A quick run through my configuration:
I am using LDAPS. In Device -> Server Profiles -> LDAP and Device -> User Identification -> Server I am using DNS A records instead of IPs for my Active Directory servers; this is to ensure the domains can be validated by my 3rd party SSL cert. Also, in the GP gateway config (Network -> GlobalProtect -> Gateways -> myprofile -> Client Configuration -> Network Services), I have configured my local DNS servers.
I have configured the DNS servers in Device -> Setup -> Services to point to my local DNS servers. Everything works: captive portal, agentless User-ID, etc. However, I have been trying to set up GP but have been having issues with authentication. A quick check of authd.log shows:
debug: pan_auth_service_start_auth(pan_auth_service_handle.c:671): can not send request to remote server win-dc1.site.org of server profile "win-ad-server-list" since it is down or in retry-interval
The server is not down and is working as expected. When I create a new LDAP:389 profile and use IPs instead of domain names, the authentication works as expected. It looks like GP is not querying the local DNS servers for some reason and therefore cannot resolve the DNS records.
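As an added example (not from the original post and not PAN-OS code), a small Python triage script that parses authd.log lines matching the message quoted above, counts failures per server profile, and separates servers given as DNS names from IP literals, since that is the one variable that differs between the failing and the working profile in the post. The second log line, the `10.0.0.5` address and the `ldap-by-ip` profile name are constructed sample values.

```python
import ipaddress
import re

# Regex for the authd.log message quoted in the post (constructed here,
# not an official PAN-OS log specification).
AUTHD_RE = re.compile(
    r"can not send request to remote server (?P<server>\S+) of server profile "
    r'"(?P<profile>[^"]+)" since it is down or in retry-interval'
)

def classify_server(server: str) -> str:
    """Return 'ip' for an IPv4/IPv6 literal, otherwise 'hostname'."""
    try:
        ipaddress.ip_address(server)
        return "ip"
    except ValueError:
        return "hostname"

def triage_authd(lines):
    """Return one finding per (profile, server) that authd reports as down or
    in retry-interval, with a hint on whether DNS resolution is in the path."""
    findings = {}
    for line in lines:
        m = AUTHD_RE.search(line)
        if not m:
            continue
        key = (m.group("profile"), m.group("server"))
        entry = findings.setdefault(key, {"count": 0})
        entry["count"] += 1
    results = []
    for (profile, server), v in findings.items():
        kind = classify_server(server)
        hint = ("server given by name: confirm the firewall can resolve this FQDN"
                if kind == "hostname"
                else "server given by IP: DNS is not involved, check reachability")
        results.append({"profile": profile, "server": server, "kind": kind,
                        "count": v["count"], "hint": hint})
    return results

# Constructed sample: the line from the post, a repeat of it, an IP-based
# profile (constructed) and an unrelated line that must be ignored.
SAMPLE_LOG = [
    'debug: pan_auth_service_start_auth(pan_auth_service_handle.c:671): can not send request '
    'to remote server win-dc1.site.org of server profile "win-ad-server-list" since it is down or in retry-interval',
    'debug: pan_auth_service_start_auth(pan_auth_service_handle.c:671): can not send request '
    'to remote server win-dc1.site.org of server profile "win-ad-server-list" since it is down or in retry-interval',
    'debug: pan_auth_service_start_auth(pan_auth_service_handle.c:671): can not send request '
    'to remote server 10.0.0.5 of server profile "ldap-by-ip" since it is down or in retry-interval',
    "debug: pan_authd_ldap_bind(pan_authd_ldap.c:100): ldap bind succeeded",  # constructed
]

if __name__ == "__main__":
    for f in triage_authd(SAMPLE_LOG):
        print(f)
```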