topic Global protect authentication LDAP not working fine in General Topics

Global protect authentication LDAP not working fine

soporteseguridad — Thu, 11 Aug 2016 07:48:20 GMT

Hi, we have GlobalProtect configured using a LDAP group for authentication in the VPN "cn=groupvpnusers,ou=_generic_groups,dc=it,dc=xxxx,dc=local"

When we commit this new config using vpn group in Auth profile, the GP authenticacion is working fine but 2-3 hours later it starts to fail and we get this error in all users in this group "failed authentication. Reason: User is not in allowlist".

To solve it we need to configure all in the "Auth profile" in order to work again. We dont know why if we use a group in Auth profile the PA is working fine only 2-3 hours. ¿any timeout mapping?¿any refresh?

PanOS is 6.0.12

This is the useridd.log after 2 hours using ldap groups for auth VPN:

2016-08-03 13:18:18.042 +0200 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: paloaltovpntest
2016-08-03 13:18:18.042 +0200 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LDAP_USER_VPN_FR-1-1','paloaltovpntest'>
2016-08-03 13:18:18.045 +0200 panauth:user <it.xxxxxx.local\paloaltovpntest,LDAP_USER_VPN_FR-1-1,vsys1> is not allowed
2016-08-03 13:18:18.045 +0200 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: it.xxxxxx.local\paloaltovpntest authresult not auth'ed
2016-08-03 13:18:18.054 +0200 debug: pan_authd_process_authresult(pan_authd.c:1399): Alarm generation set to: False.
2016-08-03 13:18:18.054 +0200 User 'it.xxxxxx.local\paloaltovpntest' failed authentication. Reason: User is not in allowlist From: 88.3.65.25
2016-08-03 13:18:18.054 +0200 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False

This is when its working (in this case using all in auth profile not ldap group)

2016-08-03 13:24:56.096 +0200 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: paloaltovpntest
2016-08-03 13:24:56.096 +0200 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LDAP_USER_VPN_FR-1-1','paloaltovpntest'>
2016-08-03 13:24:56.098 +0200 debug: pan_authd_common_authenticate(pan_authd.c:1654): Authenticating user using
2016-08-03 13:24:56.125 +0200 debug: pan_authd_authenticate_service(pan_authd.c:629): authentication succeeded (0)
2016-08-03 13:24:56.125 +0200 debug: pan_authd_authenticate_service(pan_authd.c:635): account is valid
2016-08-03 13:24:56.125 +0200 authentication succeeded for user <vsys1,LDAP_USER_VPN_FR-1-1,it.xxxxxx..local\paloaltovpntest>
2016-08-03 13:24:56.125 +0200 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: it.xxxxxxx..local\paloaltovpntest authresult auth'ed
2016-08-03 13:24:56.126 +0200 Request received to unlock vsys1/LDAP_USER_VPN_FR-1-1/it.xxxxxx.local\paloaltovpntest
2016-08-03 13:24:56.131 +0200 User 'it.xxxxxxx.local\paloaltovpntest' authenticated. From: 85..x.x.x

Re: Global protect authentication LDAP not working fine

BPry — Wed, 03 Aug 2016 13:38:32 GMT

I'm sure the answer is yes but just to be sure, there is the allow list on the Authentification Profile and the actual GlobalProtect Portals, is the user group allowed on both of these?

*As a side note their is a known issue on older versions of the software where authentification issues would take place if the firewall was running for more than a 1 year time period without being shutdown. I would start with seeing if that fixes your issues if you are in an enviroment where you can schedule a restart in a resonable amount of time.

Re: Global protect authentication LDAP not working fine

soporteseguridad — Wed, 03 Aug 2016 13:43:22 GMT

Yes, the users are on this allowed group. When we commit it, its working but 2-3 hours later not 😞

Uptime 188 days, 13:37:57. Itos not very long this uptime right??? is there any bug id for this??

Re: Global protect authentication LDAP not working fine

soporteseguridad — Thu, 04 Aug 2016 09:21:55 GMT

Any idea???

Re: Global protect authentication LDAP not working fine

bmorris1 — Thu, 04 Aug 2016 10:59:34 GMT

Looks like a possible typo in the domain field

'it.xxxxxxx..local\paloaltovpntest'

xxx..local

should this be .local? Or just it.xxxx\paloaltovpntest , removing the .local?

Ben

Re: Global protect authentication LDAP not working fine

soporteseguridad — Thu, 04 Aug 2016 11:06:10 GMT

I think the config is OK because thisis working fine but 2-3 hours later stop authenticating.

Doing a debug we see this event and after stops authenticating fine.

2016-08-03 12:18:46.906 +0200 debug: authd_sysd_groupinfosync_callback(pan_authd.c:4349): will update vsys1, cn=ggfrpaloaltorasvpn,ou=_generic_groups,dc=fr,dc=xxxxxxxxx,dc=local here using file /opt/pancfg/mgmt/global/groups/1/Y249Z2dmcnBhbG9hbHRvcmFzdnBuLG91PV9nZW5lcmljX2dyb3VwcyxkYz1mcixkYz1zZWN1cml0YXNkaXJlY3QsZGM9bG9jYWw=.xml

2016-08-03 12:18:51.509 +0200 debug: authd_sysd_groupinfosync_callback(pan_authd.c:4363): done updating vsys1, cn=ggfrpaloaltorasvpn,ou=_generic_groups,dc=fr,dc=xxxxxxxxx,dc=local here

Its like after doing the refresh stop working but nothing was changed in LDAP or PA.