09-12-2017 05:58 AM
Hi,
I am running a PA-VM on AWS. It has two interfaces, one for management, one for data.
I have created an LDAP connection to our network and can log into GP using my AD credentials. So far, so good.
I need to have separation of users and assigned IPs based on group membership. I have an authentication profile with two sequences. One to match on the group that my account is a member of, the second uses local authentication.
In the GP gateway, I have the authentication set to the auth sequence (which uses the first authentication profile - the one that should match my account and group set first), and in the agent client settings, I have two entries. the first one should give me an IP address from the first range, the second entry is set to any/any and gives an IP from a different range.
When I connect, I use my username/password from AD but get an IP address from the second range.
The logs show these entries (note I have replaced the actual AD details):
1,2017/09/12 05:48:17,4E0FEDAE31E65C2,31,0x0,USERID,login,53,2017/09/12 05:48:17,0,0,0,0,,PA-VM,1,vsys1,10.7.2.10,xx\sfordham,,0,1,2592000,0,0,vpn-client,globalprotect,0,0,,2017/09/12 05:48:18,1
admin@PA-VM> show user group-mapping state all
Group Mapping(vsys1, type: active-directory): SaaS-Users
Bind DN : CN=xxx,OU=xxx xxx - Shared,DC=XX,DC=xxx
Base : DC=XX,DC=xxx
Group Filter: (None)
User Filter: (None)
Servers : configured 1 servers
213.78.96.130(389)
Last Action Time: 1607 secs ago(took 0 secs)
Next Action Time: In 1993 secs
Number of Groups: 1
cn=replaced_xxx,ou=security groups with mailbox,ou=security groups - shared,dc=xx,dc=xxx
admin@PA-VM>
admin@PA-VM> show user ip-user-mapping all
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.7.2.10 vsys1 GP xx\sfordham 2591689 2591689
Total: 1 users
admin@PA-VM>
From what I have read, GP in the above command *should* be AD
admin@PA-VM> show user user-ids
User Name Vsys Groups
------------------------------------------------------------------
xx.xxx\sfordham vsys1 cn=replaced_xxx,ou=security groups with mailbox,ou=security groups - shared,dc=xx,dc=xxx
Total: 22
admin@PA-VM>
So it looks like it is reading all of the necessary details - I can log in using my AD account, for example - it's just the mapping that's incorrect.
Can anyone advise?
Apologies if I have missed something blindingly obvious. I only started working with PA last week, so am learning as I go!
09-13-2017 06:11 AM
I added the domain (without the .local) to the Test2 auth profile and commited the change, but still get that I am not allowed with the authentication profile Test2.
BTW, thanks for all the help, I really appreciate it!
09-13-2017 06:43 AM
ok are you a wiresharky person...
if so then i would go to monitor/packet capture
manage filter id 1 destination (ldap server ip)
filter id 2 source (same ladap server ip)
ok that box.
add a capture stage for firewall, recieve and transmit.
start capture and as soon as started try cli auth vis test2 profile with group added (as previous)
as soon as failed, refresh captured files window and click on file to open with wireshark.
although a bit confusing, ladap is sent in cleartext so should see whats going on.
BTW, no problem.
09-13-2017 06:46 AM
if we could arrange a session i would gladly take a look via gotomeeting or teamworks. not sure how to comm ouside this
portal
09-13-2017 07:05 AM
Also... going back to the xx domain name... you could also add this to the user domain in group-id settings and give that a go before wireshark
09-13-2017 07:20 AM
Well.. this is weird...
I tried the wireshark capture, and could see all of the HTTPS traffic to the same server as the LDAP box, but this is because I am using the PA GUI from this NAT'd address, but I could not see any LDAP traffic in either the transmit or receive logs.
I cleared the user mapping (clear user-cache all) and tried again - still no LDAP info in the pcaps.
Using the client vpn, I did actually get the correct IP address - but the authentication command still fails...
09-13-2017 07:33 AM
firstly.. to confirm ... what is your group-id domain user set to.
secondly.. under device/setup/services/service route configuration, is ldap set to use default. if so the will not show in capture as you need to set ldap to the trusted interface ethernet x/x (whatever can reach the ldap servers.
09-13-2017 07:36 AM
also add destination port 389 to destination ldap server and source port 389 to source ldap server in capture filter to scrub https etc...
09-14-2017 02:25 AM
The service route is set to use the default (management) - however I cannot assign this to the e1/1 interface:
All I have here is default or any - possibly as it's in AWS using DHCP??
09-14-2017 02:47 AM
Stuart, Hi.
ok perhaps wireshark on server may be another option but do you need to know whats going on as you mentioned the IP allocation is now working as expected.
I was going to ask why you need to allocate subnet ranges for users, i assume its for admin purposes. we have been down this route but found it healthier all round to use AD groups in security policy.
I could of course be missing something more obvious here as to your purpose.
09-14-2017 03:02 AM
Morning 🙂
The plan is that we have a centralized VPN solution (currently we have two solutions one for access to one part of our network, and another - for a smaller subset of users to another section of our network).
The plan is that we have a unified solution, and depending on user group, we can permit/deny traffic between the network sections - hence the desire to hand out different IP ranges based on group membership.
I will see if I can run wireshark on the ldap server and that may shed some light on it.
Cheers!
09-14-2017 03:03 AM
Just re-read your lest message - so we could achieve the same through user groups in policies...?
That might be a better solution overall....
09-14-2017 03:15 AM
policies based on group membership are more scaleable.
you may only have two main types of users but we have tons, so would need to create a subnet range for each group.
then, we still need to add policy to allow subnet range or deny.
we have 1 x.x.x.x/19 scope for all users and when all the pilicies are in place we just move users in ad groups accordingly.
actually we have 2 x.x.x.x/19 subnets for each gateway, you may not need /19 but you will deffo need 2 different scopes per gateway.
happy to discuss why when you decide your way forward with groups.
please note, you may need to enable "user mapping" to be able to policy all traffic on your PA, not just VPN stuff.
i may not have explained this very well....
sorry for the essay....
09-15-2017 02:09 AM
Hi Mick,
I ran Wireshark and can confirm that the PA box is getting through to the AD server and performing a correct LDAP lookup.
I cannot see it doing any searches for group membership, however, it just looks to be searching for the username and once it confirms that, is happy.
I will do some digging and see if there is anything I have missed...
09-15-2017 03:07 AM - edited 09-15-2017 03:08 AM
I seem to have shamed myself. Still not there completely, but at least I am getting further.
The LDAP bind account does not appear to have full access, so I changed it to the domain admin account and now the CLI is reporting some better stuff. A school-boy error! I am so out of practice with AD and Windows...
Before:
admin@PA-VM> show user group-mapping state all
Group Mapping(vsys1, type: active-directory): SaaS-Users
Bind DN : CN=xxx,OU=Resource_Service Accounts - Shared,DC=xx,DC=local
Base : DC=xxDC=local
Group Filter: (None)
User Filter: (None)
Servers : configured 1 servers
213.78.96.130(389)
Last Action Time: 764 secs ago(took 0 secs)
Next Action Time: In 2836 secs
Number of Groups: 0
Group Mapping(vsys1, type: active-directory): Corp-Users
Bind DN : CN=xxx,OU=Resource_Service Accounts - Shared,DC=xx,DC=local
Base : DC=xx,DC=local
Group Filter: (None)
User Filter: (None)
Servers : configured 1 servers
213.78.96.130(389)
Last Action Time: 764 secs ago(took 0 secs)
Next Action Time: In 2836 secs
Number of Groups: 0
admin@PA-VM> show user group-mapping statistics
Name Vsys Groups Last-Action(secs) Next-Action(secs)
---------------------------------------------------------------------------
SaaS-Users vsys1 0 778 secs ago(took 0 secs) In 2822 secs
Corp-Users vsys1 0 778 secs ago(took 0 secs) In 2822 secs
admin@PA-VM>
admin@PA-VM> show user user-ids
User Name Vsys Groups
------------------------------------------------------------------
Total: 0
* : Custom Group
admin@PA-VM>
Now:
admin@PA-VM> show user user-ids
User Name Vsys Groups
------------------------------------------------------------------
xx\sfordham-adm vsys1 cn=corp-pa-vpn,ou=vpngroups,dc=xx,dc=local
xx\sfordham vsys1 cn=saas-pa-vpn,ou=vpngroups,dc=xx,dc=local
Total: 2
* : Custom Group
admin@PA-VM>
admin@PA-VM> show user group-mapping state all
Group Mapping(vsys1, type: active-directory): SaaS-Users
Bind DN : xx\administrator
Base : DC=xx,DC=local
Group Filter: (None)
User Filter: (None)
Servers : configured 1 servers
213.78.96.130(389)
Last Action Time: 916 secs ago(took 0 secs)
Next Action Time: In 2684 secs
Number of Groups: 1
cn=saas-pa-vpn,ou=vpngroups,dc=xx,dc=local
Group Mapping(vsys1, type: active-directory): Corp-Users
Bind DN : xx\administrator
Base : DC=xx,DC=local
Group Filter: (None)
User Filter: (None)
Servers : configured 1 servers
213.78.96.130(389)
Last Action Time: 916 secs ago(took 0 secs)
Next Action Time: In 2684 secs
Number of Groups: 1
cn=corp-pa-vpn,ou=vpngroups,dc=xx,dc=local
admin@PA-VM>
I am still having an issue with the policies and the use of groups, but at least it seems like I am getting somewhere now!
09-15-2017 04:13 AM
lol... you is fik innit. so...
where are we now ? probably best you do some playing around.
just post if still having issues
Mick.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
