topic PAN 4.1.1 Global Protect client and LDAP in General Topics

PAN 4.1.1 Global Protect client and LDAP

nicksampson — Thu, 19 Jan 2012 03:40:29 GMT

I am running 4.1.1 and I am having issues authenticating Global Protect 1.1.1 clients via AD. I know my LDAP server settings are correct as I can browse the workgroups in User-ID Group Mappings. Howver I can't browse these in the 'allow-list' in the authentication profile (the only option is the ALL default.

With AD I get 'invalid username & password' logs. I have tested connectivity succesfully using the local user database. Is anyone else experiencing this and have they found a fix?

Re: PAN 4.1.1 Global Protect client and LDAP

pandragon — Thu, 19 Jan 2012 13:18:27 GMT

During initial debugging, you may want to set "Update Interval" for "Group Mapping Settings" seen under "Device" tab - "User Identification". Click on the group mapping name and set "Update Interval" to something like 60 seconds (valid range is 60 to 86400 seconds).

Then connect to the firewall using CLI via SSH client. Few useful CLI commands can be tried as follows:

show user group-mapping state all

show user group-mapping statistics

In the output of above commands, check that "Number of Groups" is not zero. If it is zero, verify that you are not using * as wildcard under "Search Filter" field in Group Mapping configuration. For example, if you are searching for a group starting with words vpn do not enter search filter like "vpn*" but just enter "vpn".

Once the group mapping starts showing results, you can revert "Update Interval" to somewhat longer instaed of 60 seconds.

Hope this helps.

Re: PAN 4.1.1 Global Protect client and LDAP

nicksampson — Fri, 20 Jan 2012 03:43:56 GMT

This is all fine. User-ID querying to AD is fine but remote VPN access using AD returns 'invalid username/password'. I have setup an LDAP profile that calls on the same server as User-ID utilises so am at a loss as to why this is not working.

Re: PAN 4.1.1 Global Protect client and LDAP

pandragon — Fri, 20 Jan 2012 06:15:43 GMT

I think if user is not found by PA device in the group-name seen under "Allow List" then the system log will show "Authentication Failed: Invalid Username or Password". That may be misleading.If you set filter when viewing logs, as eventtype=GlobalProtect, then you might miss other log where eventtype=general.

If you do not set any filter, does the log also show event=auth-fail and description like "user xyz failed authentication. Reason: User is not in allowlist"? It may be something like attached screen sample.

Re: PAN 4.1.1 Global Protect client and LDAP

kamish — Sat, 21 Jan 2012 15:11:20 GMT

We have has GlobalProtect installed and working for nearly a year. As soon as we upgraded to 4.1.2 software and 1.1.1 GP client, it stopped working externally. When trying to connect it just gets hung up on "Connecting" and never get through to the Portal to authenticate. Reverted software to 4.0.5 and GP client to 1.0.5 and everything works as it should.

Re: PAN 4.1.1 Global Protect client and LDAP

kamish — Sat, 21 Jan 2012 15:13:19 GMT

One other thing to check...Have you checked that your panuid client is working properly?

Re: PAN 4.1.1 Global Protect client and LDAP

nicksampson — Thu, 02 Feb 2012 20:02:28 GMT

After speaking to PAN they advised not to use the Domain Users group in AD as this uses PrimaryGroupID and not sAMAccountName attribute. They suggested I create a new security policy i.e RemoteVPN and add AD users to this as required. This is now working.