GlobalProtect Login Fails When Using a Group in the Allow List


Issue

When using a group in the allow list of the authentication profile that GlobalProtect uses, the login attempt fails with the following error: "Reason: User is not in allowlist"

However, the login works if the allow list in the authentication profile is set to "all".


Resolution

  1. Confirm that the group you are using is in the Include List of a Group Mapping configuration under Device > User Identification > Group Mapping Settings:
    [Image: Group Mapping]

  2. Confirm that the group in question contains the user attempting to login.
    Run the CLI command: show user group name <value>

    For example:
    > show user group name pantac\vpn-user
    short name:  pantac\vpn-user

    source type: ldap
    source:      Pantac2003

    [1     ] pantac\user1
    [2     ] pantac\admin1
    [3     ] pantac\administrator
    [4     ] pantac\user2
    [5     ] pantac\user4

  3. Confirm that the LDAP server profile used for your Group Mapping and for your GlobalProtect authentication profile (in most cases the same profile) has the NetBIOS domain name (short name) in the domain field. Do not use the DNS name of the domain (domainname.com). In many cases the field can also be left blank.

    The LDAP server profile is under Device > Server Profiles > LDAP.
    [Image: LDAP server account]
    In PAN-OS 7.0 and later, the domain setting was moved to Device > User Identification > Group Mapping Settings > User Domain.
    [Image: User Domain]
    In PAN-OS 8.0 the User Domain can also be set in the Authentication Profile.
    [Image: User Domain in the Authentication Profile]
  4. Confirm that the group name in the allow list of the GlobalProtect authentication profile is the group's long name. Copy the value from the output of the show user group list CLI command rather than typing it, so that it matches exactly:
    [Image: Authentication Profile Allow List]


owner: jteestel
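
The allow-list check that steps 2 to 4 troubleshoot can be modelled offline. The following Python is an added example, not PAN-OS code and not part of this article: it parses constructed `show user group name` output like the one in step 2, builds the `domain\user` key the way the User Domain setting is described above (a simplified model, not the firewall's actual logic), and runs the allow-list comparison for the cases the article and comments describe (NetBIOS vs. DNS domain, UPN login, short vs. long group name, allow list set to `all`). The group long name `cn=vpn-user,ou=groups,dc=pantac,dc=local` is an assumption; take the real value from `show user group list`.

```python
"""Offline model of the authentication-profile allow-list check.

Added example, not PAN-OS code. The sample CLI output and the group long
name are constructed for illustration; the domain handling is a simplified
model of the User Domain setting described in the article, not the
firewall's actual implementation.
"""
import re
from typing import Dict, Set, Tuple

# Constructed sample of `show user group name pantac\vpn-user` (step 2).
SAMPLE_GROUP_OUTPUT = r"""
short name:  pantac\vpn-user

source type: ldap
source:      Pantac2003

[1     ] pantac\user1
[2     ] pantac\admin1
[3     ] pantac\administrator
[4     ] pantac\user2
[5     ] pantac\user4
"""

# Constructed long name (assumption); copy the real one from `show user group list`.
VPN_GROUP_LONG_NAME = "cn=vpn-user,ou=groups,dc=pantac,dc=local"

# Member lines look like "[1     ] pantac\user1".
_MEMBER_RE = re.compile(r"^\[\s*\d+\s*\]\s+(\S+)$")


def parse_group_members(cli_output: str) -> Set[str]:
    r"""Return the case-folded 'domain\user' members listed by `show user group name`."""
    members: Set[str] = set()
    for line in cli_output.splitlines():
        match = _MEMBER_RE.match(line.strip())
        if match:
            members.add(match.group(1).lower())
    return members


def normalize_login(user_input: str, user_domain: str) -> str:
    r"""Build the 'domain\user' key compared against the group membership list.

    Simplified model: any domain the user typed (DOMAIN\user or user@realm) is
    stripped and the configured User Domain is prepended. With an empty User
    Domain the typed domain, if any, is kept as-is, which is why a DNS-style
    realm ('pantac.com') never matches a NetBIOS-keyed member list ('pantac').
    """
    name, typed_domain = user_input, ""
    if "\\" in name:
        typed_domain, name = name.split("\\", 1)
    elif "@" in name:
        name, typed_domain = name.split("@", 1)
    domain = user_domain or typed_domain
    return f"{domain}\\{name}".lower() if domain else name.lower()


def allow_list_check(user_input: str, user_domain: str, allow_list: Set[str],
                     groups: Dict[str, Set[str]]) -> Tuple[bool, str]:
    r"""Return (allowed, reason) for one login against an allow list.

    `allow_list` holds 'all', group long names, or 'domain\user' entries;
    `groups` maps each group long name to the member set parsed from the CLI.
    """
    if "all" in allow_list:
        return True, "allow list is 'all'"
    key = normalize_login(user_input, user_domain)
    if key in {entry.lower() for entry in allow_list}:
        return True, f"{key} is listed directly"
    groups_by_name = {name.lower(): members for name, members in groups.items()}
    for entry in allow_list:
        members = groups_by_name.get(entry.lower())
        if members is None:
            continue  # short name or typo: step 4 says the long name is required
        if key in members:
            return True, f"{key} is a member of {entry}"
    return False, f"User {key} is not in allowlist"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the cases discussed in the article and comments."""
    groups = {VPN_GROUP_LONG_NAME: parse_group_members(SAMPLE_GROUP_OUTPUT)}
    by_group = {VPN_GROUP_LONG_NAME}
    return {
        "netbios user domain": allow_list_check("user1", "pantac", by_group, groups),
        "dns user domain": allow_list_check("user1", "pantac.com", by_group, groups),
        "upn, no user domain": allow_list_check("user1@pantac.com", "", by_group, groups),
        "short group name": allow_list_check("user1", "pantac", {"vpn-user"}, groups),
        "allow list 'all'": allow_list_check("user1", "pantac.com", {"all"}, groups),
    }


if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case:20} {'OK  ' if allowed else 'FAIL'} {reason}")
```

Running the script prints one line per case; only the NetBIOS-domain and `all` cases pass, which is the behaviour described in the Issue section. The model is deliberately strict (exact string match after case-folding) so the mismatch is visible; it does not reproduce every normalization PAN-OS performs, and the real check should always be verified with the GlobalProtect client rather than inferred from this model.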

Comments

Dear Sir,

If we have multiple domains deployed, and need to use a universal group for all allowed SSL VPN users distributed across different domains, how do we set up the NetBIOS domain name (short name) in the domain field of the LDAP profile, as in the example in step 3 above?

Thanks.

Joy Liu

There is no longer a domain field in LDAP profiles (in 7.1 at least).

The domain field is under the Group Mapping tab: User-ID > Group Mapping > Server Profile > User Domain, from 7.0 onwards.

In 7.0 and 7.1, the User Domain is here: Device -> Authentication Profile -> Authentication -> User Domain.

I ran into the same issue in 7.1.1 and added the domain name (in my case, acme) to the Authentication Profile.

I tested, and it's OK.

 

This article is very important to the people who configure the group list for GP.

Please mark it.

Just to add my own findings to this post. Note that I am using PAN-OS 7.0.xx and the authentication attribute "userPrincipalName" instead of the default "sAMAccountName".

On the group-mapping screen, adding a "User Domain" entry (see screenshot below) causes that same value to be populated for all of the members of the group, as listed by the CLI (see screenshot below).

[Images: ACME-Authentication_GroupMapping.png, ACME-Authentication_GroupMappingListingCLI.png]

Note that this *EXACT* "User Domain" value must also be added to the "Authentication Profile" (see screenshot below), otherwise you will receive a slew of "failed authentication for user <PERTINENT USER>. Reason: User is not in allowlist auth profile" errors.

[Image: ACME-Authentication_AuthenticationProfile.png]

---

Additionally, in my particular configuration, the authentication portion refused to work when I defined a "User Domain" value in my group mappings. Instead, I left the "User Domain" value blank (see screenshot).

[Image: ACME-Authentication_GroupMapping_DEFAULT.png]

From there, I listed the group in the CLI to see which *DEFAULT* "User Domain" value was being picked up by the PAN device (see screenshot below):

[Image: ACME-Authentication_GroupMappingListingCLI-DEFAULT.png]

And from there, I just made sure to match the same *EXACT* "User Domain" value in the "Authentication Profile" (see screenshot):

[Image: ACME-Authentication_AuthenticationProfile-DEFAULT.png]

This worked like a charm. Note that because I am using "userPrincipalName" as my authentication attribute, my users still had to log in as jon.snow@acme.com. However, I then set the "Username Modifier" in the "Authentication Profile" to "%USERINPUT%@%USERDOMAIN%", which allowed my users to log in as jon.snow instead, with no need for the domain name.

Hope this helps someone out.

Hi, the settings from rhermida's post worked for me. PAN-OS 7.1.2

Thanks guys

Same here, I had to make my setup identical to @rhermida's in order for it to work. I could not get it to work using sAMAccountName. I'm running PAN-OS 7.0.6

I'm getting an "invalid username" error when I click the dropdown arrow from step 1. Would this mean I need to change the password in AD for the Palo admin?

 

Thanks

Shawn

fencepencil

I am having this exact issue under PAN-OS 8.0.6. The support ticket has been open for days and everyone is stumped. Is anyone successfully using this configuration in PAN-OS 8.0.x?

@fencepencil a failure in step 1 usually means something is wrong with the settings in step 3: maybe there's a typo in the password or the bind DN username is incorrect, or SSL is checked while the AD does not support SSL, for example.

@BillThompson are you connecting to a traditional Active Directory and does the profile reflect this (server type set to active-directory)? Are your login attributes set to sAMAccountName in the profile and in group mapping, and did you fill out the FQDN domain (domain.com instead of the NetBIOS 'domain')?

@reaper Yes, it is a traditional AD system with the LDAP server profile type set to "active-directory". The login attribute in the profile and group mapping is set to "sAMAccountName". I have tried the "user domain" configuration with the FQDN, with the NetBIOS domain, and left blank to retrieve the domain from the server. I have also tried all variations of the "username modifier". None of these configurations have worked.

I did reconfigure the login attribute to use "userPrincipalName" as @rhermida had suggested, but that did not resolve the issue.

 

All groups and users appear properly on the CLI when running "show user group list" and "show user group name <LDAP path to group>". If the auth profile allow list is set to "all", authentication succeeds through the AD server.

FYI-

Found out today that PAN-OS 8.0.x has a bug with the CLI command "test authentication authentication-profile" that causes the test to fail if a group is listed in the authentication profile allow list. I have been using that command exclusively to test my configuration. I will re-test the configurations described by @reaper and @rhermida to verify that this CLI bug was the cause of my testing failures and report back.

I have confirmed that the instructions @reaper posted work with PAN-OS 8.0.6 when using sAMAccountName for the user login. On my system, the User Domain field needed to be set to the NetBIOS name in both the User Identification > Group Mapping settings and the Authentication Profile in order for authentication to succeed. Tested with the GP client, NOT the CLI test command.

thanks for confirming @BillThompson !

Does anyone know if the bug with "test authentication" has been solved, or when it is planned to be solved?

Hi @PerTenggren

Palo Alto Networks bugs are marked with 'PAN-xxxxx', where x are numbers.

If you do not know this number, you can search through the release notes to see if what you are looking for has been marked as addressed or marked as a 'known issue'. If you can't find what you are looking for, it is best to reach out to support to get a solid answer to your question.

Hi @reaper and thanks for the reply. The reason I asked is that I can't find any bugs in 8.0.x related to the test authentication issue, even though I can confirm it :-)

hi @PerTenggren

Then your best course of action is to reach out to support as they will be able to assist you with this issue

I have a support ticket logged for this at the moment. A customer alerted me to it (8.1.0) and I replicated it in my lab (8.0.9). I know 8.1.1 had a fix for Authentication Profiles and LDAP group mapping, but that was for the profile being used in config; in our cases it is the 'test' command on the CLI that isn't working.

OK, so there is a confirmed bug with the test command:

> test authentication authentication-profile...

resulting in the following error:

"Allow list check error:
Target vsys is not specified, user "silentbob" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
User Administrator is not allowed with authentication profile LDAP"

(membership of LDAP groups is ignored in the authentication profile allow list).

It's registered under PAN-80160, but this is not publicly documented (not in the Limitations or Known Issues of 8.0).

Hopefully search engines will bring people here.... :)

The bug is resolved in 8.1

I have tried to allow a specific group under the authentication profile used for GlobalProtect, but it didn't work. The users are entering their correct credentials and every time they get the message that authentication failed, enter login credentials and password.

Putting the domain name under the LDAP server profile and the Group Mapping settings does not solve my problem. Any suggestions?

I am running PAN-OS 7.1.14.

Also regarding LDAP, I checked and it is mapping all our groups from the AD servers and they are populated on the firewall.