PAN-200 and Active Directory - Part II

L3 Networker


  • PAN-200 Software version: 6.0.1
  • GlobalProtect Agent: 2.0.4
  • New domain, built on Windows Server 2012 R2.

I'm missing _something_. Set up as below and I cannot log in with the domain name account to the VPN. It's got to be one .. little .... thing.

Device - Setup - Services - Services Features: Service Route Configuration / Destination

  • Destination: <ip of domain controller>
  • Source Interface: Any
  • Source Address: 209.59.29.193/26

Device - Server Profiles - LDAP - created server profile 'Windstream-AD'

Server

  •   Name: tn-ad-01
  •   LDAP Server: <redacted IP>
  •   Port: 389

Unchecked SSL

Entered NetBIOS domain name

Type: Active Directory

Clicked the Base Drop down and voila: I got a base LDAP information, all filled in.

Entered BIND DN and valid credentials.

Device - User Identification - Group Mapping Settings

Found the Server Profile 'Windstream-AD'

Click 'Group Include List'

and it found the list <netbiosname>\ns-vpnusers

And .. now what? Is there something else? The two users in the group ns-vpnusers cannot log in with their domain credentials.

Man - what am I missing?

bat
L5 Sessionator

Re: PAN-200 and Active Directory - Part II

bdunbar

Could you verify if the login attribute in the authentication profile is set to sAMAccountName ?

Also, have you specified any users in the allow-list? I would first suggest you try with "all" in the allow-list.

L3 Networker

Re: PAN-200 and Active Directory - Part II

Also have you specified any users in the allow-list,

Device - Authentication Profile

Name: Active Directory

Allow List: All

login attribute in the authentication profile is set to sAMAccountName ?


I don't see a login attribute there.  But in Device - User Identification - Group Mapping Settings ..

Name: Windstream AD

User Objects - user name 'sAMAccountName'


EDIT

Correction to the above - I put 'sAMAccountName' in the auth profile 'login attribute'. Committed. Same issue.

bat
L5 Sessionator

Re: PAN-200 and Active Directory - Part II

bdunbar

I am referring to this attribute:

[Screenshot: sAMAccountName.JPG]

L3 Networker

Re: PAN-200 and Active Directory - Part II

Yes, I realized my mistake (see edit).  I inserted that value there: no dice.

L4 Transporter

Re: PAN-200 and Active Directory - Part II

Hello,

Also make sure that you have set the user's AD account settings to allow the user to log onto "all computers" instead of "the following computers".

Hope this helps.

Thanks

Tilak

bat
L5 Sessionator

Re: PAN-200 and Active Directory - Part II

Could you type the following command on the CLI:

tail follow yes mp-log authd.log

Now try to log in through GlobalProtect and paste the output of the above command here.

L3 Networker

Re: PAN-200 and Active Directory - Part II

Interesting: LOCAL_CP is one of three auth profiles on the device.  The others are

Kerberos Auth - using this to log in admin accounts authorized to Active Directory

Windstream Active Directory - this is my problem child, right now.

AD account is first.last

login as first.last

2014-10-06 16:48:50.484 -0500 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: brian.dunbar

2014-10-06 16:48:50.484 -0500 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LOCAL_GP','brian.dunbar'>

2014-10-06 16:48:50.493 -0500 debug: pan_localdb_authenticate(pan_authd_localdb_utils.c:133): No such user <vsys1,LOCAL_GP,brian.dunbar>

2014-10-06 16:48:50.494 -0500 authentication failed for local user <brian.dunbar(orig:brian.dunbar),LOCAL_GP,vsys1>

2014-10-06 16:48:50.494 -0500 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: brian.dunbar authresult not auth'ed

2014-10-06 16:48:50.510 -0500 debug: pan_authd_process_authresult(pan_authd.c:1399): Alarm generation set to: False.

2014-10-06 16:48:50.510 -0500 User 'brian.dunbar' failed authentication.  Reason: Invalid username/password From: 216.55.49.134.

2014-10-06 16:48:50.510 -0500 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False

login as netbios\first.last

2014-10-06 16:49:03.996 -0500 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: corp-cicayda\brian.dunbar

2014-10-06 16:49:03.996 -0500 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LOCAL_GP','corp-cicayda\brian.dunbar'>

2014-10-06 16:49:04.011 -0500 debug: pan_localdb_authenticate(pan_authd_localdb_utils.c:133): No such user <vsys1,LOCAL_GP,corp-cicayda\brian.dunbar>

2014-10-06 16:49:04.011 -0500 authentication failed for local user <corp-cicayda\brian.dunbar(orig:corp-cicayda\brian.dunbar),LOCAL_GP,vsys1>

2014-10-06 16:49:04.011 -0500 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: corp-cicayda\brian.dunbar authresult not auth'ed

2014-10-06 16:49:04.021 -0500 debug: pan_authd_process_authresult(pan_authd.c:1399): Alarm generation set to: False.

2014-10-06 16:49:04.021 -0500 User 'corp-cicayda\brian.dunbar' failed authentication.  Reason: Invalid username/password From: 216.55.49.134.

2014-10-06 16:49:04.021 -0500 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False

login as first.last@post-windows-2000.domain

2014-10-06 16:49:21.859 -0500 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: brian.dunbar@corp.cicayda.com

2014-10-06 16:49:21.860 -0500 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LOCAL_GP','brian.dunbar@corp.cicayda.com'>

2014-10-06 16:49:21.869 -0500 debug: pan_localdb_authenticate(pan_authd_localdb_utils.c:133): No such user <vsys1,LOCAL_GP,corp-cicayda\brian.dunbar>

2014-10-06 16:49:21.869 -0500 authentication failed for local user <corp-cicayda\brian.dunbar(orig:brian.dunbar@corp.cicayda.com),LOCAL_GP,vsys1>

2014-10-06 16:49:21.869 -0500 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: corp-cicayda\brian.dunbar authresult not auth'ed

2014-10-06 16:49:21.881 -0500 debug: pan_authd_process_authresult(pan_authd.c:1399): Alarm generation set to: False.

2014-10-06 16:49:21.881 -0500 User 'corp-cicayda\brian.dunbar' failed authentication.  Reason: Invalid username/password From: 216.55.49.134.

2014-10-06 16:49:21.881 -0500 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False

EDIT

It looks like the problem is that vsys1 is associated with 'LOCAL_GP'.  So .. I need to define a new virtual system (vsys2?) and associate that with LDAP.

I'm skimming virtual systems docs - very slick. I'm liking PAN more, and more.  Once I get it working I might well fall in love with it ...

EDIT

Nope. I was wrong.  But looking to fix the above I made it right ...

Network - GlobalProtect - Portals - edit ..

Authentication from 'GP_Portal' (what we had setup for local access prior to getting AD stood up) to 'Windstream Active Directory' aka the profile I setup for LDAP/AD.

And I'm in.  Groovy.  Thanks!
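What the authd.log excerpt above actually shows is that every AUTH Request was sent to the 'LOCAL_GP' profile (the local user database), so the LDAP profile was never consulted; the fix was to point the portal at the LDAP profile. As an added example (not from this thread or from Palo Alto Networks), the following Python parser groups such log lines into one record per attempt and flags any attempt routed to a profile other than the one the portal is expected to use; the sample lines are constructed in the shape of the thread's output, and the expected profile name passed to check_profile is an assumption.

```python
import re

# Constructed sample in the shape of "tail follow yes mp-log authd.log" output from the thread:
# one attempt with the bare sAMAccountName and one with the UPN form of the same account.
SAMPLE_LOG = r"""
2014-10-06 16:48:50.484 -0500 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LOCAL_GP','brian.dunbar'>
2014-10-06 16:48:50.493 -0500 debug: pan_localdb_authenticate(pan_authd_localdb_utils.c:133): No such user <vsys1,LOCAL_GP,brian.dunbar>
2014-10-06 16:48:50.494 -0500 authentication failed for local user <brian.dunbar(orig:brian.dunbar),LOCAL_GP,vsys1>
2014-10-06 16:48:50.510 -0500 User 'brian.dunbar' failed authentication.  Reason: Invalid username/password From: 216.55.49.134.
2014-10-06 16:49:21.860 -0500 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LOCAL_GP','brian.dunbar@corp.cicayda.com'>
2014-10-06 16:49:21.869 -0500 debug: pan_localdb_authenticate(pan_authd_localdb_utils.c:133): No such user <vsys1,LOCAL_GP,corp-cicayda\brian.dunbar>
2014-10-06 16:49:21.869 -0500 authentication failed for local user <corp-cicayda\brian.dunbar(orig:brian.dunbar@corp.cicayda.com),LOCAL_GP,vsys1>
2014-10-06 16:49:21.881 -0500 User 'corp-cicayda\brian.dunbar' failed authentication.  Reason: Invalid username/password From: 216.55.49.134.
"""

# Each pattern captures one kind of line seen in the thread's log output.
AUTH_REQ = re.compile(r"AUTH Request <'(?P<vsys>[^']*)','(?P<profile>[^']*)','(?P<user>[^']*)'>")
LOCAL_FAIL = re.compile(r"authentication failed for local user <(?P<lookup>[^(]*)\(orig:(?P<orig>[^)]*)\)")
FINAL = re.compile(r"User '(?P<user>[^']*)' failed authentication\.\s+Reason: (?P<reason>.*?) From: (?P<src>\S+?)\.?$")


def parse_attempts(log_text):
    """Group authd.log lines into one record per AUTH Request, in log order."""
    attempts = []
    for line in log_text.splitlines():
        if m := AUTH_REQ.search(line):
            attempts.append({**m.groupdict(), "local_db": False, "lookup": None,
                             "reason": None, "src": None})
        elif attempts and (m := LOCAL_FAIL.search(line)):
            attempts[-1]["local_db"] = True
            attempts[-1]["lookup"] = m["lookup"]   # name the local DB was asked for (UPN gets rewritten)
        elif attempts and "pan_localdb_authenticate" in line:
            attempts[-1]["local_db"] = True        # the local database, not LDAP, handled it
        elif attempts and (m := FINAL.search(line)):
            attempts[-1]["reason"] = m["reason"]
            attempts[-1]["src"] = m["src"]
    return attempts


def check_profile(attempts, expected_profile):
    """Return one finding per attempt that was routed to a profile other than expected_profile."""
    return [f"{a['user']}: portal used profile {a['profile']!r} "
            f"(local DB lookup: {a['local_db']}), expected {expected_profile!r}"
            for a in attempts if a["profile"] != expected_profile]


if __name__ == "__main__":
    for finding in check_profile(parse_attempts(SAMPLE_LOG), "Windstream Active Directory"):
        print(finding)
```

An empty result from check_profile with the LDAP profile name means the portal is at least sending the request to the right profile, and any remaining failure is on the LDAP/AD side (bind DN, login attribute, group membership, or account lockout).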

bat
L5 Sessionator

Re: PAN-200 and Active Directory - Part II

Could you also check the domain controller logs at the same time? Also make sure the user has not been locked out due to multiple failed attempts.

Hope it helps!
