I tried support on this, didn't get much help. I am using PANOS 7.0 and GlobalProtect 2.2.1
I have a couple hundred GlobalProtect clients using Windows. I am using pre-logon (always on) with LDAP authentication. The goal is to have the GlobalProtect clients to stay connected to the gateway at all times, or keep trying to connect until a gateway becomes available.
The boxes auto-connect and auto-reconnect on their own 95% of the time. However, in an event where the LDAP servers go down (i.e. maintenance or interruption), the user is prompted for a password even though pre-logon is being used and the user has selected "Remember me" within the client. Please note, I am using certificates for pre-logon, but I can not use SSO.
I have included a screenshot of the issue. ANY HELP is appreciated.
Error on client:
If the LDAP server is down then how the firewall will authenticate. As the LDAP is down so authentication fails so firewall is asking for credentials again.
How about setting up multiple ldap servers for redundancy? This way you can reboot one or more and still retain functinality.
I am not sure if I understand what you mean by the firewall authenticating. If you are referring to the admin login for the firewall that uses local authentication, not LDAP.
What I am striving for is a truely "always on" solution. In my view, when pre-logon says "always on" it should never ask the clients for credentials when the authentication server is down.
Thanks for the reply. I appreciate the recommendation. We currently have two LDAP servers. We have seen a couple of situations where the communication between the LDAP server and the clients becomes interrupted for one reason or another.
I am wondering if there is some sort of registry setting for the Windows GP clients... something to supress the prompt?
pre-logon vpn is a partial vpn that would allow a user to load logon scripts etc while the workstation boots into normal operational mode. This access is granted with a decreased level of authentication.
Once the logon sequence completes the user will always be required to 'make himself known' by authenticating. the pre-logon vpn mode cannot be used while in normal windows 'desktop' mode.
To get around this you could try using an authentication sequence in the gateway configuration' authentication (instead of a single ldap profile) where two ldap profiles provide redundancy
That makes sense. I am wondering though why the client prompts for a password even though the client has checked off "remember me."
that may require a little more troubleshooting, you'll first want to figure out what is happening to the ldap exactly.
you could set up an wireshark on the ldap server or run a tcpdump on the firewall while testing a failed connection like this. maybe the ldap does respond to the authentication but in an unexpected way, making the Gateway reprompt the user for credentials because it thinks the authentication failed.
the user/pass prompt would typically appear if something like that happens or if the password is changed or expired. GP debug log may help shed some light on this as well
I point my ldap server at the root domain and not a single server, so it is setup as ldap server : corp.firm.local and it works without problems, the client querys whatever domain controller it can find.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!