topic GP / PA GUI fault in General Topics

GP / PA GUI fault

Vimz888 — Thu, 31 Mar 2022 19:20:15 GMT

Hi,

I currently have Palo running within a EVENG environment.

I have set up Global Protect, the problem seems to be every time I try to log into GP using an AD account. I am automatically logged out of the Palo GUI. Furthermore, the username/password does not even authenticate, even though the un/pw is correct,

Has anyone had this problem ?

Thank you in advance.

Re: GP / PA GUI fault

S.Cantwell — Fri, 01 Apr 2022 00:01:20 GMT

It sounds to me like there are a few multiple issues going on. Let's start with the GP user... if you have the correct user/pass and it fails, have you configured to use a local account (and NOT a local admin account), but local user database user. You may want to try that first. If that works but fails with AD, then you may want to check your service account, credentials, IP, as this would be the last/final place to look.
As for the login to the GUI, please try to use 2 different browser instances (not 2 browser tabs)

I have seen this on my own computer, where I get logged out when I have same browser, but 2 tabs. I get logged out.

Re: GP / PA GUI fault

Vimz888 — Mon, 04 Apr 2022 14:55:37 GMT

Hi,

Thank you for your response.

I tried using another instance of the browser (chrome), but had the same issue. It logged me out straight away.

- just for clarity, I was using :4443 for the GUI portal and :443 for GP.

Used a completely different browser (Edge), AND that did RESOLVE the issue - my question is why would it sign you out on the same browser, it's using different ports.

====

With regard to the authentication locally, that is working fine.

I am able to log into GP with the un/pw set locally.

name VPN1 passwordE1> test authentication authentication-profile AUTH-Local user
Enter password :

Target vsys is not specified, user "VPN1" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
name "VPN1" is in group "all"

Authentication by Local User Database for user "VPN1"

Authentication succeeded for Local User Database user "VPN1"

I tested the authentication of the UN/PW and this is the output I get,

AD is connected, I can authenticate the username/password on the machine that are connected to the domain. It is only GP that does not want to work.

rname GPuser password test authentication authentication-profile AUTHPROFILE use
Enter password :

Target vsys is not specified, user "GPuser" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
user "paloeveng.local\GPuser" is a member of allowed group "cn=paloalto,ou=firewall,dc=paloeveng,dc=local" on vsys "vsys1"
Authentication to LDAP server at 192.168.150.10 for user "GPuser"
Egress: 192.168.22.10
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
Received empty DN for user "GPuser"
Authentication failed against LDAP server at 192.168.150.10:389 for user "GPuser"

Authentication failed for user "GPuser"

Not sure what this is indicating

Received empty DN for user "GPuser"

Thanks,

Re: GP / PA GUI fault

Vimz888 — Mon, 04 Apr 2022 16:54:01 GMT

After further looking into this:

>less mp-log authd.log

2022-04-04 16:34:52.266 +0100 debug: _get_auth_prof_detail(pan_auth_util.c:1099): non-admin user thru Global Protect "GPuser" ; auth profile "AUTHPROFILE" ; vsys "vsys1"
2022-04-04 16:34:52.266 +0100 debug: _get_authseq_profile(pan_auth_util.c:886): Auth profile/vsys (AUTHPROFILE/vsys1) is NOT auth sequence
2022-04-04 16:34:52.266 +0100 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for AUTHPROFILE-vsys1-mfa
2022-04-04 16:34:52.266 +0100 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1055): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: AU
THPROFILE/vsys1)
2022-04-04 16:34:52.266 +0100 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1066): MFA configured, but bypassed for GP user ''. (prof/vsys: AUTHPROFILE/vsys1)
uest->username
2022-04-04 16:34:52.268 +0100 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:569): This is a single vsys platform, group check for allow list is performed on "vsys1"
2022-04-04 16:34:52.271 +0100 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1835): Authenticating user "GPuser" with <profile: "AUTHPROFILE", vsys: "vsys1">
2022-04-04 16:34:52.271 +0100 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for AUTHPROFILE-vsys1

2022-04-04 16:34:52.273 +0100 debug: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1132): searching basedn "DC=paloeveng, DC=local" for filter "(uid=GPuser)", attrs "framedIPAddress",
LDAPp=0x559d6c17c670
2022-04-04 16:34:52.338 +0100 Error: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1193): Received empty DN for user "GPuser". Try to re-establish the connection

2022-04-04 16:34:52.338 +0100 debug: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1328): binding back to binddn: paservice@paloeveng.local (Try 1)
2022-04-04 16:34:52.338 +0100 debug: pan_authd_ldap_bind(pan_authd_shared_ldap.c:637): binding with binddn paservice@paloeveng.local
2022-04-04 16:34:52.358 +0100 Error: _start_sync_auth(pan_auth_service_handle.c:749): sync request for user "GPuser" is failed or possibly timed out against 192.168.150.10:389 with 0th VOID
p=0x559d6c17c670
gine.c:4322): auth status: auth state unknown

Strolled through the basedn on AD, which was correct

After looking into it further via

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClpoCAC

There was a misconfiguration on the LDAP profile, which caused the issue.

Changed the following

The "Type" was set to "other" instead of "active-directory"

Thank you and I hope this helps anyone having the same issue.