Global Protect + LDAP + Cert Auth = Auth Fail AND Auth Success

Reply
L4 Transporter

Global Protect + LDAP + Cert Auth = Auth Fail AND Auth Success

Is anyone else running this setup...

Global Protect VPN(iPads specifically) using LDAP(Active Directory) AND client certificate for authentication.

...if you are, have you noticed in the System logs, when a user authenticates to Global Protect the PA logs one or two Auth Fails followed by an Auth Success?

Our users are not noticing anything on their end, but looking at packet captures, it looks like the PA never sends the LDAP request for the first two Auth Fails, then finally sends it on the third Auth.

Currently on 5.0.11.  PA Support says to upgrade to 5.0.14, although I did not read anything in the release notes about this being fixed.

Tags (1)
L6 Presenter

Re: Global Protect + LDAP + Cert Auth = Auth Fail AND Auth Success

Hi Jambulo,

If you have seen packet capture, and verified firewall didnt send packets in first two attempts. Then its certainly a bug.

Before upgrade to 5.0.14, you should ask engineer for root cause. And also ask for bug which suggested upgrade to 5.0.14.

This will ensure, you will not have same issue after moving to 5.0.14.

Regards,

Hardik Shah

L7 Applicator

Re: Global Protect + LDAP + Cert Auth = Auth Fail AND Auth Success

I agree with Hardik.

If there is a bug that was fixed in 5.0.14 your support engineer should be able to give you the bug number and a reference in the release notes.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L4 Transporter

Re: Global Protect + LDAP + Cert Auth = Auth Fail AND Auth Success

Hi Jambulo

I have another idea.

How looks Your authentication sequence?

Is ther only one profile on profile list?

I observed similar logs entries when I have two profiles in one authentication sequence, so PAN tryed to authenticate on first profile and then on next one if was unable to authenticate on the first.

Please verify that

With regards

SLawek

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!