authenticate with domain\username in Global Protect


L2 Linker

Hi Guys,

I have set the authentication profile (Username Modifier) to %USERDOMAIN%\%USERINPUT%

because I want all users currently using GP to add their domain as well, not just the username.

The profile has been added to the GP authentication section.

But every time I just get failed authentication from these users.

But the second authentication profile is accepting only %USERINPUT% as input. Meaning all users on the second profile are able to authenticate without any problem.

Both profiles are using the same GP settings (configured on the same GP).

Did I miss anything in my config?

I would deeply appreciate it if someone could provide me with some hints.

Cheers,

Gilo

Accepted Solutions

L2 Linker

@Mick_Ball , @Ben-W thank you very much for the hints. Your ideas really helped me out.

I have solved the problem. What I had before was as follows:

- on GP --> Client Auth, I had both profiles (Auth Profile A and Auth Profile B)

1 - Profile A = only with username

2 - Profile B = with domain and username (here I do not have a domain in the User Domain (I removed it))

So every time the client on Profile B tried to sign in, GP only hit the 1st profile (Profile A).

Users on A were able to log in without any problem.

So, I just created one Authentication Sequence Profile X = A and B

and on GP --> Client Auth I just added the Auth Seq X. Then it worked as I wanted.

In the Auth Seq it checks the first Auth Profile; if it does not get a hit it moves to the next Auth Profile.

What I find weird is why on the GP --> Client Auth tab you have the option to add several profiles for authentication, but instead of checking all the profiles in that list it just hits the first profile and does not check the other profiles.


L2 Linker

Hi Gilo,

Bit of a stab in the dark, and maybe one of the others can help more, however for a quick check/test:

Have you checked the logs on the DC to see what was being sent through from the Palo when it fails? I'm thinking maybe you have added a domain within the domain field (either within the LDAP profile or the Authentication profile, depending which PAN-OS version you are using), which would append the domain entry. Remove the domain entry and retest.

Also you can tail the logs on the Palo to maybe gain some more insight: > tail follow yes mp-log authd.log

Again this is a true stab in the dark, and hopefully the others can provide additional assistance.

L7 Applicator

Using the %USERDOMAIN%\%USERINPUT% option will remove any "domain\" entered by the user and use the domain info in the "User Domain" field of the authentication profile.

If you do not have a "User Domain" entry in the profile, then the Palo Alto will attempt to resolve the domain name via group mapping.
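An added illustration of the two points made in this thread (the accepted answer above and the reply just above this one), not code from the thread or from Palo Alto Networks: a small Python model of what the Username Modifier does to the typed name, and of how an Authentication Sequence falls through profiles, compared with the first-profile-only behaviour the poster reported for a plain list of profiles under GP Client Auth. The profile names A and B follow the thread; the domain CORP, the accepted identities in each backend, and the way an empty User Domain is handled are assumptions made for the model.

```python
"""Model of two behaviours discussed in this thread: how an authentication
profile's Username Modifier rewrites what the user typed before it is sent to
the backend, and how an Authentication Sequence falls through profiles while a
plain list under GP Client Auth (as the original poster observed) stops at the
first one. Added illustration, not Palo Alto Networks code; the backend
"directories" are constructed sample data.
"""

from dataclasses import dataclass


def split_user_input(user_input):
    """Split 'DOMAIN\\user' or 'user@domain' into (domain, user).

    A bare username yields (None, user).
    """
    if "\\" in user_input:
        domain, user = user_input.split("\\", 1)
        return domain, user
    if "@" in user_input:
        user, domain = user_input.rsplit("@", 1)
        return domain, user
    return None, user_input


@dataclass
class AuthProfile:
    name: str
    # Username Modifier as shown in the profile: %USERINPUT%,
    # %USERDOMAIN%\%USERINPUT% or %USERINPUT%@%USERDOMAIN%
    modifier: str
    # The profile's "User Domain" field; "" when it has been left empty
    user_domain: str
    # Constructed stand-in for the LDAP/RADIUS backend: identities it accepts
    directory: frozenset

    def normalized_username(self, user_input):
        """The identity the firewall would send to this profile's backend."""
        if self.modifier == "%USERINPUT%":
            return user_input  # passed through exactly as typed
        # The two domain-bearing modifiers drop any domain the user typed
        # (see the reply above) and use the profile's User Domain instead.
        # With User Domain empty the real firewall consults group mapping;
        # this model (an assumption) simply leaves the domain part blank.
        _typed_domain, user = split_user_input(user_input)
        if self.modifier == "%USERDOMAIN%\\%USERINPUT%":
            return f"{self.user_domain}\\{user}"
        if self.modifier == "%USERINPUT%@%USERDOMAIN%":
            return f"{user}@{self.user_domain}"
        raise ValueError(f"unsupported username modifier: {self.modifier!r}")

    def authenticate(self, user_input):
        return self.normalized_username(user_input) in self.directory


def client_auth_first_only(profiles, user_input):
    """Several profiles listed under GP Client Auth, behaving as the poster
    reported: only the entry at the top of the list is consulted."""
    return profiles[0].name if profiles[0].authenticate(user_input) else None


def auth_sequence(profiles, user_input):
    """An Authentication Sequence: try each profile in order and return the
    name of the first one that accepts the credentials, or None."""
    for profile in profiles:
        if profile.authenticate(user_input):
            return profile.name
    return None


# Constructed profiles mirroring the thread: A takes the bare username,
# B prepends the User Domain. The domain name CORP is an assumption.
PROFILE_A = AuthProfile("A", "%USERINPUT%", "", frozenset({"alice"}))
PROFILE_B = AuthProfile("B", "%USERDOMAIN%\\%USERINPUT%", "CORP",
                        frozenset({"CORP\\bob"}))
# Same as B but with User Domain cleared, as in the poster's failing setup
PROFILE_B_NO_DOMAIN = AuthProfile("B-nodomain", "%USERDOMAIN%\\%USERINPUT%", "",
                                  frozenset({"CORP\\bob"}))


if __name__ == "__main__":
    for user in ("alice", "CORP\\bob", "bob@corp.example"):
        first = client_auth_first_only([PROFILE_A, PROFILE_B], user)
        seq = auth_sequence([PROFILE_A, PROFILE_B], user)
        print(f"{user:18} first-only -> {first}   sequence -> {seq}")
    print("B without User Domain sends:",
          repr(PROFILE_B_NO_DOMAIN.normalized_username("CORP\\bob")))
```

Running it shows that with the two profiles merely listed, a user typing CORP\bob is rejected because only A is consulted, while the sequence lands on B; it also shows that B rewrites OTHER\bob or bob@corp.example to CORP\bob, so the domain the user types is irrelevant once the modifier is in play.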

 

For GP to check all authentication profiles you need to add them to an "authentication order" and then add the "authentication order" to the Client Auth tab.

@Mick_Ball Thx a lot

Well, that is what I did (I guess by Auth Order you mean the Auth Sequence).

But my point is that on the Client Auth tab you have the possibility to add several profiles. Something I tested by adding several profiles, but every time only the first profile, currently at the top of the list, was being checked; the others below were not.

As you said, that worked quite well. I defined a new Auth Seq, then I added all the other profiles into it,

and later added the newly created Auth Seq to GP.

Sorry, yes, "sequence".

The auth profile on the portal config has always been a gripe of mine. It seems to work OK for the different OS options, but I was also never able to try all profiles for the same OS. I suppose this makes sense, but the help file does suggest that you can have multiple auth profiles for the same OS.

It may work in the same way as the setup within Device\Authentication Profile. This will only try the next option if the auth server does not respond.

So... now they have added "Authentication Sequence", all is good.
