08-03-2016 04:50 AM - edited 08-11-2016 12:48 AM
Hi, we have GlobalProtect configured using an LDAP group for authentication in the VPN: "cn=groupvpnusers,ou=_generic_groups,dc=it,dc=xxxx,dc=local".
When we commit this new config using the VPN group in the Auth profile, the GP authentication is working fine, but 2-3 hours later it starts to fail and we get this error for all users in this group: "failed authentication. Reason: User is not in allowlist".
To solve it we need to configure "all" in the "Auth profile" in order for it to work again. We don't know why, if we use a group in the Auth profile, the PA is working fine for only 2-3 hours. Any timeout on the mapping? Any refresh?
PAN-OS is 6.0.12.
This is the useridd.log after 2 hours using LDAP groups for VPN auth:
2016-08-03 13:18:18.042 +0200 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: paloaltovpntest
2016-08-03 13:18:18.042 +0200 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LDAP_USER_VPN_FR-1-1','paloaltovpntest'>
2016-08-03 13:18:18.045 +0200 panauth:user <it.xxxxxx.local\paloaltovpntest,LDAP_USER_VPN_FR-1-1,vsys1> is not allowed
2016-08-03 13:18:18.045 +0200 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: it.xxxxxx.local\paloaltovpntest authresult not auth'ed
2016-08-03 13:18:18.054 +0200 debug: pan_authd_process_authresult(pan_authd.c:1399): Alarm generation set to: False.
2016-08-03 13:18:18.054 +0200 User 'it.xxxxxx.local\paloaltovpntest' failed authentication. Reason: User is not in allowlist From: 88.3.65.25
2016-08-03 13:18:18.054 +0200 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False
This is when it's working (in this case using "all" in the auth profile, not the LDAP group):
2016-08-03 13:24:56.096 +0200 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: paloaltovpntest
2016-08-03 13:24:56.096 +0200 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LDAP_USER_VPN_FR-1-1','paloaltovpntest'>
2016-08-03 13:24:56.098 +0200 debug: pan_authd_common_authenticate(pan_authd.c:1654): Authenticating user using
2016-08-03 13:24:56.125 +0200 debug: pan_authd_authenticate_service(pan_authd.c:629): authentication succeeded (0)
2016-08-03 13:24:56.125 +0200 debug: pan_authd_authenticate_service(pan_authd.c:635): account is valid
2016-08-03 13:24:56.125 +0200 authentication succeeded for user <vsys1,LDAP_USER_VPN_FR-1-1,it.xxxxxx..local\paloaltovpntest>
2016-08-03 13:24:56.125 +0200 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: it.xxxxxxx..local\paloaltovpntest authresult auth'ed
2016-08-03 13:24:56.126 +0200 Request received to unlock vsys1/LDAP_USER_VPN_FR-1-1/it.xxxxxx.local\paloaltovpntest
2016-08-03 13:24:56.131 +0200 User 'it.xxxxxxx.local\paloaltovpntest' authenticated. From: 85..x.x.x
08-03-2016 06:38 AM
I'm sure the answer is yes, but just to be sure: there is the allow list on the Authentication Profile and on the actual GlobalProtect Portals. Is the user group allowed on both of these?
As a side note, there is a known issue on older versions of the software where authentication issues would take place if the firewall was running for more than a 1-year period without being shut down. I would start with seeing if that fixes your issues, if you are in an environment where you can schedule a restart in a reasonable amount of time.
08-03-2016 06:43 AM
Yes, the users are in this allowed group. When we commit it, it's working, but 2-3 hours later not 😞
Uptime 188 days, 13:37:57. It's not very long, this uptime, right??? Is there any bug ID for this??
08-04-2016 03:59 AM
Looks like a possible typo in the domain field:
'it.xxxxxxx..local\paloaltovpntest'
xxx..local
Should this be .local? Or just it.xxxx\paloaltovpntest, removing the .local?
Ben
08-04-2016 04:06 AM
I think the config is OK because this is working fine, but 2-3 hours later it stops authenticating.
Doing a debug we see this event, and afterwards it stops authenticating properly:
2016-08-03 12:18:46.906 +0200 debug: authd_sysd_groupinfosync_callback(pan_authd.c:4349): will update vsys1, cn=ggfrpaloaltorasvpn,ou=_generic_groups,dc=fr,dc=xxxxxxxxx,dc=local here using file /opt/pancfg/mgmt/global/groups/1/Y249Z2dmcnBhbG9hbHRvcmFzdnBuLG91PV9nZW5lcmljX2dyb3VwcyxkYz1mcixkYz1zZWN1cml0YXNkaXJlY3QsZGM9bG9jYWw=.xml
2016-08-03 12:18:51.509 +0200 debug: authd_sysd_groupinfosync_callback(pan_authd.c:4363): done updating vsys1, cn=ggfrpaloaltorasvpn,ou=_generic_groups,dc=fr,dc=xxxxxxxxx,dc=local here
It's like after doing the refresh it stops working, but nothing was changed in LDAP or the PA.
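As an added example (not part of this thread and not Palo Alto Networks code), the following Python script parses authd-style lines like the ones quoted above and does what a defender triaging this symptom would want: it checks whether each "User is not in allowlist" failure lands within a chosen window after a groupinfosync refresh of the group used in the allow list, and it flags user strings whose domain part contains a doubled dot, the kind of typo Ben pointed out. The sample lines, the dc=example group DN, the user names and the 192.0.2.x addresses are constructed placeholders, not a real capture.

```python
"""Correlate PAN-OS authd-style log lines: does each 'User is not in allowlist'
failure follow a group-mapping refresh (groupinfosync) within a given window?"""
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the ones quoted in the thread. The group DN,
# user names and source addresses are placeholders, not a real capture.
SAMPLE_LOG = r"""
2016-08-03 12:18:46.906 +0200 debug: authd_sysd_groupinfosync_callback(pan_authd.c:4349): will update vsys1, cn=groupvpnusers,ou=_generic_groups,dc=it,dc=example,dc=local here using file /opt/pancfg/mgmt/global/groups/1/PLACEHOLDER.xml
2016-08-03 12:18:51.509 +0200 debug: authd_sysd_groupinfosync_callback(pan_authd.c:4363): done updating vsys1, cn=groupvpnusers,ou=_generic_groups,dc=it,dc=example,dc=local here
2016-08-03 13:18:18.054 +0200 User 'it.example.local\paloaltovpntest' failed authentication. Reason: User is not in allowlist From: 192.0.2.10
2016-08-03 13:24:56.131 +0200 User 'it.example..local\paloaltovpntest' authenticated. From: 192.0.2.11
2016-08-03 22:00:00.000 +0200 User 'it.example.local\otheruser' failed authentication. Reason: User is not in allowlist From: 192.0.2.12
"""

# One line = timestamp, UTC offset, message. The offset is parsed but not used
# because all lines in one log share it.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) [+-]\d{4} (?P<msg>.*)$")
SYNC_DONE_RE = re.compile(r"authd_sysd_groupinfosync_callback\(.*\): done updating (?P<vsys>\w+), (?P<group>.+?) here$")
FAIL_RE = re.compile(r"User '(?P<user>[^']+)' failed authentication\. Reason: (?P<reason>.+?) From: (?P<src>\S+)$")
OK_RE = re.compile(r"User '(?P<user>[^']+)' authenticated\. From: (?P<src>\S+)$")


def parse_log(text):
    """Turn raw lines into a list of event dicts; lines of other kinds are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        msg = m.group("msg")
        s = SYNC_DONE_RE.search(msg)
        f = FAIL_RE.search(msg)
        o = OK_RE.search(msg)
        if s:
            events.append({"ts": ts, "kind": "group_sync", "vsys": s["vsys"], "group": s["group"]})
        elif f:
            events.append({"ts": ts, "kind": "auth_fail", "user": f["user"],
                           "reason": f["reason"], "src": f["src"]})
        elif o:
            events.append({"ts": ts, "kind": "auth_ok", "user": o["user"], "src": o["src"]})
    return events


def allowlist_failures_after_sync(events, window=timedelta(hours=3)):
    """For each 'not in allowlist' failure, find the latest preceding group refresh.
    Returns (user, group DN, seconds since that refresh) for failures inside the window,
    so a cluster of hits right after a refresh points at the group mapping, not the user."""
    findings = []
    last_sync = None
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "group_sync":
            last_sync = ev
        elif ev["kind"] == "auth_fail" and "not in allowlist" in ev["reason"]:
            if last_sync is not None and ev["ts"] - last_sync["ts"] <= window:
                gap = (ev["ts"] - last_sync["ts"]).total_seconds()
                findings.append((ev["user"], last_sync["group"], gap))
    return findings


def suspicious_user_names(events):
    """Flag DOMAIN\\user strings whose domain part has an empty label (e.g. 'it.example..local'),
    which would never match a correctly written allow-list entry."""
    out = set()
    for ev in events:
        user = ev.get("user")
        if user and "\\" in user:
            domain = user.split("\\", 1)[0]
            if ".." in domain or domain.startswith(".") or domain.endswith("."):
                out.add(user)
    return sorted(out)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, group, gap in allowlist_failures_after_sync(evs):
        print(f"{user}: allow-list failure {gap:.0f}s after refresh of {group}")
    for user in suspicious_user_names(evs):
        print(f"odd domain label in user string: {user}")
```

Run it against a real authd log by replacing SAMPLE_LOG with the file contents; the window defaults to three hours to match the interval reported in the thread, and a failure far outside it (the constructed 22:00 line) is deliberately left unreported so that only failures plausibly tied to the refresh are surfaced.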