GlobalProtect Client Using RADIUS Two Factor Authentication (2FA) not Hitting the Security Rule

44365
Created On 09/26/18 13:48 PM - Last Modified 06/16/23 18:26 PM



Issue

A GlobalProtect client that authenticates through RADIUS Two Factor Authentication (2FA) does not match a security rule whose source user is defined through user/group mapping.

 

Cause

The Palo Alto Networks firewall user/group mapping expects usernames in the DOMAIN\USERNAME format. When a GlobalProtect client authenticates through a RADIUS Server Profile that has no domain field configured, the DOMAIN part of the username can be missing. The firewall then cannot match the user to its group mapping, so rules that reference a group do not match.

(Image: Snapshot of RADIUS authentication profile)

 

Resolution

First, test with the RADIUS Server Profile's domain field left empty. Check the connected user with the following CLI command:

> show global-protect-gateway current-user

 

GlobalProtect Gateway: GATEWAY2 (1 users)

Tunnel Name          : GATEWAY2-N

        Domain-User Name          : \user1     <<<<<===== MISSING DOMAIN NAME

        Computer                  : PALO-34E24R21H0

        Client                    :

        Mobile ID                 :

        Private IP                : 0.0.0.0

        Public IP                 : 10.129.31.105

        ESP                       : none

        SSL                       : none

        Login Time                : Sep.03 16:06:31

        Logout/Expiration         : Oct.03 16:06:31

        TTL                       : 2592000

        Inactivity TTL            : 10800

 

 

> show user ip-user-mapping all

 

 

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)

--------------- ------ ------- -------------------------------- -------------- -------------

192.168.112.2   vsys1  GP      user1                            2591997        2591997      <<<<<===== MISSING DOMAIN NAME

Total: 1 users

> tail follow yes mp-log authd.log

2014-09-03 16:06:28.761 +0800 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: sglab\user1 authresult auth'ed

2014-09-03 16:06:28.762 +0800 Request received to unlock vsys1/LDAP_AUTH_PROF/sglab\user1

2014-09-03 16:06:28.763 +0800 User 'sglab\user1' authenticated.   From: 10.129.31.105.  <<<<<===== GP PORTAL LDAP AUTHENTICATION

2014-09-03 16:06:28.763 +0800 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False

2014-09-03 16:06:31.476 +0800 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: user1

2014-09-03 16:06:31.476 +0800 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','RAIDIUS1','user1'>

2014-09-03 16:06:31.480 +0800 authentication succeeded for user <vsys1,RAIDIUS1,user1>

2014-09-03 16:06:31.480 +0800 authentication succeeded for remote user <user1(orig:user1)>

2014-09-03 16:06:31.480 +0800 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: user1 authresult auth'ed

2014-09-03 16:06:31.480 +0800 Request received to unlock vsys1/RAIDIUS1/user1   <<<<<===== GP GATEWAY RADIUS AUTHENTICATION

2014-09-03 16:06:31.481 +0800 User 'user1' authenticated.   From: 10.129.31.105.

2014-09-03 16:06:31.481 +0800 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False

2014-09-03 16:06:31.483 +0800 debug: authd_sysd_localprofile_callback(pan_authd.c:4444): localprofile sync triggered via sysd

2014-09-03 16:06:31.483 +0800 debug: authd_sysd_localprofile_callback(pan_authd.c:4464): get local info for vsys1/RAIDIUS1

 

Without the domain name, the username can still be matched on a security rule, provided the rule references it without the DOMAIN part. Group mapping, however, does not work for the GlobalProtect-authenticated user at this point.
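The two checks above (does the mapped user carry a domain, and did the gateway's RADIUS profile apply one) can be done on saved CLI output instead of by eye. The following script is an added example, not code from the article or from Palo Alto Networks: it parses a constructed copy of the `show user ip-user-mapping all` table and the `authentication succeeded for remote user <final(orig:original)>` lines from authd.log, reports GlobalProtect mappings that lack the DOMAIN\ prefix, and shows the normalisation the domain field performs (prefixing DOMAIN\ when the name has none). The sample rows, the second user and the function names are assumptions made for the example.

```python
import re

# Constructed sample modelled on the outputs shown in this article; not captured from a live firewall.
# user1 is mapped without a domain (profile had no domain field), user2 with one.
IP_USER_MAPPING_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.112.2   vsys1  GP      user1                            2591997        2591997
192.168.112.3   vsys1  GP      sglab\\user2                     2591399        2591399
Total: 2 users
"""

# Constructed authd.log lines: the first without a profile domain, the second with "domain sglab" set.
AUTHD_LOG_LINES = [
    "2014-09-03 16:06:31.480 +0800 authentication succeeded for remote user <user1(orig:user1)>",
    "2014-09-03 15:53:06.361 +0800 authentication succeeded for remote user <sglab\\user1(orig:user1)>",
]

# One data row of the ip-user-mapping table: IP, vsys, source, user, idle timeout, max timeout.
MAPPING_ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vsys>\S+)\s+(?P<source>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<idle>\d+)\s+(?P<max>\d+)\s*$"
)

# The final username authd settled on and the original name the client sent.
REMOTE_USER = re.compile(
    r"authentication succeeded for remote user <(?P<final>[^(>]+)\(orig:(?P<orig>[^)]+)\)>"
)


def has_domain(user: str) -> bool:
    """True only for DOMAIN\\USERNAME with both parts non-empty ("\\user1" does not count)."""
    domain, sep, name = user.partition("\\")
    return bool(sep) and bool(domain) and bool(name)


def parse_ip_user_mapping(text: str) -> list:
    """Return the data rows of 'show user ip-user-mapping all' as dicts; header and footer are skipped."""
    rows = []
    for line in text.splitlines():
        m = MAPPING_ROW.match(line)
        if m:
            rows.append({"ip": m["ip"], "vsys": m["vsys"], "source": m["source"], "user": m["user"]})
    return rows


def mappings_missing_domain(text: str, source: str = "GP") -> list:
    """Mappings learned from the given source (GP = GlobalProtect) whose user has no domain prefix."""
    return [r for r in parse_ip_user_mapping(text) if r["source"] == source and not has_domain(r["user"])]


def parse_remote_auth(lines) -> list:
    """For each remote-authentication success, record the final and original names and whether a domain was applied."""
    results = []
    for line in lines:
        m = REMOTE_USER.search(line)
        if m:
            results.append({"final": m["final"], "orig": m["orig"], "domain_applied": has_domain(m["final"])})
    return results


def apply_profile_domain(user: str, domain: str) -> str:
    """Mirror the effect of the profile's domain field: prefix DOMAIN\\ when the name carries none."""
    if has_domain(user):
        return user
    name = user.lstrip("\\")  # "\\user1" from the first test becomes "user1" before prefixing
    return domain + "\\" + name


if __name__ == "__main__":
    for row in mappings_missing_domain(IP_USER_MAPPING_OUTPUT):
        print(f"{row['ip']} ({row['vsys']}): user '{row['user']}' has no domain, group mapping will not match")
    for r in parse_remote_auth(AUTHD_LOG_LINES):
        print(f"orig={r['orig']!r} final={r['final']!r} domain_applied={r['domain_applied']}")
```

Run it against pasted output from a firewall (the constructed strings are stand-ins for that) and any entry it lists is a user whose group-based rules cannot match until the profile's domain field is set; the `orig:` value in authd.log tells you what the client actually sent, and the `final` value whether the profile rewrote it.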

(Image: Snapshot of the Security Policy List)

 

Then test with the RADIUS Server Profile's domain field configured:

    radius {
      RADIUS {
        server {
          RADIUS {
            secret -AQ==5en6G6MezRroT3XKqkdPOmY/BfQ=AdEd9ZFNsuxCvAJJtn2Y+A==;
            port 1812;
            ip-address 10.129.31.105;
          }
        }
        checkgroup no;
        domain sglab;   <<<<<===== DOMAIN FIELD CONFIGURED
      }
    }

> show global-protect-gateway current-user

GlobalProtect Gateway: GATEWAY2 (1 users)

Tunnel Name          : GATEWAY2-N

        Domain-User Name          : sglab\user1 <<<<<===== CORRECT FORMAT DOMAIN\USERNAME

        Computer                  : PALO-34E24R21H0

        Client                    : Microsoft Windows Server 2003, Enterprise Edition Service Pack

        Mobile ID                 :

        Private IP                : 192.168.112.2

        Public IP                 : 10.129.31.105

        ESP                       : exist

        SSL                       : none

        Login Time                : Sep.03 15:53:06

        Logout/Expiration         : Oct.03 15:53:06

        TTL                       : 2591410

        Inactivity TTL            : 10210

 

 

> show user ip-user-mapping all

 

 

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)

--------------- ------ ------- -------------------------------- -------------- -------------

192.168.112.2   vsys1  GP      sglab\user1                      2591399        2591399      <<<<<===== CORRECT FORMAT DOMAIN\USERNAME

Total: 1 users

 

 

> tail follow yes mp-log authd.log

2014-09-03 15:53:03.173 +0800 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: sglab\user1 authresult auth'ed

2014-09-03 15:53:03.173 +0800 Request received to unlock vsys1/LDAP_AUTH_PROF/sglab\user1

2014-09-03 15:53:03.174 +0800 User 'sglab\user1' authenticated.   From: 10.129.31.105.     <<<<<===== GP PORTAL LDAP AUTHENTICATION

2014-09-03 15:53:03.174 +0800 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False

2014-09-03 15:53:06.357 +0800 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: user1

2014-09-03 15:53:06.357 +0800 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','RAIDIUS1','user1'>

2014-09-03 15:53:06.361 +0800 authentication succeeded for user <vsys1,RAIDIUS1,sglab\user1>

2014-09-03 15:53:06.361 +0800 authentication succeeded for remote user <sglab\user1(orig:user1)>

2014-09-03 15:53:06.361 +0800 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: sglab\user1 authresult auth'ed

2014-09-03 15:53:06.361 +0800 Request received to unlock vsys1/RAIDIUS1/sglab\user1  <<<<<===== GP GATEWAY RADIUS AUTHENTICATION

2014-09-03 15:53:06.362 +0800 User 'sglab\user1' authenticated.   From: 10.129.31.105.

2014-09-03 15:53:06.362 +0800 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False

2014-09-03 15:53:06.364 +0800 debug: authd_sysd_localprofile_callback(pan_authd.c:4444): localprofile sync triggered via sysd

2014-09-03 15:53:06.364 +0800 debug: authd_sysd_localprofile_callback(pan_authd.c:4464): get local info for vsys1/RAIDIUS1

 

Note: Once the domain field is set, the Palo Alto Networks firewall sends the username to the RADIUS server in the DOMAIN\USERNAME format, so the RADIUS server must be configured to accept that format; otherwise authentication will fail.

 

With the domain name present, the username can be used on the security rule, and user and group mapping now work properly, as shown in the snapshot below:

(Image: Security rule matching the GlobalProtect user with user/group mapping)

 

The same applies to the LDAP Server Profile: its domain field also needs to be configured so that the Palo Alto Networks firewall receives GlobalProtect-authenticated usernames in the correct DOMAIN\USERNAME format:

(Image: Snapshot of LDAP Server Profile with the domain field configured)

 

owner: jlunario



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClpJCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail