Authentication issue with Global Protect

FarzanaMustafa
L4 Transporter

We are having difficulty with our Active/Passive pair of PA-820s, where they are set up to allow auth to GlobalProtect based on AD group membership.

If we create a new OU in AD and move a user to the newly created AD OU whilst still having the same group membership, they can no longer auth to connect to GlobalProtect from internal or external networks.

If we then move them back to the original OU, auth works again.

We have tried the reset, refresh and clear commands (debug user-id reset group-mapping all, debug user-id refresh group-mapping all, clear user-cache all).

We have also tried to drop the bind one level down. Any further ideas how to resolve this?

PAN-OS version – 9.1.3

GlobalProtect version – 5.1.1

Attachments: Group Mapping.jpg, Auth Profile.png


Accepted Solutions
BPry
Cyber Elite

@FarzanaMustafa,

So you can actually view group membership directly on the firewall via the show user group name <value> command and make sure that the user is properly showing up in the group membership list. Next I would see what the test authentication gives you on the firewall itself (test authentication authentication-profile <value> username <value> password). That can sometimes point you in the right direction.

View solution in original post
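Added illustration, not code from this thread or from Palo Alto Networks: a small model of a two-step group-mapping lookup that reads a group's member DNs and then resolves each one as a user object only under a configured user search base. It assumes that kind of scoping as one plausible cause of the symptom above (membership unchanged, user moved to an OU outside the search base) and does not claim it is the confirmed fix; the domain, names and DNs are constructed.

```python
import copy

# Constructed sample directory (fake domain and names).
BASE = "DC=example,DC=test"
GROUP_DN = f"CN=GP-VPN-Users,OU=Groups,{BASE}"
ALICE_OLD = f"CN=alice,OU=Staff,{BASE}"
ALICE_NEW = f"CN=alice,OU=Contractors,{BASE}"
BOB = f"CN=bob,OU=Staff,{BASE}"
DIRECTORY = {
    GROUP_DN: {"member": [ALICE_OLD, BOB]},
    ALICE_OLD: {"sAMAccountName": "alice"},
    BOB: {"sAMAccountName": "bob"},
}

def dn_under_base(dn: str, base_dn: str) -> bool:
    """True if dn is at or below base_dn (case-insensitive RDN suffix match;
    escaped commas are not handled, which is fine for this constructed data)."""
    parts = [p.strip().lower() for p in dn.split(",")]
    base = [p.strip().lower() for p in base_dn.split(",")]
    return len(parts) >= len(base) and parts[-len(base):] == base

def resolve_group_members(directory, group_dn, user_search_base):
    """Read the group's member DNs, then resolve each as a user object only under
    user_search_base. Returns (resolved usernames, member DNs left unresolved)."""
    resolved, unresolved = [], []
    for member_dn in directory[group_dn].get("member", []):
        user = directory.get(member_dn)
        if user is not None and dn_under_base(member_dn, user_search_base):
            resolved.append(user["sAMAccountName"])
        else:
            unresolved.append(member_dn)
    return resolved, unresolved

def move_user(directory, old_dn, new_dn):
    """Copy of directory with the user moved to another OU. AD keeps the group
    membership, so every member reference is rewritten to the new DN."""
    moved = copy.deepcopy(directory)
    moved[new_dn] = moved.pop(old_dn)
    for obj in moved.values():
        if "member" in obj:
            obj["member"] = [new_dn if m == old_dn else m for m in obj["member"]]
    return moved

if __name__ == "__main__":
    after_move = move_user(DIRECTORY, ALICE_OLD, ALICE_NEW)
    print("narrow base after move:", resolve_group_members(after_move, GROUP_DN, f"OU=Staff,{BASE}"))
    print("wide base after move:  ", resolve_group_members(after_move, GROUP_DN, BASE))
```

Comparing the unresolved list against what show user group name reports is the same check the answer describes, just done offline against a modelled directory.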


All Replies
MickBall
L7 Applicator

Perhaps I have not read this correctly, but you mention multiple groups, yet you only have one group included in your screenshot. Are we talking nested groups here?

FarzanaMustafa
L4 Transporter

Thank you @MickBall and @BPry

Strangely, VPN group is working fine after clearing cache.

No nested groups in use.
