Re: Global Protect not working with RADIUS NPS and LDAP on the same server.

TomYoung — Wed, 03 Nov 2021 19:10:24 GMT

Hi @JorgeOrtega ,

Yes, that will worked based upon the allow list. No, you shouldn't have to type it in manually as long as you can see it under Device > User Identification > Group Mapping Settings > [edit group] > Group Include List.

Thanks,

Tom

Re: Global Protect not working with RADIUS NPS and LDAP on the same server.

JorgeOrtega — Wed, 03 Nov 2021 20:58:09 GMT

I just checked that the only way that I can add groups to the Allow List below is by creating the Group Mapping. (right now both are using All):

However still wondering why you select the RADIUS-NPS group shown below along with the LDAP one...

When I only see the option for LDAP under the Server Profile for the same Group Mapping rule?

I have no option to do Group Mapping of my RADIUS_NPS group to be under the NPS Server Profile only under the LDAP Server Profile.

Is this correct?

Regards,

Jorge.

Re: Global Protect not working with RADIUS NPS and LDAP on the same server.

TomYoung — Wed, 03 Nov 2021 23:16:03 GMT

Hi @JorgeOrtega ,

That is correct. The firewall uses LDAP for group mapping. That is the only (and correct) selection. You do not need to specify the group under the server profile. As long as you can modify the allow list in the authentication profile, it will work as desired.

Thanks,

Tom

Re: Global Protect not working with RADIUS NPS and LDAP on the same server.

JorgeOrtega — Wed, 03 Nov 2021 23:38:02 GMT

Tom, I want to thank you for your valuable help. This worked like a charm. I had some issues in my setup that I discovered while I was creating the group mapping. I could also understand how these groups works. I created an RADIUS group and left All for the LDAP, so only a specific group that belongs to this group will have 2FA. Thanks again and have a great evening.

Jorge.