GlobalProtect Client Using RADIUS Two Factor Authentication (2FA) not Hitting the Security Rule
Issue
The GlobalProtect client using RADIUS Two Factor Authentication (2FA) is not hitting the security rule with user/group-mapping configured.
Cause
The Palo Alto Networks firewall's user/group mapping expects usernames in the DOMAIN\USERNAME format. If a GlobalProtect client authenticates through a RADIUS Server Profile that has no domain field configured, the DOMAIN part can be missing from the username the firewall records, so the firewall cannot match that user to its group mapping.
Resolution
First, test with the RADIUS Server Profile without the domain field configured, using the following CLI commands and the authd.log output:
> show global-protect-gateway current-user
GlobalProtect Gateway: GATEWAY2 (1 users)
Tunnel Name : GATEWAY2-N
Domain-User Name : \user1 <<<<<===== MISSING DOMAIN NAME
Computer : PALO-34E24R21H0
Client :
Mobile ID :
Private IP : 0.0.0.0
Public IP : 10.129.31.105
ESP : none
SSL : none
Login Time : Sep.03 16:06:31
Logout/Expiration : Oct.03 16:06:31
TTL : 2592000
Inactivity TTL : 10800
> show user ip-user-mapping all
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.112.2 vsys1 GP user1 2591997 2591997 <<<<<===== MISSING DOMAIN NAME
Total: 1 users
> tail follow yes mp-log authd.log
2014-09-03 16:06:28.761 +0800 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: sglab\user1 authresult auth'ed
2014-09-03 16:06:28.762 +0800 Request received to unlock vsys1/LDAP_AUTH_PROF/sglab\user1
2014-09-03 16:06:28.763 +0800 User 'sglab\user1' authenticated. From: 10.129.31.105. <<<<<===== GP PORTAL LDAP AUTHENTICATION
2014-09-03 16:06:28.763 +0800 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False
2014-09-03 16:06:31.476 +0800 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: user1
2014-09-03 16:06:31.476 +0800 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','RAIDIUS1','user1'>
2014-09-03 16:06:31.480 +0800 authentication succeeded for user <vsys1,RAIDIUS1,user1>
2014-09-03 16:06:31.480 +0800 authentication succeeded for remote user <user1(orig:user1)>
2014-09-03 16:06:31.480 +0800 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: user1 authresult auth'ed
2014-09-03 16:06:31.480 +0800 Request received to unlock vsys1/RAIDIUS1/user1 <<<<<===== GP GATEWAY RADIUS AUTHENTICATION
2014-09-03 16:06:31.481 +0800 User 'user1' authenticated. From: 10.129.31.105.
2014-09-03 16:06:31.481 +0800 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False
2014-09-03 16:06:31.483 +0800 debug: authd_sysd_localprofile_callback(pan_authd.c:4444): localprofile sync triggered via sysd
2014-09-03 16:06:31.483 +0800 debug: authd_sysd_localprofile_callback(pan_authd.c:4464): get local info for vsys1/RAIDIUS1
Without the domain name, the username can still be matched on a security rule, provided that the rule references it without the DOMAIN part. Group mapping, however, will not work for the GlobalProtect-authenticated user at this point, because group membership is keyed by DOMAIN\USERNAME.
Next, test with the RADIUS Server Profile with the domain field configured (profile as shown in the configuration):
radius {
  RADIUS {
    server {
      RADIUS {
        secret -AQ==5en6G6MezRroT3XKqkdPOmY/BfQ=AdEd9ZFNsuxCvAJJtn2Y+A==;
        port 1812;
        ip-address 10.129.31.105;
      }
    }
    checkgroup no;
    domain sglab; <<<<<=====
  }
}
> show global-protect-gateway current-user
GlobalProtect Gateway: GATEWAY2 (1 users)
Tunnel Name : GATEWAY2-N
Domain-User Name : sglab\user1 <<<<<===== CORRECT FORMAT DOMAIN\USERNAME
Computer : PALO-34E24R21H0
Client : Microsoft Windows Server 2003, Enterprise Edition Service Pack
Mobile ID :
Private IP : 192.168.112.2
Public IP : 10.129.31.105
ESP : exist
SSL : none
Login Time : Sep.03 15:53:06
Logout/Expiration : Oct.03 15:53:06
TTL : 2591410
Inactivity TTL : 10210
> show user ip-user-mapping all
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.112.2 vsys1 GP sglab\user1 2591399 2591399 <<<<<===== CORRECT FORMAT DOMAIN\USERNAME
Total: 1 users
> tail follow yes mp-log authd.log
2014-09-03 15:53:03.173 +0800 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: sglab\user1 authresult auth'ed
2014-09-03 15:53:03.173 +0800 Request received to unlock vsys1/LDAP_AUTH_PROF/sglab\user1
2014-09-03 15:53:03.174 +0800 User 'sglab\user1' authenticated. From: 10.129.31.105. <<<<<===== GP PORTAL LDAP AUTHENTICATION
2014-09-03 15:53:03.174 +0800 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False
2014-09-03 15:53:06.357 +0800 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: user1
2014-09-03 15:53:06.357 +0800 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','RAIDIUS1','user1'>
2014-09-03 15:53:06.361 +0800 authentication succeeded for user <vsys1,RAIDIUS1,sglab\user1>
2014-09-03 15:53:06.361 +0800 authentication succeeded for remote user <sglab\user1(orig:user1)>
2014-09-03 15:53:06.361 +0800 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: sglab\user1 authresult auth'ed
2014-09-03 15:53:06.361 +0800 Request received to unlock vsys1/RAIDIUS1/sglab\user1 <<<<<===== GP GATEWAY RADIUS AUTHENTICATION
2014-09-03 15:53:06.362 +0800 User 'sglab\user1' authenticated. From: 10.129.31.105.
2014-09-03 15:53:06.362 +0800 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False
2014-09-03 15:53:06.364 +0800 debug: authd_sysd_localprofile_callback(pan_authd.c:4444): localprofile sync triggered via sysd
2014-09-03 15:53:06.364 +0800 debug: authd_sysd_localprofile_callback(pan_authd.c:4464): get local info for vsys1/RAIDIUS1
Note: Because the Palo Alto Networks firewall now sends the username to the RADIUS server in the DOMAIN\USERNAME format, the RADIUS server must be configured to accept usernames in this format; otherwise authentication will fail.
With the domain name configured, the username can be used on the security rule, and user and group mapping now work properly, as shown below:
The same applies to the LDAP Server Profile: its domain field must also be configured so that the Palo Alto Networks firewall records GlobalProtect-authenticated users in the correct DOMAIN\USERNAME format:
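As an added example (not code from the original article or from Palo Alto Networks), the following Python script parses the two kinds of output shown above, the "show user ip-user-mapping all" table and the "authentication succeeded for remote user" lines from authd.log, and flags mapped users that lack the DOMAIN\ prefix, which is the condition that makes group-based security rules miss. The sample table, the two log lines and the group membership set are constructed for this example, modelled on the captures in the article; in practice you would feed the script the firewall's actual CLI output.

```python
import re
from typing import Dict, List

# Constructed sample of "show user ip-user-mapping all" output, modelled on the
# two captures in the article: one entry without the domain, one with it.
IP_USER_MAPPING_SAMPLE = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.112.2   vsys1  GP      user1                            2591997        2591997
192.168.112.3   vsys1  GP      sglab\\user2                     2591399        2591399
Total: 2 users
"""

# Constructed authd.log lines, modelled on the article's two captures
# (first without the domain field configured, then with it).
AUTHD_LOG_SAMPLE = """\
2014-09-03 16:06:31.480 +0800 authentication succeeded for remote user <user1(orig:user1)>
2014-09-03 15:53:06.361 +0800 authentication succeeded for remote user <sglab\\user1(orig:user1)>
"""

# Hypothetical group membership as the firewall would learn it from LDAP group
# mapping: members are keyed as DOMAIN\USERNAME, which is why a bare name never matches.
GROUP_MEMBERS = {"vpn-users": {"sglab\\user1", "sglab\\user2"}}

# One mapping row: IP, vsys, source (GP here), user, idle timeout, max timeout.
MAPPING_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vsys>\S+)\s+(?P<source>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<idle>\d+)\s+(?P<max>\d+)\s*$"
)
# authd records the effective name and, in parentheses, the name the client typed.
REMOTE_USER_RE = re.compile(
    r"authentication succeeded for remote user <(?P<user>[^(>]+)\(orig:(?P<orig>[^)]+)\)>"
)


def has_domain(user: str) -> bool:
    """True when the name carries a DOMAIN\\ prefix; a lone leading backslash does not count."""
    domain, sep, name = user.partition("\\")
    return bool(sep) and bool(domain) and bool(name)


def parse_ip_user_mapping(text: str) -> List[Dict[str, str]]:
    """Parse the tabular ip-user-mapping output into one dict per mapping row."""
    rows = []
    for line in text.splitlines():
        m = MAPPING_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def parse_remote_user_results(text: str) -> List[Dict[str, str]]:
    """Extract (effective user, original user) pairs from authd success lines."""
    return [m.groupdict() for m in map(REMOTE_USER_RE.search, text.splitlines()) if m]


def audit_mappings(rows: List[Dict[str, str]], groups: Dict[str, set]) -> Dict[str, List[str]]:
    """Classify each mapped user: in a known group, bare (no domain), or unknown."""
    members = set().union(*groups.values())
    report: Dict[str, List[str]] = {"in_group": [], "no_domain": [], "unknown": []}
    for row in rows:
        user = row["user"]
        if not has_domain(user):
            # This is the failure mode from the article: group lookups cannot match it.
            report["no_domain"].append(user)
        elif user in members:
            report["in_group"].append(user)
        else:
            report["unknown"].append(user)
    return report


if __name__ == "__main__":
    report = audit_mappings(parse_ip_user_mapping(IP_USER_MAPPING_SAMPLE), GROUP_MEMBERS)
    for category, users in report.items():
        print(f"{category}: {users}")
    for result in parse_remote_user_results(AUTHD_LOG_SAMPLE):
        print(f"authd recorded {result['user']!r} for login name {result['orig']!r}")
```

The "no_domain" bucket is the one to watch: any GlobalProtect user landing there will only match security rules written with a bare username and will never match a group-based rule, exactly the symptom the article describes. Comparing the "user" and "orig" fields from authd.log shows whether the profile's domain field is prepending the domain before the result reaches User-ID.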
owner: jlunario