topic Re: authenticate with domain\username in Global Protect in General Topics

authenticate with domain\username in Global Protect

big_Gilo — Wed, 06 Sep 2017 12:58:38 GMT

Hi Guys,

i have set the authentication Profile (username Modifier) to %USERDOMAIN%\%USERINPUT%

because i want all user currently using GP to add thei domain as well not just the username.

the Profil has been added to the GP authentication section.

but everytime i just get failed authentication from these users.

but the second authentication profil is accepting only the %USERINPUT% as input. Meaning all users on the second profil are able to authenticate without any problem.

both Profile are using the same GP settings (configured on the same GP)

did i in my config miss anything ?

i would deeply appreciate if someone could provide me with some hints.

cheers,

Gilo

Re: authenticate with domain\username in Global Protect

Ben-W — Wed, 06 Sep 2017 13:18:09 GMT

Hi Gilo,

Bit of a stab in the dark and maybe one of the others can help more however for a quick check/test:

Have you checked the logs on the DC to see what was being sent through from the Palo when it fails, i'm thinking maybe you have added a domain within the domain field (either within the LDAP profile or the Authentication profile depending which PAN-OS version you are using) which would append the domain entry,. Remove the domain entry and retest.

Also you can tail the logs on the Palo to maybe gain some more insight, > tail follow yes mp-log authd.log

Again this is a true stab in the dark and hopefully the others can provide additional assistance.

Re: authenticate with domain\username in Global Protect

Mick_Ball — Thu, 07 Sep 2017 07:57:18 GMT

using the %USERDOMAIN%\%USERINPUT% option will remove any "domain\" entered by the user and use the domain info in the "user domain" field of the authentication profile.

if you do not have a "user domain" entry in the profile then the palo alto will attempt to resolve the domain name via group mapping.

Re: authenticate with domain\username in Global Protect

big_Gilo — Thu, 07 Sep 2017 12:32:20 GMT

@Mick_Ball , @Ben-W thank you very much for the hints. your ideas really helped me out.

i have solved the Problem. what i had before was as follow:

- on GP --> Client Auth, i had both Profile ( Auth Profil A und Auth Profil B)

1-Profil A= only with username

2-Profil B= with domain and username (here i do not have a domain in the Uer Domain ( i removed it ) )

so every time the client on Profil B tried to sign in, GP only hit the 1st profil (Profil A)

user on A were able to log in without any problem.

So, i just created one Authentication Sequence Profil X = A and B

and on GP --> Client Auth i just added the Auth Seq X . Then I worked as i wanted

on the Auth Seq it checked the first Auth Profil does not get a hit then moves to the next Auth Profil.

what i find a weird is taht why on GP --> Client Auth tab, you have the Option to add several Profil for authentication but instead of checking all the profil in that list it just hits the first Profil and does not check other profil.

Re: authenticate with domain\username in Global Protect

Mick_Ball — Thu, 07 Sep 2017 12:38:08 GMT

for GP to check all authentication profiles you need to add them to an "authentication order" and then add the "authentication order" to the client auth tab.

Re: authenticate with domain\username in Global Protect

big_Gilo — Fri, 08 Sep 2017 04:29:25 GMT

@Mick_Ball Thx a lot

well, that is what i did ( i guess by Auth Order you means the Auth Sequence)

but my point is that on the Client Auth, you have the possibility to add several profile. Something i tested by adding several Profile But everytime only the first profil currently on the top of the list was being checked the other below was not.

As you said that worked quite well. i defined a new Auth Seq then i added all other Profile into it.

later added the newly created Auth Seq to GP.

Re: authenticate with domain\username in Global Protect

Mick_Ball — Fri, 08 Sep 2017 07:33:10 GMT

sorry, yes "sequence"

the auth profile on the portal config has always been a gripe of mine. seems to work OK for different OS option but i was also never able to try all profiles for the same OS. i suppose this makes sense but the help file does suggest that you can have multiple auths profiles for the same OS.

It may work in the same way as the setup within Device\Authentication Profile. this will only try the next option if the auth server does not respond.

so... now they have added "Authentication Sequence" all is good.