This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

GlobalProtect not using AD group

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect not using AD group

Go to solution
StuartFordham
L2 Linker

‎09-12-2017 05:58 AM

Hi,

 

I am running a PA-VM on AWS. It has two interfaces, one for management, one for data.

I have created an LDAP connection to our network and can log into GP using my AD credentials. So far, so good.

 

I need to have separation of users and assigned IPs based on group membership. I have an authentication profile with two sequences. One to match on the group that my account is a member of, the second uses local authentication.

 

In the GP gateway, I have the authentication set to the auth sequence (which uses the first authentication profile - the one that should match my account and group set first), and in the agent client settings, I have two entries. the first one should give me an IP address from the first range, the second entry is set to any/any and gives an IP from a different range.

 

When I connect, I use my username/password from AD but get an IP address from the second range.

 

The logs show these entries (note I have replaced the actual AD details):

 

1,2017/09/12 05:48:17,4E0FEDAE31E65C2,31,0x0,USERID,login,53,2017/09/12 05:48:17,0,0,0,0,,PA-VM,1,vsys1,10.7.2.10,xx\sfordham,,0,1,2592000,0,0,vpn-client,globalprotect,0,0,,2017/09/12 05:48:18,1

 

admin@PA-VM> show user group-mapping state all


Group Mapping(vsys1, type: active-directory): SaaS-Users
Bind DN : CN=xxx,OU=xxx xxx - Shared,DC=XX,DC=xxx
Base : DC=XX,DC=xxx
Group Filter: (None)
User Filter: (None)
Servers : configured 1 servers
213.78.96.130(389)
Last Action Time: 1607 secs ago(took 0 secs)
Next Action Time: In 1993 secs
Number of Groups: 1
cn=replaced_xxx,ou=security groups with mailbox,ou=security groups - shared,dc=xx,dc=xxx

admin@PA-VM>

 

admin@PA-VM> show user ip-user-mapping all

IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.7.2.10 vsys1 GP xx\sfordham 2591689 2591689
Total: 1 users

admin@PA-VM>

 

From what I have read, GP in the above command *should* be AD

 

admin@PA-VM> show user user-ids

User Name Vsys Groups
------------------------------------------------------------------
xx.xxx\sfordham vsys1 cn=replaced_xxx,ou=security groups with mailbox,ou=security groups - shared,dc=xx,dc=xxx
Total: 22
admin@PA-VM>

 

So it looks like it is reading all of the necessary details - I can log in using my AD account, for example - it's just the mapping that's incorrect.

 

Can anyone advise? 

 

Apologies if I have missed something blindingly obvious. I only started working with PA last week, so am learning as I go!

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
Mick_Ball
L7 Applicator
In response to StuartFordham

‎09-14-2017 03:15 AM

policies based on group membership are more scaleable.

you may only have two main types of users but we have tons, so would need to create a subnet range for each group.

then, we still need to add policy to allow subnet range or deny.

 

we have 1 x.x.x.x/19 scope for all users and when all the pilicies are in place we just move users in ad groups accordingly.

actually we have 2 x.x.x.x/19 subnets for each gateway, you may not need /19 but you will deffo need 2 different scopes per gateway.

 

happy to discuss why when you decide your way forward with groups.

 

please note, you may need to enable "user mapping" to be able to policy all traffic on your PA, not just VPN stuff.

 

i may not have explained this very well....

 

sorry for the essay.... 

View solution in original post

0 Likes Likes
46 REPLIES 46

Go to solution
Mick_Ball
L7 Applicator

‎09-12-2017 06:38 AM

firstly, check the monitor\system log to ensure you are authenticating as domain\user name to both the portal and gateway.

0 Likes Likes

Go to solution
Mick_Ball
L7 Applicator
In response to Mick_Ball

‎09-12-2017 06:40 AM

sorry, cancel the above....

0 Likes Likes

Go to solution
StuartFordham
L2 Linker
In response to Mick_Ball

‎09-12-2017 06:43 AM

Ok, cancelling... but here are the logs just in case...

 

PA-authentication.PNG

0 Likes Likes

Go to solution
Mick_Ball
L7 Applicator
In response to StuartFordham

‎09-12-2017 06:57 AM

could you confirm that under network/gateways/(gateway name)/agent    that you have 2 configs.

0 Likes Likes

Go to solution
Mick_Ball
L7 Applicator
In response to Mick_Ball

‎09-12-2017 06:58 AM

oops.. missed off /client settings

0 Likes Likes

Go to solution
StuartFordham
L2 Linker
In response to Mick_Ball

‎09-12-2017 07:01 AM

Check! both are there, and I am getting an IP address from the Corp pool - not the first pool as I would like...

 

PA-agents.PNG

0 Likes Likes

Go to solution
Mick_Ball
L7 Applicator
In response to StuartFordham

‎09-12-2017 07:09 AM

open up your first config and add another user, start typing sford and see if your name auto appears

0 Likes Likes

Go to solution
StuartFordham
L2 Linker
In response to Mick_Ball

‎09-12-2017 07:14 AM

That works:

 

PA-agents2.PNG

0 Likes Likes

Go to solution
Mick_Ball
L7 Applicator
In response to StuartFordham

‎09-12-2017 07:17 AM

could you provide print screen of ldap auth profile

0 Likes Likes

Go to solution
StuartFordham
L2 Linker
In response to Mick_Ball

‎09-12-2017 07:20 AM

I this what you mean?

 

PA-ldap-auth1.PNGPA-ldap-auth2.PNG

 

there are no settings under "Factors"

0 Likes Likes

Go to solution
Mick_Ball
L7 Applicator
In response to StuartFordham

‎09-12-2017 07:30 AM

ok i'm not so good with domain names, we do not have a something.local in our domain name. just a single entry.

hopefully someone else will jump in with more domain experience but could you just post device/user id/group mapping settings/(name)/server profile.

 

also.. under the gateway client settings, just enter your name manually without domain info. and test.

0 Likes Likes

Go to solution
StuartFordham
L2 Linker
In response to Mick_Ball

‎09-12-2017 07:41 AM

PA-Group-mapping2.PNGPA-Group-mapping.PNG

 

The only difference I can see is that the domain is uppercase here - but I can drill into it and select the group, so I think this is probably not causing an issue.

 

I added myself as a new entry as you suggested:

 

PA-three-clients.PNG

 

However, I still get an IP address from the 10.7.2. range.

0 Likes Likes

Go to solution
Mick_Ball
L7 Applicator
In response to StuartFordham

‎09-12-2017 07:45 AM

you have added yourself with domain info.  dont select yourself from the list, just type it in and ignore name in list. just click whitespace and it will stick.

0 Likes Likes

Go to solution
StuartFordham
L2 Linker
In response to Mick_Ball

‎09-12-2017 07:58 AM

Tried that, it just shows sfordham, but I still jump down to the Corp entry.

0 Likes Likes
  • 1 accepted solution
  • 14401 Views
  • 46 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks