Authentication issue with Global Protect


L4 Transporter

We are having difficulty with our Active/Passive pair of PA-820s where they are set up to allow auth to GlobalProtect based on AD group membership.

If we create a new OU in AD and move a user to the newly created AD OU whilst still having the same group membership, they can no longer auth to connect to GlobalProtect from internal or external networks.

If we then move them back to the original OU, auth works again.

 

We have tried the reset, refresh and clear commands (debug user-id reset group-mapping all, debug user-id refresh group-mapping all, clear user-cache all)

 

We have also tried to drop the bind one level down. Any further ideas how to resolve this?

 

PANOS version – 9.1.3

GlobalProtect version – 5.1.1

 

[Attached images: Group Mapping.jpg, Auth Profile.png]


Accepted Solutions

Cyber Elite

@FarzanaMustafa,

So you can actually view group membership directly on the firewall via the show user group name <value> command and make sure that the user is properly showing up in the group membership list. Next I would see what the test authentication gives you on the firewall itself (test authentication authentication-profile <value> username <value> password). That can sometimes point you in the right direction.


3 REPLIES

L7 Applicator

Perhaps I have not read this correctly, but you mention multiple groups, yet you only have one group included in your screenshot. Are we talking nested groups here?

Thank you @Mick_Ball and @BPry 

 

Strangely, VPN group is working fine after clearing cache.

 

No nested groups in use.
