Global protect authentication LDAP not working fine

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global protect authentication LDAP not working fine

L4 Transporter

Hi, we have GlobalProtect configured using a LDAP group for authentication in the VPN "cn=groupvpnusers,ou=_generic_groups,dc=it,dc=xxxx,dc=local"

 

When we commit this new config using vpn group in Auth profile, the GP authenticacion is working fine but 2-3 hours later it starts to fail and we get this error in all users in this group "failed authentication. Reason: User is not in allowlist".

To solve it we need to configure all in the "Auth profile" in order to  work again. We dont know why if we use a group in Auth profile the PA is working fine only 2-3 hours. ¿any timeout mapping?¿any refresh?

PanOS is 6.0.12

 

This is the useridd.log after 2 hours using ldap groups for auth VPN:

 

2016-08-03 13:18:18.042 +0200 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: paloaltovpntest
2016-08-03 13:18:18.042 +0200 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LDAP_USER_VPN_FR-1-1','paloaltovpntest'>
2016-08-03 13:18:18.045 +0200 panauth:user <it.xxxxxx.local\paloaltovpntest,LDAP_USER_VPN_FR-1-1,vsys1> is not allowed
2016-08-03 13:18:18.045 +0200 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: it.xxxxxx.local\paloaltovpntest authresult not auth'ed
2016-08-03 13:18:18.054 +0200 debug: pan_authd_process_authresult(pan_authd.c:1399): Alarm generation set to: False.
2016-08-03 13:18:18.054 +0200 User 'it.xxxxxx.local\paloaltovpntest' failed authentication. Reason: User is not in allowlist From: 88.3.65.25
2016-08-03 13:18:18.054 +0200 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False

 

This is when its working (in this case using all in auth profile not ldap group)

 

2016-08-03 13:24:56.096 +0200 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: paloaltovpntest
2016-08-03 13:24:56.096 +0200 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LDAP_USER_VPN_FR-1-1','paloaltovpntest'>
2016-08-03 13:24:56.098 +0200 debug: pan_authd_common_authenticate(pan_authd.c:1654): Authenticating user using 
2016-08-03 13:24:56.125 +0200 debug: pan_authd_authenticate_service(pan_authd.c:629): authentication succeeded (0)
2016-08-03 13:24:56.125 +0200 debug: pan_authd_authenticate_service(pan_authd.c:635): account is valid
2016-08-03 13:24:56.125 +0200 authentication succeeded for user <vsys1,LDAP_USER_VPN_FR-1-1,it.xxxxxx..local\paloaltovpntest>
2016-08-03 13:24:56.125 +0200 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: it.xxxxxxx..local\paloaltovpntest authresult auth'ed
2016-08-03 13:24:56.126 +0200 Request received to unlock vsys1/LDAP_USER_VPN_FR-1-1/it.xxxxxx.local\paloaltovpntest
2016-08-03 13:24:56.131 +0200 User 'it.xxxxxxx.local\paloaltovpntest' authenticated. From: 85..x.x.x

5 REPLIES 5

Cyber Elite
Cyber Elite

I'm sure the answer is yes but just to be sure, there is the allow list on the Authentification Profile and the actual GlobalProtect Portals, is the user group allowed on both of these?

*As a side note their is a known issue on older versions of the software where authentification issues would take place if the firewall was running for more than a 1 year time period without being shutdown. I would start with seeing if that fixes your issues if you are in an enviroment where you can schedule a restart in a resonable amount of time.  

Yes, the users are on this allowed group. When we commit it, its working but 2-3 hours later not 😞

 

Uptime 188 days, 13:37:57. Itos not very long this uptime right??? is there any bug id for this??

Any idea??? 

Looks like a possible typo in the domain field

 

'it.xxxxxxx..local\paloaltovpntest'

 

xxx..local

 

should this be .local? Or just it.xxxx\paloaltovpntest , removing the .local?

 

Ben

I think the config is OK because thisis working fine but 2-3 hours later stop authenticating.

 

Doing a debug we see this event and after stops authenticating fine.

 

2016-08-03 12:18:46.906 +0200 debug: authd_sysd_groupinfosync_callback(pan_authd.c:4349): will update vsys1, cn=ggfrpaloaltorasvpn,ou=_generic_groups,dc=fr,dc=xxxxxxxxx,dc=local here using file /opt/pancfg/mgmt/global/groups/1/Y249Z2dmcnBhbG9hbHRvcmFzdnBuLG91PV9nZW5lcmljX2dyb3VwcyxkYz1mcixkYz1zZWN1cml0YXNkaXJlY3QsZGM9bG9jYWw=.xml

2016-08-03 12:18:51.509 +0200 debug: authd_sysd_groupinfosync_callback(pan_authd.c:4363): done updating vsys1, cn=ggfrpaloaltorasvpn,ou=_generic_groups,dc=fr,dc=xxxxxxxxx,dc=local here

 

Its like after doing the refresh stop working but nothing was changed in LDAP or PA.

  • 2450 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!