GlobalProtect LDAP Authentication Fails

L3 Networker

I have successfully set up local login for GP but am struggling to set up LDAP authentication. The CLI test says that it's successful, but it fails when using GP.

Any tips please?

L3 Networker

My specific error now is:

GlobalProtect gateway client configuration failed. User name: MY.NAME Client OS version: Microsoft Windows 10 Enterprise , 64-bit, error: Matching client config not found.

Also, this is not letting me change to local login; the GP client locks down to using my domain username.

L3 Networker

New Error:

You are not authorised to connect to globalprotect portal

Cyber Elite

@welly_59,

Doesn't really seem like it's failing at LDAP auth; it sounds like you haven't configured a client config in the gateway configuration (or it isn't configured properly). You might want to verify that you have properly set up the client configuration and then verify that the 'Client Authentication' settings that you've configured on the Gateway are set up properly.

L7 Applicator

Is your GP portal config restricted to certain users.... perhaps a group...  if so... try changing to “all”.

L3 Networker

It is set to certain groups. I can log into the web portal with ldap credentials no problem but I then get the error that there is no matching client config.

I'll take some screenshots tomorrow of my config if you guys will be good enough to assist.

L3 Networker

[Four screenshots of the portal/gateway configuration were attached here.]

Could someone please take a look at my configs and see where I am going wrong? Locally authenticated users work fine, but I get a variety of errors when I authenticate with LDAP, ranging from "no client config available" to "not authorized to access portal", depending on what I change in these settings.

L7 Applicator

Firstly, do you have the same group settings in the portal agent? I can only see the gateway agent.

So...

From the CLI:

show user group list

This should display all relative groups, and hopefully you will see the one that's blanked out in your agent config.

Then...

show user group name "<the relevant group from above>"

This will list all known members of that group. If you check on the GUI under Monitor > System you can see the user authenticating; make sure that user can be seen in the group within the CLI.

L3 Networker

Got to the bottom of it......

I had not added allowed groups in the group mapping section.
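The two CLI checks suggested above (does the group referenced by the agent config appear in `show user group list`, and does the authenticating user appear in `show user group name "<group>"`) and the root cause found here (the group was never added to the allowed groups in the group mapping) can be turned into a small offline checker. The script below is an added example, not code from the thread or from Palo Alto Networks; the `show user group list` and `show user group name` output blocks are constructed approximations of the CLI format, and the group DNs, LDAP profile name and user names are made up.

```python
"""Sanity-check a GlobalProtect group restriction against PAN-OS user-group output.

Added example, not from the thread or from Palo Alto Networks. The CLI output
formats below are constructed approximations; adjust MEMBER_RE and
parse_group_list() to match what your firewall actually prints.
"""
import re

GP_GROUP = "cn=gp-users,ou=groups,dc=example,dc=com"  # assumed group in the agent config

# Constructed `show user group list` output BEFORE the fix: the GP group was never
# added to the group mapping's allowed groups, so the firewall does not know it.
GROUP_LIST_BEFORE = """\
cn=vpn-admins,ou=groups,dc=example,dc=com

Total: 1
"""

# Constructed `show user group list` output AFTER adding the GP group to group mapping.
GROUP_LIST_AFTER = """\
cn=vpn-admins,ou=groups,dc=example,dc=com
cn=gp-users,ou=groups,dc=example,dc=com

Total: 2
"""

# Constructed `show user group name "cn=gp-users,..."` output after the fix.
GROUP_MEMBERS_AFTER = """\
short name:  example\\gp-users

source type: ldap
source:      corp-ldap

[1     ] example\\my.name
[2     ] example\\jane.doe
"""

# Member lines are assumed to look like "[1     ] domain\\user".
MEMBER_RE = re.compile(r"^\[\s*\d+\s*\]\s+(\S+)$")


def normalise_user(name):
    """Compare users case-insensitively and without the domain prefix (example\\user -> user)."""
    return name.rsplit("\\", 1)[-1].lower()


def parse_group_list(text):
    """Return the set of group DNs (lower-cased) the firewall has learned from group mapping."""
    return {ln.strip().lower() for ln in text.splitlines() if ln.strip().lower().startswith("cn=")}


def parse_group_members(text):
    """Return the normalised member names listed by `show user group name`."""
    members = set()
    for ln in text.splitlines():
        m = MEMBER_RE.match(ln.strip())
        if m:
            members.add(normalise_user(m.group(1)))
    return members


def check_gp_group_config(agent_groups, group_list_output, member_output_by_group, auth_user):
    """Explain why a user who authenticates fine may still get 'Matching client config not found'.

    agent_groups: group DNs the portal/gateway agent config is restricted to.
    group_list_output: text of `show user group list`.
    member_output_by_group: {group DN: text of `show user group name "<DN>"`}.
    auth_user: the user name seen authenticating under Monitor > System.
    Returns a list of findings; an empty list means the user should match the group.
    """
    mapped = parse_group_list(group_list_output)
    members_by_group = {k.lower(): v for k, v in member_output_by_group.items()}
    findings = []
    for group in agent_groups:
        g = group.lower()
        if g not in mapped:
            findings.append(f"{group}: not in the group mapping's allowed groups; the firewall "
                            f"never learns its members, so no client config can match")
            continue
        members = parse_group_members(members_by_group.get(g, ""))
        if normalise_user(auth_user) not in members:
            findings.append(f"{group}: {auth_user} is not a known member (check LDAP membership "
                            f"and that group mapping has refreshed)")
    return findings


if __name__ == "__main__":
    for label, glist, members in (("before fix", GROUP_LIST_BEFORE, {}),
                                  ("after fix", GROUP_LIST_AFTER, {GP_GROUP: GROUP_MEMBERS_AFTER})):
        result = check_gp_group_config([GP_GROUP], glist, members, "MY.NAME")
        print(label, "->", result or "OK: user is a member of the agent config group")
```

Run it as-is to see the "before" case report the missing group-mapping entry and the "after" case pass; to use it on a real firewall, paste the two CLI outputs into the string constants and set `GP_GROUP` to the DN shown in your agent config.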

L7 Applicator

Nice one Mr Welly...
