05-14-2013 08:20 AM
Hello
We are using RSA for user authentication with Global Protect.
We need to identify the LDAP group (Windows Active Directory) the user belongs to, but it doesn't work.
The reason is that the user we use for authentication doesn't include the domain, so the LDAP query doesn't match the right user:
    cscworks@pa-intx.cajamar.int(active)> show user ip-user-mapping all | match mbm60380
    10.240.1.24     vsys1   UIA   domain\mbm60380   2388      2388
    10.240.1.1      vsys1   UIA   domain\mbm60380   2101      2101
    10.240.250.1    vsys2   GP    mbm60380          2590859   2590859

    cscworks@pa-intx.cajamar.int(active)> show user group name domain\group1
    short name: domain\group1
    [1 ] domain\aag60368
    [2 ] domain\ced61081
    [3 ] domain\jas61669
    [4 ] domain\mbm60380
    [5 ] domain\pmc61693
    [6 ] domain\vcm60984
Is there any way to fix this?
Can the firewall add the domain to the LDAP query?
05-14-2013 08:33 AM
Add 'domain' in domain field within your ldap server profile and test. Here's my setup.
    ldap {
      amb {
        server {
          amb {
            port 389;
            address 172.16.20.23;
          }
        }
        ldap-type active-directory;
        base DC=amb,DC=local;
        bind-dn renato@amb.local;
        timelimit 30;
        bind-timelimit 30;
        ssl no;
        domain amb;
      }
    }

    admin@PA-200> show user ip-user-mapping all
    IP               Vsys    From    User                               IdleTimeout(s)  MaxTimeout(s)
    ---------------  ------  ------  --------------------------------   --------------  -------------
    172.16.20.1      vsys1   AD      amb\renato                         2697            2697
    172.100.100.1    vsys1   GP      amb\renato                         10746           10746
    172.16.20.2      vsys1   AD      amb\renato                         289             289
    172.16.20.226    vsys1   CP      amb\renato                         459             2538
    172.16.20.23     vsys1   AD      amb\renato                         2526            2212
    Total: 5 users
05-14-2013 08:35 AM
Without the domain configured:
    ldap {
      amb {
        server {
          amb {
            port 389;
            address 172.16.20.23;
          }
        }
        ldap-type active-directory;
        base DC=amb,DC=local;
        bind-dn renato@amb.local;
        timelimit 30;
        bind-timelimit 30;
        ssl no;
      }
    }

    admin@PA-200> show user ip-user-mapping all
    IP               Vsys    From    User                               IdleTimeout(s)  MaxTimeout(s)
    ---------------  ------  ------  --------------------------------   --------------  -------------
    172.16.20.1      vsys1   AD      amb\renato                         2695            2695
    172.100.100.1    vsys1   GP      renato                             2592000         2592000
    172.16.20.2      vsys1   AD      amb\renato                         135             135
    172.16.20.226    vsys1   CP      amb\renato                         305             2384
    172.16.20.23     vsys1   AD      amb\renato                         2372            2058
05-14-2013 09:19 AM
I've tried with the domain configured, but it doesn't work either:

    domain.int-PCI-RSA {
      server {
        esc04.domain.int {
          port 636;
          address 192.168.66.3;
        }
        esc15.domain.int {
          port 636;
          address 192.168.66.15;
        }
        esc16.domain.int {
          port 636;
          address 192.168.66.16;
        }
        esc03.domain.int {
          port 636;
          address 192.168.66.4;
        }
      }
      ldap-type active-directory;
      bind-dn F5-APM-AD@domain.int;
      timelimit 30;
      bind-timelimit 30;
      retry-interval 60;
      bind-password xxxxxxxxxxxxxxxxxxx;
      ssl yes;
      base dc=domain,dc=int;
      domain domain;
    }

    show user ip-user-mapping all | match mbm60380
    10.240.1.24     vsys1   UIA   domain\mbm60380   922       922
    10.240.1.1      vsys1   UIA   domain\mbm60380   2363      2363
    10.240.250.1    vsys2   GP    mbm60380          2591972   2591972
Thanks for your answer
05-14-2013 09:35 AM
Did you attempt to clear the user cache for the IP in question? Perhaps clear the group cache as well and reset the LDAP server profile connection.
What PAN-OS version are you running?
05-14-2013 02:06 PM
I'm afraid I don't know how to clear the user cache for that IP or the group cache. I don't know how to reset the LDAP server profile connection either.
I'm running version 5.0.4.
What authentication method are you using?
05-14-2013 02:36 PM
You can use the following commands to clear the user-IP mapping from the firewall. Just make sure the user is logged out before you do this.

    clear user-cache ip
    clear user-cache-mp ip

Moreover, if you are using AD to authenticate users and have added the NetBIOS domain name in the profile, then it should be appended to the mapping.
Hope this helps.
Thank you
05-14-2013 11:47 PM
Hello
I have cleared both caches but the result is the same.
I'm using RSA SecurID authentication through a Cisco Secure ACS 4.2 server. It doesn't support domain stripping, at least not the version we have.
Thanks for your help
05-15-2013 12:55 AM
I've tried another thing:
- If I type domain\mbm60380 for GlobalProtect authentication, what the firewall sends to the RADIUS server is mbm60380. It removes the domain.
- Nevertheless, if I type mbm60380@domain, the firewall does send that user to the RADIUS server as typed. In that case it doesn't remove the suffix.
05-15-2013 08:25 AM
I've been able to solve this issue.
I use the <username>@domain format in the GlobalProtect client.
Then I do the domain stripping in the RADIUS configuration, so that the RSA server authenticates just the username without the domain.
Thank you
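The whole thread comes down to one comparison: the identity the firewall records in the IP-to-user mapping must carry the same NetBIOS domain prefix as the entries returned by the group lookup, otherwise a GlobalProtect mapping such as a bare mbm60380 never matches domain\mbm60380 in domain\group1. The following is an added example (not code from the thread or from Palo Alto Networks) that parses the three username forms seen above (DOMAIN\user, user@domain, bare user), replays the mapping and group output quoted in the thread as constructed sample input, and flags the mappings that would fail the group match. The optional default_domain parameter is a hypothetical model of the LDAP profile's domain field as the second responder describes it; it is not PAN-OS behaviour verified here.

```python
from typing import NamedTuple, Optional

# Constructed sample: the "show user ip-user-mapping all | match mbm60380" lines
# quoted in the original post (values taken from the thread, layout re-typed).
SAMPLE_MAPPING = """\
10.240.1.24     vsys1   UIA   domain\\mbm60380   922       922
10.240.1.1      vsys1   UIA   domain\\mbm60380   2363      2363
10.240.250.1    vsys2   GP    mbm60380          2591972   2591972
"""

# Constructed sample: members of domain\group1 as listed by "show user group name".
GROUP1_MEMBERS = [
    "domain\\aag60368", "domain\\ced61081", "domain\\jas61669",
    "domain\\mbm60380", "domain\\pmc61693", "domain\\vcm60984",
]


class Identity(NamedTuple):
    domain: Optional[str]   # NetBIOS/DNS domain label, lower-cased; None when absent
    user: str               # bare account name, lower-cased


def parse_identity(raw: str) -> Identity:
    """Split a username given as DOMAIN\\user, user@domain or a bare user name."""
    if "\\" in raw:
        dom, _, user = raw.partition("\\")
        return Identity(dom.lower(), user.lower())
    if "@" in raw:
        user, _, dom = raw.rpartition("@")
        return Identity(dom.lower(), user.lower())
    return Identity(None, raw.lower())


def parse_mapping(output: str) -> list:
    """Parse ip-user-mapping rows: IP, Vsys, From, User, IdleTimeout, MaxTimeout."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # skip headers, separators and blank lines
        ip, vsys, source, user = parts[:4]
        rows.append({"ip": ip, "vsys": vsys, "from": source,
                     "user": user, "identity": parse_identity(user)})
    return rows


def is_member(identity: Identity, members, default_domain: Optional[str] = None) -> bool:
    """Membership as a domain-qualified comparison: the mapping identity must carry
    the same domain as the group entries. A bare user name only matches when a
    default_domain is supplied (hypothetical model of the profile's domain field)."""
    dom = identity.domain or default_domain
    if dom is None:
        return False
    return Identity(dom, identity.user) in {parse_identity(m) for m in members}


def find_unmatched(output: str, members, default_domain: Optional[str] = None) -> list:
    """Return (ip, from, user) for every mapping that would not match the group."""
    return [(r["ip"], r["from"], r["user"])
            for r in parse_mapping(output)
            if not is_member(r["identity"], members, default_domain)]


if __name__ == "__main__":
    for ip, src, user in find_unmatched(SAMPLE_MAPPING, GROUP1_MEMBERS):
        print(f"{ip} ({src}) maps to '{user}' without a domain: no group match")
```

Run against the thread's own output, only the GlobalProtect row (10.240.250.1, user mbm60380) is reported, which is exactly the row that carries no domain prefix; the two UIA rows match because they were learned as domain\mbm60380. The same check is useful after applying the accepted fix (user@domain in the client, domain stripping on the RADIUS side): a second run against fresh `show user ip-user-mapping all` output should return an empty list.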