GlobalProtect LDAP Authentication Fails


L3 Networker

I have successfully set up local login for GP but am struggling to set up LDAP authentication. The CLI test says that it's successful, but it fails when using GP.

 

Any tips please?

9 REPLIES 9

L3 Networker

my specific error now is:

 

GlobalProtect gateway client configuration failed. User name: MY.NAME Client OS version: Microsoft Windows 10 Enterprise , 64-bit, error: Matching client config not found.

 

Also this is not letting me change to local login, the GP client locks down to using my domain username

New Error:

You are not authorised to connect to globalprotect portal

@welly_59,

Doesn't really seem like it's failing at LDAP auth, sounds like you haven't configured a client config in the gateway configuration (or it isn't configured properly). Might want to verify that you have properly set up the client configuration and then verify that the 'Client Authentication' settings that you've configured on the Gateway are set up properly.

Is your GP portal config restricted to certain users... perhaps a group? If so, try changing to “all”.

It is set to certain groups. I can log into the web portal with LDAP credentials no problem, but I then get the error that there is no matching client config.

I’ll take some screenshots tomorrow of my config if you guys will be good enough to assist.

[Attached screenshots: IMG_20180702_212832.jpg, IMG_20180702_213133.jpg, IMG_20180702_213417.jpg, IMG_20180702_213519.jpg]

 

Could someone please take a look at my configs and see where I am going wrong? Local authenticated users work fine, but I get a variety of errors when I authenticate with LDAP, ranging from no client config available to not authorized to access portal, depending on what I change in these settings.

Firstly, do you have the same group settings in portal agent? I can only see gateway agent.

 

so....

 

from cli.

 

show user group list

 

this should display all relative groups and hopefully you will see the one that's blanked out in your agent config.

 

then...

 

show user group name "<the relevant group from above>"

 

this will list all known members of that group. If you check on the GUI monitor/system you can see the user authenticating; make sure that user can be seen in the group within CLI.

Got to the bottom of it......

I had not added allowed groups in the group mapping section.

Nice one Mr Welly...
