10-20-2015 12:44 PM
Hi all,
I tried support on this, didn't get much help. I am using PANOS 7.0 and GlobalProtect 2.2.1
I have a couple hundred GlobalProtect clients using Windows. I am using pre-logon (always on) with LDAP authentication. The goal is to have the GlobalProtect clients to stay connected to the gateway at all times, or keep trying to connect until a gateway becomes available.
The boxes auto-connect and auto-reconnect on their own 95% of the time. However, in an event where the LDAP servers go down (i.e. maintenance or interruption), the user is prompted for a password even though pre-logon is being used and the user has selected "Remember me" within the client. Please note, I am using certificates for pre-logon, but I can not use SSO.
I have included a screenshot of the issue. ANY HELP is appreciated.
Client config
Error on client:
10-20-2015 03:54 PM
How about setting up multiple ldap servers for redundancy? This way you can reboot one or more and still retain functinality.
10-20-2015 08:13 PM
I am not sure if I understand what you mean by the firewall authenticating. If you are referring to the admin login for the firewall that uses local authentication, not LDAP.
What I am striving for is a truely "always on" solution. In my view, when pre-logon says "always on" it should never ask the clients for credentials when the authentication server is down.
10-20-2015 08:15 PM
Thanks for the reply. I appreciate the recommendation. We currently have two LDAP servers. We have seen a couple of situations where the communication between the LDAP server and the clients becomes interrupted for one reason or another.
I am wondering if there is some sort of registry setting for the Windows GP clients... something to supress the prompt?
10-21-2015 12:14 AM
pre-logon vpn is a partial vpn that would allow a user to load logon scripts etc while the workstation boots into normal operational mode. This access is granted with a decreased level of authentication.
Once the logon sequence completes the user will always be required to 'make himself known' by authenticating. the pre-logon vpn mode cannot be used while in normal windows 'desktop' mode.
To get around this you could try using an authentication sequence in the gateway configuration' authentication (instead of a single ldap profile) where two ldap profiles provide redundancy
10-21-2015 06:41 AM
That makes sense. I am wondering though why the client prompts for a password even though the client has checked off "remember me."
10-21-2015 07:38 AM
that may require a little more troubleshooting, you'll first want to figure out what is happening to the ldap exactly.
you could set up an wireshark on the ldap server or run a tcpdump on the firewall while testing a failed connection like this. maybe the ldap does respond to the authentication but in an unexpected way, making the Gateway reprompt the user for credentials because it thinks the authentication failed.
the user/pass prompt would typically appear if something like that happens or if the password is changed or expired. GP debug log may help shed some light on this as well
10-27-2015 06:53 AM
I've opened this as a case with Palo Alto. I will post my findings.
10-28-2015 12:44 PM
I point my ldap server at the root domain and not a single server, so it is setup as ldap server : corp.firm.local and it works without problems, the client querys whatever domain controller it can find.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
