02-23-2021 06:37 PM
We are having difficulty with our Active/Passive pair of PA_820’s where they are setup to allow auth to GlobalProtect based on AD group membership.
If we create a new OU in AD and move a user to the newly created AD OU whilst still having the same group membership, they can no longer auth to connect to global protect from internal nor external networks.
If we then move them back to the original OU, auth works again.
We have tried the reset, refresh and clear commands (debug user-id reset group-mapping all, debug user-id refresh group-mapping all, clear user-cache all)
We have also tried to drop the bind one level down. Any further ideas how to resolve this?
PANOS version – 9.1.3
GlobalProtect version – 5.1.1
02-23-2021 08:41 PM
So you can actually view group membership directly on the firewall via the show user group name <value> command and make sure that the user is properly showing up in the group membership list. Next I would see what the test authentication gives you on the firewall itself (test authentication authentication-profile <value> username <value> password). That can sometimes point you in the right direction.
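Before clearing caches, one check worth doing offline is whether the moved user's new DN still sits under the LDAP search base the firewall's group mapping uses; a user moved to an OU outside that base simply disappears from the firewall's view of the group. The script below is an added example, not from this thread or from Palo Alto Networks: it assumes that mechanism, uses a constructed directory export rather than a live LDAP query, and names (jdoe, asmith, the corp.example domain, the VPN-Users group) are placeholders. It normalises DNs, simulates the OU move, and reports which of four states the user ends up in.

```python
"""Pre-check for AD group-mapping problems after a user is moved between OUs.

Added example (not from the thread or from Palo Alto Networks). It assumes the
failure mode where the user's new OU lies outside the LDAP search base that the
firewall's group mapping is configured with, so the user and their membership
are no longer visible to the firewall. All directory data here is constructed.
"""
from typing import Dict, List, Optional

# Constructed directory export: DN -> attributes (sAMAccountName, memberOf).
CONSTRUCTED_DIRECTORY: Dict[str, dict] = {
    "CN=jdoe,OU=Staff,DC=corp,DC=example": {
        "sAMAccountName": "jdoe",
        "memberOf": ["CN=VPN-Users,OU=Groups,DC=corp,DC=example"],
    },
    "CN=asmith,OU=Contractors,DC=corp,DC=example": {
        "sAMAccountName": "asmith",
        "memberOf": ["CN=Helpdesk,OU=Groups,DC=corp,DC=example"],
    },
}


def parse_dn(dn: str) -> List[str]:
    """Split a DN into normalised RDNs (trimmed, lower-cased), most specific first.
    An escaped comma ("\\,") inside a value is kept as part of that RDN."""
    rdns: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip().lower())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip().lower())
    return [r for r in rdns if r]


def dn_is_under(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn equals base_dn or sits anywhere beneath it in the tree."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


def find_user_dn(directory: Dict[str, dict], sam_account_name: str) -> Optional[str]:
    """Locate a user by sAMAccountName (case-insensitive) and return the DN."""
    wanted = sam_account_name.lower()
    for dn, attrs in directory.items():
        if attrs.get("sAMAccountName", "").lower() == wanted:
            return dn
    return None


def move_user(directory: Dict[str, dict], user_dn: str, new_parent_dn: str) -> str:
    """Simulate an AD move: the leaf RDN is kept, the parent changes, and memberOf
    is unchanged (AD rewrites group member references on a move). The leaf RDN
    in this constructed data contains no escaped commas, so a plain split is safe."""
    attrs = directory.pop(user_dn)
    new_dn = f"{user_dn.split(',', 1)[0]},{new_parent_dn}"
    directory[new_dn] = attrs
    return new_dn


def diagnose(directory: Dict[str, dict], sam_account_name: str,
             search_base_dn: str, required_group_dn: str) -> str:
    """Classify why a user would or would not match a group-based policy."""
    user_dn = find_user_dn(directory, sam_account_name)
    if user_dn is None:
        return "user_not_found"
    if not dn_is_under(user_dn, search_base_dn):
        return "outside_search_base"
    groups = [parse_dn(g) for g in directory[user_dn].get("memberOf", [])]
    if parse_dn(required_group_dn) not in groups:
        return "not_in_group"
    return "ok"


if __name__ == "__main__":
    group = "CN=VPN-Users,OU=Groups,DC=corp,DC=example"
    narrow_base = "OU=Staff,DC=corp,DC=example"   # base scoped to one OU
    wide_base = "DC=corp,DC=example"              # base covering the whole domain
    d = dict(CONSTRUCTED_DIRECTORY)
    print("before move, narrow base:", diagnose(d, "jdoe", narrow_base, group))
    move_user(d, "CN=jdoe,OU=Staff,DC=corp,DC=example", "OU=NewTeam,DC=corp,DC=example")
    print("after move, narrow base: ", diagnose(d, "jdoe", narrow_base, group))
    print("after move, wide base:   ", diagnose(d, "jdoe", wide_base, group))
```

The "outside_search_base" result is the one to look for: if the user is only missing when the base is scoped to the original OU, widening the base (or adding the new OU) is the fix, and no amount of cache clearing will help. A "not_in_group" result points instead at the membership itself, which is what the show user group name check on the firewall confirms.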
02-23-2021 11:01 PM - edited 02-23-2021 11:03 PM
Perhaps I have not read this correctly, but you mention multiple groups, yet you only have one group included in your screenshot. Are we talking nested groups here?
03-02-2021 05:39 PM
Thank you @Mick_Ball and @BPry
Strangely, VPN group is working fine after clearing cache.
No nested groups in use.