LDAP and GlobalProtect


L1 Bithead

Hi,

I am trying to set up GlobalProtect.

I would like to restrict the users to a group, but I cannot get this to work.

In the Authentication profile I have the VPN group in the allow list.

When I log on with a user in this group, the log tells me that I have an incorrect username or password.

I have also included the group under "Group Mapping Settings".

I have tried the different settings under GlobalProtect as well.

Does anyone know how to solve this problem?

I do not have the license for GlobalProtect.

3 REPLIES

L5 Sessionator

Does authentication work without the allow list, i.e. with all groups?

What format is used for authentication? It should be simply the username and not domain\username.

Check that you have configured the Auth Profile correctly.

I always miss the Login attribute: sAMAccountName

L3 Networker

Here are a few things you can check at the command line.

First check to make sure the group in question is recognized by the firewall:

admin@PA-200> show user group list
cn=vpn-users,ou=groups,dc=panlab,dc=local
Total: 1
admin@PA-200>

Next, make sure the user you are trying to authenticate with is in that group:

admin@PA-200> show user group name "cn=vpn-users,ou=groups,dc=panlab,dc=local"
source type: service
source:      panlab-389LDAP
[1     ] panlab.local\chadd
admin@PA-200>

As you can see in the output of the last command, domain\user is what the firewall is looking for. 

The important parts of the configuration for groups to work correctly are as follows:

Device->LDAP->your-ldap-profile:

If your LDAP server requires the domain\user login method, you can configure the domain in your profile.  If not, then leave that field blank (try it both ways).

Device->User Identification->Group Mapping Settings->Server Profile->your-group-mapping-profile:

In 4.1 and later the firewall does the group mapping, so this is where you configure that.  Make sure that these settings match your LDAP install.

Device->User Identification->Group Mapping Settings->Group Include List:

This is an LDAP filter.  This is used to restrict the LDAP search to these groups.  It is different from the allow list in your authentication profile - this is a filter, not an ACL.  That being said, if you filter out the group you are trying to authenticate against, it obviously won't work.

Some things you need to be aware of:

There is a delay between the time you add/remove a user to/from a group and when the authentication works.  You can speed up the process by using the following commands:

admin@PA-200> debug user-id reset group-mapping
  all              all
  panlab-389LDAP   panlab-389LDAP
  <value>          group mapping to reset

This command is helpful if you want to get the groups to clear from the firewall and have them rediscovered.

admin@PA-200> debug user-id refresh group-mapping all
admin@PA-200>

This command can be run to cause the firewall to pull the new mappings since last time the process ran (delta).

If none of the above helps you resolve the issue, it would be great to do a packet capture between your PA and your LDAP server.  Open the pcap in a program like Wireshark and filter for ldap (type ldap in the filter and hit enter).  Look for the ldap requests and ldap responses.  Make sure that when you attempt to authenticate, the firewall sends an ldap request to the LDAP server.  If it does not, make sure that your Device->Setup->Services->Service Route Configuration is set up correctly.  If it does send a request, make sure it is correct, and that you get a valid response.  In version 5.x or greater of PAN-OS, you can use tcpdump at the command line to capture this traffic, although it is best if you scp export the pcap off the box and inspect it with a program like Wireshark.

All that being said, please open a case with support if you continue to have trouble.

Good luck.

-chadd.
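The last suggestion in the reply above is to capture the firewall-to-LDAP traffic and check that the bind request is correct and that the server returns a valid response. The script below is an added example, not part of this thread and not PAN-OS or Palo Alto Networks code: it decodes an LDAP simple-bind exchange (BindRequest and BindResponse as defined in RFC 4511) from raw bytes, so you can see exactly which name the firewall sent and what the server answered. The two messages are constructed inline for the example; the bind name "panlab\chadd", the messageID and the Active Directory diagnostic text are assumed values, not taken from a real capture. The point a practitioner wants from the capture is in the AD "data" sub-code: 525 (user not found, typically a name-format problem such as a wrong or missing domain prefix) and 52e (account found, wrong password) both come back to the firewall as "incorrect username or password", but the server tells them apart.

```python
"""Decode an LDAP simple-bind exchange from a firewall-to-LDAP packet capture.

Added example (not from the original post or from Palo Alto Networks).  The two
messages at the bottom are constructed here to stand in for what Wireshark shows
after filtering on "ldap"; nothing is taken from a real capture.  Only
BindRequest / BindResponse (RFC 4511) are decoded, which is all an auth failure needs.
"""
import re

# BER tags used by the LDAP PDUs handled here
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_BIND_REQUEST = 0x60    # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61   # [APPLICATION 1], constructed
TAG_SIMPLE_AUTH = 0x80     # AuthenticationChoice.simple [0]

RESULT_CODES = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
                32: "noSuchObject", 34: "invalidDNSyntax", 48: "inappropriateAuthentication",
                49: "invalidCredentials", 50: "insufficientAccessRights", 53: "unwillingToPerform"}

# Active Directory appends "data <hex>" to diagnosticMessage; it says more than resultCode 49 alone.
AD_SUBCODES = {"525": "user not found", "52e": "invalid credentials", "530": "logon time restriction",
               "531": "workstation restriction", "532": "password expired", "533": "account disabled",
               "701": "account expired", "773": "user must reset password", "775": "account locked out"}


def ber_encode(tag, payload):
    """Wrap payload in a BER TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def ber_int(value):
    """Minimal two's-complement BER INTEGER payload for a non-negative value."""
    return value.to_bytes(value.bit_length() // 8 + 1, "big")


def ber_children(buf):
    """Split a constructed value into its (tag, payload) children."""
    out, pos = [], 0
    while pos < len(buf):
        tag, first = buf[pos], buf[pos + 1]
        pos += 2
        if first & 0x80:                       # long-form length
            nbytes = first & 0x7F
            length = int.from_bytes(buf[pos:pos + nbytes], "big")
            pos += nbytes
        else:
            length = first
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out


def build_bind_request(msg_id, name, password):
    op = (ber_encode(TAG_INTEGER, ber_int(3))                 # LDAP version 3
          + ber_encode(TAG_OCTET_STRING, name.encode())
          + ber_encode(TAG_SIMPLE_AUTH, password.encode()))
    return ber_encode(TAG_SEQUENCE, ber_encode(TAG_INTEGER, ber_int(msg_id))
                      + ber_encode(TAG_BIND_REQUEST, op))


def build_bind_response(msg_id, result_code, diagnostic=""):
    op = (ber_encode(TAG_ENUMERATED, ber_int(result_code))
          + ber_encode(TAG_OCTET_STRING, b"")                    # matchedDN (empty)
          + ber_encode(TAG_OCTET_STRING, diagnostic.encode()))
    return ber_encode(TAG_SEQUENCE, ber_encode(TAG_INTEGER, ber_int(msg_id))
                      + ber_encode(TAG_BIND_RESPONSE, op))


def decode_ldap_message(raw):
    """Describe one LDAPMessage as a dict.  The simple-bind password is never returned."""
    outer = ber_children(raw)
    if len(outer) != 1 or outer[0][0] != TAG_SEQUENCE:
        raise ValueError("not a single LDAPMessage SEQUENCE")
    (_, msg_id_raw), (op_tag, op) = ber_children(outer[0][1])[:2]
    msg = {"message_id": int.from_bytes(msg_id_raw, "big", signed=True)}
    fields = ber_children(op)
    if op_tag == TAG_BIND_REQUEST:
        version, name, auth = fields[:3]
        msg.update(type="BindRequest", version=int.from_bytes(version[1], "big", signed=True),
                   name=name[1].decode(), auth="simple" if auth[0] == TAG_SIMPLE_AUTH else "sasl",
                   password_len=len(auth[1]))
    elif op_tag == TAG_BIND_RESPONSE:
        code = int.from_bytes(fields[0][1], "big", signed=True)
        diag = fields[2][1].decode(errors="replace")
        m = re.search(r"\bdata ([0-9a-f]+)", diag)
        msg.update(type="BindResponse", result_code=code, result=RESULT_CODES.get(code, "unknown"),
                   diagnostic=diag, ad_subcode=m.group(1) if m else None,
                   ad_reason=AD_SUBCODES.get(m.group(1)) if m else None)
    else:
        msg.update(type="protocolOp tag 0x%02x" % op_tag)
    return msg


def explain_bind(request_raw, response_raw):
    """Pair a BindRequest with its BindResponse and say what the server actually rejected."""
    req, resp = decode_ldap_message(request_raw), decode_ldap_message(response_raw)
    if resp.get("type") != "BindResponse":
        return "second message is not a BindResponse"
    if req["message_id"] != resp["message_id"]:
        return "response does not answer this request (messageID mismatch)"
    if resp["result_code"] == 0:
        return f"bind as {req['name']!r} succeeded"
    reason = resp["ad_reason"] or resp["result"]
    return f"bind as {req['name']!r} failed: {reason} (resultCode {resp['result_code']})"


# Constructed sample exchange (assumed values): the firewall binds as "panlab\chadd" and AD answers
# invalidCredentials with sub-code 52e, i.e. the account was found and the password was wrong.
SAMPLE_REQUEST = build_bind_request(5, "panlab\\chadd", "not-the-real-password")
SAMPLE_RESPONSE = build_bind_response(
    5, 49, "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580")

if __name__ == "__main__":
    print(decode_ldap_message(SAMPLE_REQUEST))
    print(decode_ldap_message(SAMPLE_RESPONSE))
    print(explain_bind(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

To use it on a real capture, copy the LDAP PDU bytes of the BindRequest and the matching BindResponse out of Wireshark (the TCP payload, after any length prefix Wireshark shows is the BER length itself) and pass them to explain_bind. A 525 sub-code on a name that looks right in the request usually means the server expected a different form (plain sAMAccountName, domain\user, or UPN) than the firewall's LDAP profile produced; a 52e means the name resolved and the password itself was rejected.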

L6 Presenter

Check your LDAP profile, especially whether you have typed the NetBIOS domain name correctly.
