Global protect users dont pass authentication

Radmin_85 — Wed, 04 Apr 2018 20:08:20 GMT

Hello all

we have PA in production.The problem is VPN users dont pass by certain authentication profile.The issue is that when we point user it is ok but when we point some group it fails to authenticate

we test through CLI and that is result

test authentication authentication-profile VPN_LDAP username eradmin password
Enter password :

Allow list check error:
Target vsys is not specified, user "eradmin" is assumed to be configured with
a shared auth profile.

Do allow list check before sending out authentication request...
User eradmin is not allowed with authentication profile VPN_LDAP

This eradmin user is the member of VPN-USERS group.When we point this user separately it is ok but inside the group it fail to authenticate

Model is 820

PAN OS- 8.0.7

Re: Global protect users dont pass authentication

BPry — Thu, 05 Apr 2018 13:38:47 GMT

@Radmin_85,

If you run the command as stated below, switching the info out with your group, does the firewall properly poll the group and display the requesting user?

show user group name cn=palo--lab-admin-users,ou=groups,ou=lab-enviroment,dc=lab,dc=root,dc=local

topic Re: Global protect users dont pass authentication in General Topics

Global protect users dont pass authentication

Re: Global protect users dont pass authentication