topic Re: Authentication issue with Global Protect in General Topics

Authentication issue with Global Protect

FarzanaMustafa — Wed, 24 Feb 2021 02:37:40 GMT

We are having difficulty with our Active/Passive pair of PA_820’s where they are setup to allow auth to GlobalProtect based on AD group membership.

If we create a new OU in AD and move a user to the newly created AD OU whilst still having the same group membership, they can no longer auth to connect to global protect from internal nor external networks.

If we then move them back to the original OU, auth works again.

We have tried the reset, refresh and clear commands (debug user-id reset group-mapping all, debug user-id refresh group-mapping all, clear user-cache all)

We have also tried to drop the bind one level down. Any further ideas how to resolve this?

PANOS version – 9.1.3

GlobalProtect version – 5.1.1

Re: Authentication issue with Global Protect

BPry — Wed, 24 Feb 2021 04:41:06 GMT

@FarzanaMustafa,

So you can actually view group membership directly on the firewall via the show user group name <value> command and make sure that the user is properly showing up in the group membership list. Next I would see what the test authentication gives you on the firewall itself (test authentication authentication-profile <value> username <value> password ). That can sometimes point you in the right direction.

Re: Authentication issue with Global Protect

Mick_Ball — Wed, 24 Feb 2021 07:03:13 GMT

Perhaps i have not read this correctly but you mention multiple groups.. yet you only have one group included in your screen shot. Are we talking nested groups here?

Re: Authentication issue with Global Protect

FarzanaMustafa — Wed, 03 Mar 2021 01:39:10 GMT

Thank you @Mick_Ball and @BPry

Strangely, VPN group is working fine after clearing cache.

No nested groups in use.