topic Re: PAN-200 and Active Directory - Part II in General Topics

PAN-200 and Active Directory - Part II

bdunbar — Mon, 06 Oct 2014 21:13:28 GMT

PAN-200 Software version: 6.0.1
GlobalProtect Agent: 2.0.4
New domain, built on Windows Server 2012 R2.

I'm missing _something_. Setup as below and I cannot login with the domain name account to the VPN. It's got to be one .. little .... thing.

Device - Setup - Services - Services Features: Service Route Configuration / Destination

Destination: <ip of domain controller>
Source Interface: Any
Source Address: 209.59.29.193/26

Device - Server Profiles - LDAP - created server profile 'Windstream-AD'

Server

Name: tn-ad-01
LDAP Server: <redacted IP>
Port: 389

Unchecked SSL

Entered NetBIOS domain name

Type: Active Directory

Clicked the Base Drop down and voila: I got a base LDAP information, all filled in.

Entered BIND DN and valid credentials.

Device - User Identification - Group Mapping Settings

Found the Server Profile 'Windstream-AD'

Click 'Group Include List'

and it found the list <netbiosname>\ns-vpnusers

And .. now what? Is there something else? The two users in the group ns-vpnusers cannot login with their domain credentials.

Man - what am I missing?

Re: PAN-200 and Active Directory - Part II

bat — Mon, 06 Oct 2014 21:15:15 GMT

bdunbar

Could you verify if the login attribute in the authentication profile is set to sAMAccountName ?

Also have you specified any users in the allow-list, I will first suggest you to try with "all" in allow-list

Re: PAN-200 and Active Directory - Part II

Retired Member — Mon, 06 Oct 2014 21:22:41 GMT

How to Troubleshoot LDAP Authentication

How to Configure Active Directory Server Profile for Group Mapping and Authentication

https://live.paloaltonetworks.com/docs/DOC-2961

will be helpful

Re: PAN-200 and Active Directory - Part II

bdunbar — Mon, 06 Oct 2014 21:26:56 GMT

Also have you specified any users in the allow-list,

Device - Authentication Profile

Name: Active Directory

Allow List: All

login attribute in the authentication profile is set to sAMAccountName ?

I don't see a login attribute there. But in Device - User Identification - Group Mapping Settings ..

Name: Windstream AD

User Objects - user name 'sAMAccountName'

EDIT

Correction to the above - I put 'sAMAccountName' in the auth profile 'login attribute'. Committed. Same issue.

Re: PAN-200 and Active Directory - Part II

bat — Mon, 06 Oct 2014 21:32:41 GMT

bdunbar

I am referring to this attribute:

Re: PAN-200 and Active Directory - Part II

bdunbar — Mon, 06 Oct 2014 21:35:06 GMT

Yes, I realized my mistake (see edit). I inserted that value there: no dice.

Re: PAN-200 and Active Directory - Part II

tshiv — Mon, 06 Oct 2014 21:39:18 GMT

Hello,

Also make sure that you have set the user's AD account settings to allow the user to log onto "all computers" instead of the the "following computers".

Hope this helps.

Thanks

Tilak

Re: PAN-200 and Active Directory - Part II

bat — Mon, 06 Oct 2014 21:40:25 GMT

Could you type following command on CLI:

tail follow yes mp-log authd.log

Now try to login through global protect and paste the output of above command here.

Re: PAN-200 and Active Directory - Part II

bdunbar — Mon, 06 Oct 2014 21:51:55 GMT

Interesting: LOCAL_CP is one of three auth profiles on the device. The others are

Keberos Auth - using this to login admin accounts authorized to Active Directory

Windstream Active Directory - this is my problem child, right now.

AD account is first.last

2014-10-06 16:48:50.484 -0500 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: brian.dunbar

2014-10-06 16:48:50.484 -0500 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LOCAL_GP','brian.dunbar'>

2014-10-06 16:48:50.493 -0500 debug: pan_localdb_authenticate(pan_authd_localdb_utils.c:133): No such user <vsys1,LOCAL_GP,brian.dunbar>

2014-10-06 16:48:50.494 -0500 authentication failed for local user <brian.dunbar(orig:brian.dunbar),LOCAL_GP,vsys1>

2014-10-06 16:48:50.494 -0500 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: brian.dunbar authresult not auth'ed

2014-10-06 16:48:50.510 -0500 debug: pan_authd_process_authresult(pan_authd.c:1399): Alarm generation set to: False.

2014-10-06 16:48:50.510 -0500 User 'brian.dunbar' failed authentication. Reason: Invalid username/password From: 216.55.49.134.

2014-10-06 16:48:50.510 -0500 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False

2014-10-06 16:49:03.996 -0500 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: corp-cicayda\brian.dunbar

2014-10-06 16:49:03.996 -0500 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LOCAL_GP','corp-cicayda\brian.dunbar'>

2014-10-06 16:49:04.011 -0500 debug: pan_localdb_authenticate(pan_authd_localdb_utils.c:133): No such user <vsys1,LOCAL_GP,corp-cicayda\brian.dunbar>

2014-10-06 16:49:04.011 -0500 authentication failed for local user <corp-cicayda\brian.dunbar(orig:corp-cicayda\brian.dunbar),LOCAL_GP,vsys1>

2014-10-06 16:49:04.011 -0500 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: corp-cicayda\brian.dunbar authresult not auth'ed

2014-10-06 16:49:04.021 -0500 debug: pan_authd_process_authresult(pan_authd.c:1399): Alarm generation set to: False.

2014-10-06 16:49:04.021 -0500 User 'corp-cicayda\brian.dunbar' failed authentication. Reason: Invalid username/password From: 216.55.49.134.

2014-10-06 16:49:04.021 -0500 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False

2014-10-06 16:49:21.859 -0500 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: brian.dunbar@corp.cicayda.com

2014-10-06 16:49:21.860 -0500 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LOCAL_GP','brian.dunbar@corp.cicayda.com'>

2014-10-06 16:49:21.869 -0500 debug: pan_localdb_authenticate(pan_authd_localdb_utils.c:133): No such user <vsys1,LOCAL_GP,corp-cicayda\brian.dunbar>

2014-10-06 16:49:21.869 -0500 authentication failed for local user <corp-cicayda\brian.dunbar(orig:brian.dunbar@corp.cicayda.com),LOCAL_GP,vsys1>

2014-10-06 16:49:21.869 -0500 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: corp-cicayda\brian.dunbar authresult not auth'ed

2014-10-06 16:49:21.881 -0500 debug: pan_authd_process_authresult(pan_authd.c:1399): Alarm generation set to: False.

2014-10-06 16:49:21.881 -0500 User 'corp-cicayda\brian.dunbar' failed authentication. Reason: Invalid username/password From: 216.55.49.134.

2014-10-06 16:49:21.881 -0500 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False

EDIT

It looks like the problem is that vsys1 is associated with 'LOCAL_GP'. So .. I need to define a new virtual system (vsys2?) and associate that with LDAP.

I'm skimming virtual systems docs - very slick. I'm liking PAN more, and more. Once I get it working I might well fall in love with it ...

EDIT

Nope. I was wrong. But looking to fix the above I made it right ...

Network - Global Protect - Portals - edit ..

Authentication from 'GP_Portal' (what we had setup for local access prior to getting AD stood up) to 'Windstream Active Directory' aka the profile I setup for LDAP/AD.

And I'm in. Groovy. Thanks!

Re: PAN-200 and Active Directory - Part II

bat — Mon, 06 Oct 2014 22:09:30 GMT

Could you also check the domain controller logs at the same time ? Also make sure the user has not been locked out due to multiple failure attempts.

Hope it helps !