topic Re: GlobalProtect not using AD group in General Topics

GlobalProtect not using AD group

StuartFordham — Tue, 12 Sep 2017 12:58:15 GMT

Hi,

I am running a PA-VM on AWS. It has two interfaces, one for management, one for data.

I have created an LDAP connection to our network and can log into GP using my AD credentials. So far, so good.

I need to have separation of users and assigned IPs based on group membership. I have an authentication profile with two sequences. One to match on the group that my account is a member of, the second uses local authentication.

In the GP gateway, I have the authentication set to the auth sequence (which uses the first authentication profile - the one that should match my account and group set first), and in the agent client settings, I have two entries. the first one should give me an IP address from the first range, the second entry is set to any/any and gives an IP from a different range.

When I connect, I use my username/password from AD but get an IP address from the second range.

The logs show these entries (note I have replaced the actual AD details):

1,2017/09/12 05:48:17,4E0FEDAE31E65C2,31,0x0,USERID,login,53,2017/09/12 05:48:17,0,0,0,0,,PA-VM,1,vsys1,10.7.2.10,xx\sfordham,,0,1,2592000,0,0,vpn-client,globalprotect,0,0,,2017/09/12 05:48:18,1

admin@PA-VM> show user group-mapping state all

Group Mapping(vsys1, type: active-directory): SaaS-Users
Bind DN : CN=xxx,OU=xxx xxx - Shared,DC=XX,DC=xxx
Base : DC=XX,DC=xxx
Group Filter: (None)
User Filter: (None)
Servers : configured 1 servers
213.78.96.130(389)
Last Action Time: 1607 secs ago(took 0 secs)
Next Action Time: In 1993 secs
Number of Groups: 1
cn=replaced_xxx,ou=security groups with mailbox,ou=security groups - shared,dc=xx,dc=xxx

admin@PA-VM>

admin@PA-VM> show user ip-user-mapping all

IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.7.2.10 vsys1 GP xx\sfordham 2591689 2591689
Total: 1 users

admin@PA-VM>

From what I have read, GP in the above command *should* be AD

admin@PA-VM> show user user-ids

User Name Vsys Groups
------------------------------------------------------------------
xx.xxx\sfordham vsys1 cn=replaced_xxx,ou=security groups with mailbox,ou=security groups - shared,dc=xx,dc=xxx
Total: 22
admin@PA-VM>

So it looks like it is reading all of the necessary details - I can log in using my AD account, for example - it's just the mapping that's incorrect.

Can anyone advise?

Apologies if I have missed something blindingly obvious. I only started working with PA last week, so am learning as I go!

Re: GlobalProtect not using AD group

Mick_Ball — Tue, 12 Sep 2017 13:38:24 GMT

firstly, check the monitor\system log to ensure you are authenticating as domain\user name to both the portal and gateway.

Re: GlobalProtect not using AD group

Mick_Ball — Tue, 12 Sep 2017 13:40:38 GMT

sorry, cancel the above....

Re: GlobalProtect not using AD group

StuartFordham — Tue, 12 Sep 2017 13:43:23 GMT

Ok, cancelling... but here are the logs just in case...

Re: GlobalProtect not using AD group

Mick_Ball — Tue, 12 Sep 2017 13:57:35 GMT

could you confirm that under network/gateways/(gateway name)/agent that you have 2 configs.

Re: GlobalProtect not using AD group

Mick_Ball — Tue, 12 Sep 2017 13:58:18 GMT

oops.. missed off /client settings

Re: GlobalProtect not using AD group

StuartFordham — Tue, 12 Sep 2017 14:01:17 GMT

Check! both are there, and I am getting an IP address from the Corp pool - not the first pool as I would like...

Re: GlobalProtect not using AD group

Mick_Ball — Tue, 12 Sep 2017 14:09:35 GMT

open up your first config and add another user, start typing sford and see if your name auto appears

Re: GlobalProtect not using AD group

StuartFordham — Tue, 12 Sep 2017 14:14:21 GMT

That works:

Re: GlobalProtect not using AD group

Mick_Ball — Tue, 12 Sep 2017 14:17:04 GMT

could you provide print screen of ldap auth profile

Re: GlobalProtect not using AD group

StuartFordham — Tue, 12 Sep 2017 14:20:19 GMT

I this what you mean?

there are no settings under "Factors"

Re: GlobalProtect not using AD group

Mick_Ball — Tue, 12 Sep 2017 14:30:08 GMT

ok i'm not so good with domain names, we do not have a something.local in our domain name. just a single entry.

hopefully someone else will jump in with more domain experience but could you just post device/user id/group mapping settings/(name)/server profile.

also.. under the gateway client settings, just enter your name manually without domain info. and test.

Re: GlobalProtect not using AD group

StuartFordham — Tue, 12 Sep 2017 14:41:08 GMT

The only difference I can see is that the domain is uppercase here - but I can drill into it and select the group, so I think this is probably not causing an issue.

I added myself as a new entry as you suggested:

However, I still get an IP address from the 10.7.2. range.

Re: GlobalProtect not using AD group

Mick_Ball — Tue, 12 Sep 2017 14:45:01 GMT

you have added yourself with domain info. dont select yourself from the list, just type it in and ignore name in list. just click whitespace and it will stick.

Re: GlobalProtect not using AD group

StuartFordham — Tue, 12 Sep 2017 14:58:51 GMT

Tried that, it just shows sfordham, but I still jump down to the Corp entry.

Re: GlobalProtect not using AD group

Mick_Ball — Tue, 12 Sep 2017 15:05:12 GMT

OK I is miffed, all the above works for me, i may be ciutching at straws but it could be worth changing your corp pool to a different subnet, I know user IP's are cached per user but not sure if this applies to different agent configs.

Re: GlobalProtect not using AD group

StuartFordham — Tue, 12 Sep 2017 15:36:33 GMT

Me too Mick!

So, I created a new AD group - first checking that spaces in OUs are OK (https://live.paloaltonetworks.com/t5/Management-Articles/Usernames-Not-Retrieved-by-the-Firewall-with-OU-for-LDAP-Server/ta-p/59174) and added my user to that - also the other group was a distribution group, new group is a security group (just in case).

Edited the config to use the new group.

Changed the pool for Corp to 10.7.3.10-10.7.3.200.

Reconnected to the VPN - now getting a 10.7.3.10 address.

ever feel like you are going round in circles? 🙂

Re: GlobalProtect not using AD group

Mick_Ball — Tue, 12 Sep 2017 15:57:25 GMT

i dont think this is an issue with OU's as your name was retrieved when you started to type it in.

lets not give up hope as there are some clever peeps out there that have bailed me out on many occasions, and it's still quite a fresh call.

here are a number of things i would try, just for diags.

1, in your ldap profile and in your group id settings. just change the domain field to "test", commit, and then remove your name from the gateway config and add it again. it should auto populate under the domain "test" regardless of the real domain name.

try to connect again...

2, with the above still in place, clone your portal agent config, move it to the top and add your name here also.

i like to do this in the portal as the monitor/system tab shows you what portal config is being used, it does not seem to show this in the logs for gateway configs.

by the time you have done this, someone will jump in and make us both look stupid....

Re: GlobalProtect not using AD group

Mick_Ball — Tue, 12 Sep 2017 15:59:09 GMT

also, are you on V8.x

Re: GlobalProtect not using AD group

Mick_Ball — Tue, 12 Sep 2017 17:09:09 GMT

hmm... forget option 1. tried again and didn't work second time....

perhaps just change the domain name to the bit that you hace squiggled out. omitting .local.