12-17-2019 08:05 AM
Is anyone else having issues with the new version? Getting authentication errors. Was working fine before the update. I don't believe anything else has changed. Have a ticket in but was curious if anyone is running 5.1 successfully on an iphone.
12-23-2019 07:52 AM
My ticket was escalated up to a Palo Alto engineer and there is an issue causing this in the global protect IOS app 5.1.0. They are addressing it and a fix should be coming in release 5.1.1.
12-17-2019 08:37 AM
No problems on IPad ios 12. Im using cert auth with ldap username and password.
what auth are you using on IPhone.
12-17-2019 08:38 AM
Hello
I just tested my environment, errors detected.
Authentication is based on certificates. I'm facing authentication issues with GP (on notebook) and PAN OS 8.1.12. What PAN OS version are you using, what type of authentication is configured?
12-17-2019 08:43 AM
Keep in mind that the FW does local auth (local accounts), but other 3rd party auth (LDAP/Radius), the FW will be passing back the auth success/fail messages to you.
I would check the authd.log on the firewall.
less mp-log authd.log
This will show you the authd.log entries
You can issue a "/" command to search for a user
/steve
2019-11-18 11:07:43.586 -0500 debug: _parse_adminusers(pan_auth_cfg_parse_util.c:348): "steve" user doesn't have a password
2019-11-18 11:07:43.586 -0500 debug: _parse_adminusers(pan_auth_cfg_parse_util.c:359): "steve" user entry missing password profile
2019-11-18 11:07:43.586 -0500 debug: _parse_adminusers(pan_auth_cfg_parse_util.c:370): "steve" user entry missing authentication profile
you could search on /failed to help you find challenges.
Hope this helps you.
12-17-2019 09:07 AM
OS 8.1.10 Two factor authentication with RSA Secureid and LDAP
It appears to be a cert issue. Previously it was working fine. Have a cert from network solutions for the site remote.mydomain.com that is the vpn. It appears to want a trusted root CA.
12-18-2019 07:57 AM
Ok, so then... install the trusted root CA (which should be a public certificate, and should be able to get it....) As a matter of fact, if it IS a public CA, then your TCA store (for windows) should be able confirm if the required TCA is there. If not, then add it.
Seems more like PANW is making their software more secure by checking for TCAs.
Or you can downgrade if you want.
What response are you looking for, from the community members?
12-18-2019 08:28 AM
I was able to find our original cert package and loaded all those into my iphone. The remote.mydomain.com cert now shows verified. Still getting the same issue though. Looking at system logs I get
auth-success RSA
globalprotectportal-auth-succ GP-Portal
globalprotectportal-config-succ GP-Portal
auth-fail Active Directory failed authentication for user 'my.user' Reason: Invalid username/password. auth profile 'Active Directory'
globaprotectgateway-auth-fail Gateway1-N globalprotect gateway user authentication failed
We use one port as the gateway and the portal. I am now going through a document sent to me by support for the cert setup so going to look at testing out a new setup.
My question for the community is can people connect using a iphone and the globalprotect app 5.1.0. When we were using the 5.0.9 app with the same setup as now it was working fine. I can also connect fine from a PC using the same credentials that fail on an iphone.
12-18-2019 08:43 AM
While the community responds back, can you confirm you saw my comment about looking at the authd.log file to determine why AD is having an issue?
I am not quick to say it is because of GP, because the auth failure is coming from AD. Can you try to make a test local account and confirm that local auth is working fine? If you can do this, and then it fails when you try to use AD auth, then it goes to make sense, that something is not correct. Maybe in 5.1 the incorrect username is being passed to the AD server for auth.
Please advise.
12-18-2019 12:08 PM
Sorry should have noted that post. I did run it and sent that into support also. How exactly is the command formatted using the /steve for instance. I could not get that part to work. There are still some decryption errors in the GP logs from the iphone so that might still be the issue. Thanks for your assistance.
12-23-2019 07:52 AM
My ticket was escalated up to a Palo Alto engineer and there is an issue causing this in the global protect IOS app 5.1.0. They are addressing it and a fix should be coming in release 5.1.1.
12-23-2019 08:16 AM
My bad. Looks like the update came out over the weekend. All good now.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
