https://live.paloaltonetworks.com/t5/general-topics/problem-authenticating-ssl-vpn-with-edirectory-users/m-p/18524#M13528 <HTML><HEAD></HEAD><BODY><P>What is the authentication error you get?</P><P></P><P>Run the command: 'tail follow yes mp-log authd.log' and authenticate to the VPN. This output will give you the reason as to why the authentication fails.</P></BODY></HTML> Mon, 30 Apr 2012 23:29:00 GMT zarina 2012-04-30T23:29:00Z https://live.paloaltonetworks.com/t5/general-topics/problem-authenticating-ssl-vpn-with-edirectory-users/m-p/18523#M13527 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>I have set up a SSL VPN on a PA-500 with Pan OS 4.0.7.</P><P></P><P>The problem is that I cannot log in with certain eDirectory users. I have checked those users are in the same group as the ones that work; that group is the one allowed to log in.</P><P></P><P>I would appreciate any help on this.</P><P></P><P>Regards</P><P>Emilio M.</P></BODY></HTML> Mon, 30 Apr 2012 10:36:35 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-authenticating-ssl-vpn-with-edirectory-users/m-p/18523#M13527 emaneiro 2012-04-30T10:36:35Z https://live.paloaltonetworks.com/t5/general-topics/problem-authenticating-ssl-vpn-with-edirectory-users/m-p/18524#M13528 <HTML><HEAD></HEAD><BODY><P>What is the authentication error you get?</P><P></P><P>Run the command: 'tail follow yes mp-log authd.log' and authenticate to the VPN. This output will give you the reason as to why the authentication fails.</P></BODY></HTML> Mon, 30 Apr 2012 23:29:00 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-authenticating-ssl-vpn-with-edirectory-users/m-p/18524#M13528 zarina 2012-04-30T23:29:00Z https://live.paloaltonetworks.com/t5/general-topics/problem-authenticating-ssl-vpn-with-edirectory-users/m-p/18525#M13529 <HTML><HEAD></HEAD><BODY><P>The output is</P><P></P><P>May 01 14:51:26 pan_authd_service_req(pan_authd.c:2454): Authd:Trying to remote authenticate user: PruebaVPN<BR />May 01 14:51:26 pan_authd_service_auth_req(pan_authd.c:1098): AUTH Request &lt;'vsys1','VPNSSL-Auth-Sequence','PruebaVPN'&gt;<BR />May 01 14:51:26 pan_authd_handle_nonadmin_auths(pan_authd.c:2146): VPNSSL-Auth-Sequence is an auth sequence<BR />May 01 14:51:26 pan_authd_handle_nonadmin_auths(pan_authd.c:2206): Trying auth profile #1 COA-Local in auth seq<BR />May 01 14:51:26 panauth:user &lt;PruebaVPN,COA-Local,vsys1&gt; is not allowed<BR />May 01 14:51:26 pan_authd_handle_nonadmin_auths(pan_authd.c:2206): Trying auth profile #2 COA-eDir-VPN-SSL in auth seq<BR />May 01 14:51:26 pan_authd_common_authenticate(pan_authd.c:1472): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:c:o:a-e:dir-:v:p:n-:s:s:l,username PruebaVPN<BR />May 01 14:51:29 pan_authd_authenticate_service(pan_authd.c:648): authentication failed (6)<BR />May 01 14:51:29 authentication failed for user &lt;vsys1,COA-eDir-VPN-SSL,PruebaVPN&gt;<BR />May 01 14:51:29 pan_authd_process_authresult(pan_authd.c:1241): pan_authd_process_authresult: PruebaVPN authresult not auth'ed<BR />May 01 14:51:29 Error: pan_authd_user_auth_failure_alarm_gen(pan_authd_localdb_utils.c:504): failed to prepare sql statement: select * from authseqdb where seqname=? and vsysname=?'<BR />May 01 14:51:29 pan_authd_process_authresult(pan_authd.c:1264): Alarm generation set to: False.<BR />May 01 14:51:29 User 'PruebaVPN' failed authentication.&nbsp; Reason: Invalid username/password From: 88.18.211.151.<BR />May 01 14:51:29 pan_get_system_cmd_output(pan_cfg_utils.c:3033): executing: /usr/local/bin/sdb -n -r cfg.operational-mode<BR />May 01 14:51:29 pan_authd_generate_system_log(pan_authd.c:827): CC Enabled=False<BR />May 01 14:51:29 pan_get_system_cmd_output(pan_cfg_utils.c:3033): executing: /usr/local/bin/sdb -n -r cfg.operational-mode</P><P></P><P></P><P>But I know the password for that user is correct and other users authenticate correctly</P><P></P><P>Any ideas?</P></BODY></HTML> Tue, 01 May 2012 12:57:33 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-authenticating-ssl-vpn-with-edirectory-users/m-p/18525#M13529 emaneiro 2012-05-01T12:57:33Z https://live.paloaltonetworks.com/t5/general-topics/problem-authenticating-ssl-vpn-with-edirectory-users/m-p/18526#M13530 <HTML><HEAD></HEAD><BODY><P>It was an issue with user's password in Novell eDirectory. I finally debugged this with 'ndstrace' and 'ndslogin' in the eDirectory server.</P><P></P><P>Regards</P><P>Emilio M</P><P>Ingelan</P><P>Sevilla, Spain</P></BODY></HTML> Tue, 01 May 2012 14:19:03 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-authenticating-ssl-vpn-with-edirectory-users/m-p/18526#M13530 emaneiro 2012-05-01T14:19:03Z https://live.paloaltonetworks.com/t5/general-topics/problem-authenticating-ssl-vpn-with-edirectory-users/m-p/18527#M13531 <HTML><HEAD></HEAD><BODY><P>Your log does indicate its an invalid username/pwd:</P><P></P><P>May 01 14:51:29 User 'PruebaVPN' failed authentication.&nbsp; Reason: Invalid username/password From: 88.18.211.151.</P></BODY></HTML> Tue, 01 May 2012 22:19:38 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-authenticating-ssl-vpn-with-edirectory-users/m-p/18527#M13531 zarina 2012-05-01T22:19:38Z https://live.paloaltonetworks.com/t5/general-topics/problem-authenticating-ssl-vpn-with-edirectory-users/m-p/18528#M13532 <HTML><HEAD></HEAD><BODY><P>After debugging the same problem with another user the problem dissapeared when I changed the user name (CN in this case). I changed one uppercase letter to lowercase... ¡and it worked!</P><P></P><P>I even changed the user name back to the original value and kept working.</P><P></P><P>I don't know the reason but changing the user name solves this problem.</P><P></P><P>Regards</P><P>Emilio</P></BODY></HTML> Wed, 02 May 2012 14:51:31 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-authenticating-ssl-vpn-with-edirectory-users/m-p/18528#M13532 emaneiro 2012-05-02T14:51:31Z