GP/ LDAP authentication


L1 Bithead

Hi, 

 

I have a test AD/PA setup.

AD and LDAP connectivity is okay so far.

 

My problem is that I am unable to authenticate any user against Global Protect.

The un/pw are correct.

The group are correct too, as far as I can see.

 

This is the output I get when trying to authenticate:

 

SITE1> test authentication authentication-profile AUTHPROFILE username paloeveng.local\gpuser password
Enter password :

Target vsys is not specified, user "paloeveng.local\gpuser" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
user "paloeveng.local\gpuser" is a member of allowed group "cn=paloalto,ou=firewall,dc=paloeveng,dc=local" on vsys "vsys1"
Authentication to LDAP server at 192.168.150.10 for user "paloeveng.local\gpuser"
Egress: 192.168.22.10
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
Received empty DN for user "gpuser"
Authentication failed against LDAP server at 192.168.150.10:389 for user "paloeveng.local\gpuser"


Authentication failed for user "paloeveng.local\gpuser"

 

===========

 

SITE1> show user group name "cn=paloalto,ou=firewall,dc=paloeveng,dc=local"

short name: paloeveng.local\paloalto

source type: ldap
source: Paloeveng-profile

[1 ] paloeveng.local\gpuser

===========

 

What am I missing within the config?

 

Thank you in advance.

 


Cyber Elite

@Vimz888,

Have you verified the actual authentication profile that you're attempting to utilize? That's really where I would be focusing my attention.

 

Do you have sAMAccountName for the Login Attribute? Do you specify your User Domain or Username Modifier? 

Hi,

 

The authentication is against the below: 

 

[image: Vimz888_2-1638304296321.png]

[image: Vimz888_3-1638304341383.png]

 

A user called "gpuser" is part of this:

[image: Vimz888_4-1638304738111.png]

When I try to authenticate the user "gpuser" against AD, I get the following message:

 

SITE1> test authentication authentication-profile AUTHPROFILE username gpuser password
Enter password :

Target vsys is not specified, user "gpuser" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
user "paloeveng.local\gpuser" is a member of allowed group "cn=paloalto,ou=firewall,dc=paloeveng,dc=local" on vsys "vsys1"
Authentication to LDAP server at 192.168.150.10 for user "gpuser"
Egress: 192.168.22.10
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
Received empty DN for user "gpuser"
Authentication failed against LDAP server at 192.168.150.10:389 for user "gpuser"


Authentication failed for user "gpuser"

 

- I am not sure what this bit means: "Received empty DN for user "gpuser""

If you need any more info, let me know.

 

Thanks.
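Added example, not from this thread or from PAN-OS: a self-contained model of the search-then-bind sequence behind the "Starting LDAP connection ... Received empty DN ... Authentication failed" lines above, and of why the allow-list (group) check can pass while the user lookup still returns nothing. The directory contents, the password and the base DN are constructed stand-ins for the poster's AD; the handling of the Username Modifier and User Domain settings is a simplified assumption, not the firewall's actual logic. No real LDAP server is contacted.

```python
# Added example (not from the thread, not PAN-OS code): models the
# search-then-bind flow that produces "Received empty DN for user ...".
# The firewall first searches the directory for an entry whose login
# attribute equals the (modified) username; only if an entry is found does it
# bind with that entry's DN and the supplied password. No entry -> empty DN.

# Constructed directory: DN -> attributes, mimicking the thread's domain.
DIRECTORY = {
    "cn=gpuser,ou=firewall,dc=paloeveng,dc=local": {
        "sAMAccountName": "gpuser",
        "userPrincipalName": "gpuser@paloeveng.local",
        "memberOf": ["cn=paloalto,ou=firewall,dc=paloeveng,dc=local"],
        "_password": "Secret123!",  # constructed; stands in for the bind check
    },
    "cn=paloalto,ou=firewall,dc=paloeveng,dc=local": {
        "member": ["cn=gpuser,ou=firewall,dc=paloeveng,dc=local"],
    },
}

USER_DOMAIN = "paloeveng.local"  # assumed value of the profile's User Domain


def build_lookup_value(user_input, modifier="%USERINPUT%", user_domain=USER_DOMAIN):
    """Turn what the user typed into the value searched for in the login attribute.

    Assumed, simplified semantics: a leading "DOMAIN\\" is split off, then the
    modifier template decides whether the domain is re-attached.
    """
    _domain, _sep, name = user_input.rpartition("\\")  # name == input if no backslash
    return modifier.replace("%USERINPUT%", name).replace("%USERDOMAIN%", user_domain)


def search_user(base_dn, login_attribute, value):
    """Subtree search under base_dn for an entry whose login_attribute equals value.

    Returns the matching DN, or None when nothing matched: the condition the
    firewall reports as 'Received empty DN'.
    """
    for dn, attrs in DIRECTORY.items():
        if dn.endswith(base_dn) and attrs.get(login_attribute) == value:
            return dn
    return None


def bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("_password") == password


def authenticate(user_input, password, base_dn, login_attribute, modifier="%USERINPUT%"):
    """Reproduce the log's sequence; returns (ok, message)."""
    value = build_lookup_value(user_input, modifier)
    dn = search_user(base_dn, login_attribute, value)
    if dn is None:
        return False, f'Received empty DN for user "{value}"'
    if not bind(dn, password):
        return False, f"bind failed for {dn}"
    return True, f"bound as {dn}"


def in_allowed_group(user_dn, group_dn):
    """Allow-list check: reads the group's member list, a query independent of
    the login-attribute search, so it can succeed even when authenticate() fails."""
    return user_dn in DIRECTORY.get(group_dn, {}).get("member", [])


if __name__ == "__main__":
    base = "dc=paloeveng,dc=local"
    # Login attribute matches how the user types the name -> bind happens.
    print(authenticate("gpuser", "Secret123!", base, "sAMAccountName"))
    # Wrong login attribute for the typed form -> empty DN, no bind attempted.
    print(authenticate("gpuser", "Secret123!", base, "userPrincipalName"))
    # Modifier appends the domain but the attribute holds the bare name -> empty DN.
    print(authenticate("gpuser", "Secret123!", base, "sAMAccountName",
                       "%USERINPUT%@%USERDOMAIN%"))
    # Base DN that does not contain the user -> empty DN.
    print(authenticate("gpuser", "Secret123!", "ou=servers," + base, "sAMAccountName"))
    # Group check passes regardless, matching the thread's allow-list line.
    print(in_allowed_group("cn=gpuser,ou=firewall,dc=paloeveng,dc=local",
                           "cn=paloalto,ou=firewall,dc=paloeveng,dc=local"))
```

The point of the model is the ordering: an empty DN is reported before any bind, so the password is never tested; the three inputs that decide the search are the base DN, the Login Attribute, and the value the Username Modifier/User Domain settings produce, and those are the three to compare against what the user actually types.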


Hi, 

 

Does anyone know how to resolve this? 

 

Thanks,
