GlobalProtect not using AD group


Hi,

 

I am running a PA-VM on AWS. It has two interfaces, one for management, one for data.

I have created an LDAP connection to our network and can log into GP using my AD credentials. So far, so good.

 

I need to have separation of users and assigned IPs based on group membership. I have an authentication profile with two sequences. One to match on the group that my account is a member of, the second uses local authentication.

 

In the GP gateway, I have the authentication set to the auth sequence (which uses the first authentication profile - the one that should match my account and group set first), and in the agent client settings, I have two entries. The first one should give me an IP address from the first range; the second entry is set to any/any and gives an IP from a different range.

 

When I connect, I use my username/password from AD but get an IP address from the second range.

 

The logs show these entries (note I have replaced the actual AD details):

 

1,2017/09/12 05:48:17,4E0FEDAE31E65C2,31,0x0,USERID,login,53,2017/09/12 05:48:17,0,0,0,0,,PA-VM,1,vsys1,10.7.2.10,xx\sfordham,,0,1,2592000,0,0,vpn-client,globalprotect,0,0,,2017/09/12 05:48:18,1

 

admin@PA-VM> show user group-mapping state all

Group Mapping(vsys1, type: active-directory): SaaS-Users
        Bind DN    : CN=xxx,OU=xxx xxx - Shared,DC=XX,DC=xxx
        Base       : DC=XX,DC=xxx
        Group Filter: (None)
        User Filter: (None)
        Servers    : configured 1 servers
                213.78.96.130(389)
                        Last Action Time: 1607 secs ago(took 0 secs)
                        Next Action Time: In 1993 secs
        Number of Groups: 1
        cn=replaced_xxx,ou=security groups with mailbox,ou=security groups - shared,dc=xx,dc=xxx

admin@PA-VM>

 

admin@PA-VM> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.7.2.10       vsys1  GP      xx\sfordham                      2591689        2591689
Total: 1 users

admin@PA-VM>

 

From what I have read, GP in the above command *should* be AD.

 

admin@PA-VM> show user user-ids

User Name                       Vsys    Groups
------------------------------------------------------------------
xx.xxx\sfordham                 vsys1   cn=replaced_xxx,ou=security groups with mailbox,ou=security groups - shared,dc=xx,dc=xxx
Total: 22
admin@PA-VM>

 

So it looks like it is reading all of the necessary details - I can log in using my AD account, for example - it's just the mapping that's incorrect.

 

Can anyone advise? 

 

Apologies if I have missed something blindingly obvious. I only started working with PA last week, so am learning as I go!


Just re-read your last message - so we could achieve the same through user groups in policies...?

 

That might be a better solution overall....

policies based on group membership are more scalable.

you may only have two main types of users but we have tons, so would need to create a subnet range for each group.

then, we still need to add policy to allow subnet range or deny.

 

we have 1 x.x.x.x/19 scope for all users and when all the policies are in place we just move users in ad groups accordingly.

actually we have 2 x.x.x.x/19 subnets for each gateway, you may not need /19 but you will deffo need 2 different scopes per gateway.

 

happy to discuss why when you decide your way forward with groups.

 

please note, you may need to enable "user mapping" to be able to policy all traffic on your PA, not just VPN stuff.

 

i may not have explained this very well....

 

sorry for the essay.... 


Hi Mick,

 

I ran Wireshark and can confirm that the PA box is getting through to the AD server and performing a correct LDAP lookup.

I cannot see it doing any searches for group membership, however; it just looks to be searching for the username and, once it confirms that, is happy.

 

I will do some digging and see if there is anything I have missed...

I seem to have shamed myself. Still not there completely, but at least I am getting further.

 

The LDAP bind account does not appear to have full access, so I changed it to the domain admin account and now the CLI is reporting some better stuff. A school-boy error! I am so out of practice with AD and Windows...

 

Before:

admin@PA-VM> show user group-mapping state all

Group Mapping(vsys1, type: active-directory): SaaS-Users
        Bind DN    : CN=xxx,OU=Resource_Service Accounts - Shared,DC=xx,DC=local
        Base       : DC=xxDC=local
        Group Filter: (None)
        User Filter: (None)
        Servers    : configured 1 servers
                213.78.96.130(389)
                        Last Action Time: 764 secs ago(took 0 secs)
                        Next Action Time: In 2836 secs
        Number of Groups: 0

Group Mapping(vsys1, type: active-directory): Corp-Users
        Bind DN    : CN=xxx,OU=Resource_Service Accounts - Shared,DC=xx,DC=local
        Base       : DC=xx,DC=local
        Group Filter: (None)
        User Filter: (None)
        Servers    : configured 1 servers
                213.78.96.130(389)
                        Last Action Time: 764 secs ago(took 0 secs)
                        Next Action Time: In 2836 secs
        Number of Groups: 0

admin@PA-VM> show user group-mapping statistics

Name         Vsys    Groups Last-Action(secs)                Next-Action(secs)
---------------------------------------------------------------------------
SaaS-Users   vsys1   0      778 secs ago(took 0 secs)        In 2822 secs
Corp-Users   vsys1   0      778 secs ago(took 0 secs)        In 2822 secs

admin@PA-VM>
admin@PA-VM> show user user-ids

User Name                       Vsys    Groups
------------------------------------------------------------------

Total: 0
* : Custom Group

admin@PA-VM>

 

Now:

admin@PA-VM> show user user-ids

User Name                       Vsys    Groups
------------------------------------------------------------------
xx\sfordham-adm                 vsys1                           cn=corp-pa-vpn,ou=vpngroups,dc=xx,dc=local
xx\sfordham                     vsys1                           cn=saas-pa-vpn,ou=vpngroups,dc=xx,dc=local

Total: 2
* : Custom Group

admin@PA-VM>
admin@PA-VM> show user group-mapping state all

Group Mapping(vsys1, type: active-directory): SaaS-Users
        Bind DN    : xx\administrator
        Base       : DC=xx,DC=local
        Group Filter: (None)
        User Filter: (None)
        Servers    : configured 1 servers
                213.78.96.130(389)
                        Last Action Time: 916 secs ago(took 0 secs)
                        Next Action Time: In 2684 secs
        Number of Groups: 1
        cn=saas-pa-vpn,ou=vpngroups,dc=xx,dc=local

Group Mapping(vsys1, type: active-directory): Corp-Users
        Bind DN    : xx\administrator
        Base       : DC=xx,DC=local
        Group Filter: (None)
        User Filter: (None)
        Servers    : configured 1 servers
                213.78.96.130(389)
                        Last Action Time: 916 secs ago(took 0 secs)
                        Next Action Time: In 2684 secs
        Number of Groups: 1
        cn=corp-pa-vpn,ou=vpngroups,dc=xx,dc=local

admin@PA-VM>

 

I am still having an issue with the policies and the use of groups, but at least it seems like I am getting somewhere now!
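A small added check (my own example, not code from this thread or from Palo Alto Networks) that parses the output of `show user group-mapping state all` and flags every mapping profile that fetched zero groups, which is the symptom the post above traced to a bind account that could not read group membership. The sample output, bind DN, server address and group names below are constructed placeholders.

```python
import re

# Constructed sample modelled on the "show user group-mapping state all" output in
# this thread; the bind DN, server and group names are placeholders, not real data.
SAMPLE_STATE = """\
Group Mapping(vsys1, type: active-directory): SaaS-Users
        Bind DN    : CN=svc-pa,OU=Service Accounts,DC=example,DC=local
        Base       : DC=example,DC=local
        Servers    : configured 1 servers
                192.0.2.10(389)
        Number of Groups: 0

Group Mapping(vsys1, type: active-directory): Corp-Users
        Bind DN    : CN=svc-pa,OU=Service Accounts,DC=example,DC=local
        Base       : DC=example,DC=local
        Servers    : configured 1 servers
                192.0.2.10(389)
        Number of Groups: 1
        cn=corp-pa-vpn,ou=vpngroups,dc=example,dc=local
"""

HEADER = re.compile(r"^Group Mapping\((?P<vsys>[^,]+), type: [^)]+\): (?P<name>\S+)$")

def parse_group_mapping_state(text):
    """Return one dict per mapping profile: name, vsys, bind DN, declared count, group DNs."""
    profiles, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"name": m["name"], "vsys": m["vsys"], "bind_dn": None, "declared": 0, "groups": []}
            profiles.append(cur)
        elif cur is None:
            continue  # text before the first profile header
        elif line.startswith("Bind DN"):
            cur["bind_dn"] = line.split(":", 1)[1].strip()
        elif line.startswith("Number of Groups"):
            cur["declared"] = int(line.split(":", 1)[1])
        elif line.lower().startswith("cn="):
            cur["groups"].append(line)  # group DNs are listed after the count

    return profiles

def empty_mappings(profiles):
    """Profiles that fetched no groups: check the bind account's read access to group objects."""
    return [p["name"] for p in profiles if p["declared"] == 0 or not p["groups"]]

if __name__ == "__main__":
    for name in empty_mappings(parse_group_mapping_state(SAMPLE_STATE)):
        print(f"{name}: 0 groups fetched; verify the bind DN can read group membership")
```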

lol... you is fik innit. so...

 

where are we now? probably best you do some playing around.

just post if still having issues

 

Mick.

Hi Mick,

 

Hope you had a good weekend.

 

The good news is that I think I now have a working solution. My basic tests (two groups with one user in each) are passing my (basic) policies.

 

I did have to play around with adding the domain name as the policy seemed to jump to a permit all/all - but I found this: https://live.paloaltonetworks.com/t5/Management-Articles/User-does-not-Match-Correct-Policy-but-is-L... and once I got that sorted, I now have the desired effect:

 

[attached screenshot: PA-success.PNG]

 

Many many many thanks for all your help.

I think I owe you a beer or two! 

Stuart, hi, and you..

 

no problem.... please note as per my earlier comment that you may (when fully up and running) need to add a second ip pool to your gateway settings.

 

with your current pool, any user visiting a Toyota garage and using wifi will fail GP VPN.

they use 10.0.0.0/8, which will overlap your 10.7.1.x/x.

 

I encountered this issue from many other public wifi services.

so... we have 10.50 and a 172.50 pools allocated for our users.

 

https://live.paloaltonetworks.com/t5/tkb/articleprintpage/tkb-id/ConfigurationArticles/article-id/25...

 

good luck....