LDAP and GlobalProtect

klumpen — Mon, 09 Sep 2013 11:40:30 GMT

Hi,

I am trying to set up Globalprotect.

Would like to restrict the user to a group, but I can not get this to work.

In Authentication profile i have the VPN-group in allow list.

When I logon with a user in this group the log tell me that i have incorrect username or password.

Have also included the group under "group mapping setting".

Have tried the different settings under Global Protect as well.

Anyone know how to solve this problem?

I do not have the licens for Global Protect.

Re: LDAP and GlobalProtect

UhMayYeah — Mon, 09 Sep 2013 12:08:56 GMT

Does authentication work w/o Allow list i.e with all groups.

What's the format used for Authentication, It should be simply username and not domain\username.

Check if you have configured Auth Profile correctly.

I always miss Login attribute : sAMAccountName

Re: LDAP and GlobalProtect

cchristiansen — Tue, 10 Sep 2013 01:32:08 GMT

Here are a few things you can check at the command line.

First check to make sure the group in question is recognized by the firewall:

admin@PA-200> show user group list

cn=vpn-users,ou=groups,dc=panlab,dc=local

Total: 1

admin@PA-200>

Next, make sure the user you are trying to authenticate with is in that group:

admin@PA-200> show user group name "cn=vpn-users,ou=groups,dc=panlab,dc=local"

source type: service

source: panlab-389LDAP

[1 ] panlab.local\chadd

admin@PA-200>

As you can see in the output of the last command, domain\user is what the firewall is looking for.

The important parts of the configuration for groups to work correctly are as follows:

Device->LDAP->your-ldap-profile:

If your LDAP server requires the domain\user login method, you can configure the domain in your profile. If not, then leave that field blank (try it both ways).

Device->User Identification->Group Mapping Settings->Server Profile->your-group-mapping-profile:

In 4.1 and later the firewall does the group mapping, so this is where you configure that. Make sure that these settings match your LDAP install.

Device->User Identification->Group Mapping Settings->Group Include List:

This is an LDAP filter. This is used to restrict the LDAP search to these groups. It is different than the allow list in your authentication profile - this is a filter, not an ACL. That being said, if you filter out the group you are trying to authenticating to, it obviously won't work.

Some things you need to be aware of:

There is a delay between the time you add/remove a user to/from a group and when the authentication works. You can speed up the process by using the following commands:

admin@PA-200> debug user-id reset group-mapping

all all

panlab-389LDAP panlab-389LDAP

<value> group mapping to reset

This command is helpful if you want to get the groups to clear from the firewall and have them rediscovered.

admin@PA-200> debug user-id refresh group-mapping all

admin@PA-200>

This command can be run to cause the firewall to pull the new mappings since last time the process ran (delta).

If none of the above helps you resolve the issue, it would be great to do a packet capture between your PA and your LDAP server. Open the pcap in a program like WireShark and filter for ldap (type ldap in the filter and hit enter). Look for the ldap requests and ldap responses. Make sure that when you attempt to authenticate, the firewall sends an ldap request to the LDAP server. If it does not, make sure that your Device->Setup->Services->Service Route Configuration is set up correctly. If it does send a request, make sure it is correct, and that you get a valid response. In version 5.x or greater of PAN-OS, you can use tcpdump at the command line to capture this traffic - although, it is best if you scp export the pcap off the box and inspect it with a program like WireShark.

All that being said, please open a case with support if you continue to have trouble.

Good luck.

-chadd.

Re: LDAP and GlobalProtect

Retired Member — Wed, 11 Sep 2013 08:26:56 GMT

check your LDAP profile ,especially if you have typed netbios domain name correctly.

topic LDAP and GlobalProtect in General Topics

LDAP and GlobalProtect

Re: LDAP and GlobalProtect

Re: LDAP and GlobalProtect

Re: LDAP and GlobalProtect