Iphone globalprotect app 5.1

L1 Bithead


Is anyone else having issues with the new version? Getting authentication errors. Was working fine before the update. I don't believe anything else has changed. Have a ticket in but was curious if anyone is running 5.1 successfully on an iPhone.


Accepted Solutions
L1 Bithead

Re: Iphone globalprotect app 5.1

My ticket was escalated up to a Palo Alto engineer and there is an issue causing this in the GlobalProtect iOS app 5.1.0. They are addressing it and a fix should be coming in release 5.1.1.


All Replies
L7 Applicator

Re: Iphone globalprotect app 5.1

No problems on iPad iOS 12. I'm using cert auth with LDAP username and password.

What auth are you using on iPhone?

L3 Networker

Re: Iphone globalprotect app 5.1

Hello

 

I just tested my environment, errors detected.

Authentication is based on certificates. I'm facing authentication issues with GP (on notebook) and PAN OS 8.1.12. What PAN OS version are you using, what type of authentication is configured?

Cyber Elite

Re: Iphone globalprotect app 5.1

Keep in mind that the FW does local auth (local accounts), but for other 3rd party auth (LDAP/RADIUS), the FW will be passing back the auth success/fail messages to you.

 

I would check the authd.log on the firewall.

 

less mp-log authd.log

 

This will show you the authd.log entries

 

You can issue a "/" command to search for a user

/steve

 

2019-11-18 11:07:43.586 -0500 debug: _parse_adminusers(pan_auth_cfg_parse_util.c:348): "steve" user doesn't have a password
2019-11-18 11:07:43.586 -0500 debug: _parse_adminusers(pan_auth_cfg_parse_util.c:359): "steve" user entry missing password profile
2019-11-18 11:07:43.586 -0500 debug: _parse_adminusers(pan_auth_cfg_parse_util.c:370): "steve" user entry missing authentication profile

 

You could search on /failed to help you find challenges.

 

Hope this helps you.

 

Help the community: Like helpful comments and mark solutions
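
The same search done offline on an exported copy of authd.log, as an added example that is not part of the original posts: it parses the entry layout shown in the excerpt above and filters by user or keyword. The first three sample lines are the thread's excerpt; the other lines, including the names `example_auth_step` and `example_auth.c`, are constructed placeholders.

```python
import re
from collections import Counter

# Entry layout from the excerpt: "<date> <time> <tz> <level>: <func>(<file>:<line>): <message>"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) '
    r'(?P<level>\w+): (?P<func>\w+)\((?P<src>[^():]+):(?P<line>\d+)\): (?P<msg>.*)$'
)

# Lines 1-3: excerpt quoted in the thread. Remaining lines: constructed for this
# example; their function names and wording are placeholders, not real authd output.
SAMPLE = '''\
2019-11-18 11:07:43.586 -0500 debug: _parse_adminusers(pan_auth_cfg_parse_util.c:348): "steve" user doesn't have a password
2019-11-18 11:07:43.586 -0500 debug: _parse_adminusers(pan_auth_cfg_parse_util.c:359): "steve" user entry missing password profile
2019-11-18 11:07:43.586 -0500 debug: _parse_adminusers(pan_auth_cfg_parse_util.c:370): "steve" user entry missing authentication profile
2019-11-18 11:09:02.114 -0500 debug: example_auth_step(example_auth.c:101): authentication failed for user "my.user"
    continuation text without a timestamp header
2019-11-18 11:09:05.300 -0500 debug: example_auth_step(example_auth.c:120): authentication succeeded for user "steve"
'''

def parse(text):
    """Yield one dict per entry; header-less lines are folded into the previous entry."""
    entry = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            if entry is not None:
                yield entry
            entry = m.groupdict()
        elif entry is not None and raw.strip():
            entry['msg'] += ' ' + raw.strip()
    if entry is not None:
        yield entry

def search(entries, term):
    """Substring search like /term in the pager, but case-insensitive."""
    needle = term.lower()
    return [e for e in entries if needle in e['msg'].lower()]

def hits_by_source(entries):
    """Count matching entries per source file and line that logged them."""
    return Counter(f"{e['src']}:{e['line']}" for e in entries)

if __name__ == "__main__":
    entries = list(parse(SAMPLE))
    for term in ("steve", "failed"):
        print(term, dict(hits_by_source(search(entries, term))))
```
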
L1 Bithead

Re: Iphone globalprotect app 5.1

OS 8.1.10. Two-factor authentication with RSA SecurID and LDAP.

 

It appears to be a cert issue. Previously it was working fine. Have a cert from network solutions for the site remote.mydomain.com that is the vpn. It appears to want a trusted root CA.

Cyber Elite

Re: Iphone globalprotect app 5.1

Ok, so then... install the trusted root CA (which should be a public certificate, and should be able to get it....) As a matter of fact, if it IS a public CA, then your TCA store (for Windows) should be able to confirm if the required TCA is there. If not, then add it.

 

Seems more like PANW is making their software more secure by checking for TCAs.

 

Or you can downgrade if you want. 

 

What response are you looking for, from the community members?

Help the community: Like helpful comments and mark solutions
L1 Bithead

Re: Iphone globalprotect app 5.1

I was able to find our original cert package and loaded all those into my iPhone. The remote.mydomain.com cert now shows verified. Still getting the same issue though. Looking at system logs I get:

 

auth-success                     RSA
globalprotectportal-auth-succ    GP-Portal
globalprotectportal-config-succ  GP-Portal
auth-fail                        Active Directory    failed authentication for user 'my.user' Reason: Invalid username/password. auth profile 'Active Directory'
globaprotectgateway-auth-fail    Gateway1-N          globalprotect gateway user authentication failed

 

We use one port as the gateway and the portal. I am now going through a document sent to me by support for the cert setup so going to look at testing out a new setup.

 

My question for the community is: can people connect using an iPhone and the GlobalProtect app 5.1.0? When we were using the 5.0.9 app with the same setup as now it was working fine. I can also connect fine from a PC using the same credentials that fail on an iPhone.

Cyber Elite

Re: Iphone globalprotect app 5.1

While the community responds back, can you confirm you saw my comment about looking at the authd.log file to determine why AD is having an issue?

 

I am not quick to say it is because of GP, because the auth failure is coming from AD.  Can you try to make a test local account and confirm that local auth is working fine?  If you can do this, and then it fails when you try to use AD auth, then it goes to make sense, that something is not correct.  Maybe in 5.1 the incorrect username is being passed to the AD server for auth.

 

Please advise. 

Help the community: Like helpful comments and mark solutions
L1 Bithead

Re: Iphone globalprotect app 5.1

Sorry, should have noted that post. I did run it and sent that into support also. How exactly is the command formatted using the /steve for instance? I could not get that part to work. There are still some decryption errors in the GP logs from the iPhone so that might still be the issue. Thanks for your assistance.

 

 
