11-19-2017 10:04 PM
Hello,
1. Test with TEST-ldap-all which allows all domain users.

test@TEST-PA> test authentication authentication-profile TEST-ldap-all username test password
Enter password :
Target vsys is not specified, user "test" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
name "test" is in group "all"
Authentication to LDAP server at 10.1.1.3 for user "test"
Egress: 10.2.6.4
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
DN sent to LDAP server: CN=Company,OU=ITDept,OU=User,OU=Ann,DC=test,DC=net
User expires in days: never
Authentication succeeded for user "test"

2. Test with ldap profile which points to a domain global security group.

test@TEST-PA> test authentication authentication-profile test-ldap-globalprotect username test password
Enter password :
Allow list check error:
Target vsys is not specified, user "test" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
User test is not allowed with authentication profile test-ldap-globalprotect
Any thought on this?
Thanks in advance.
11-20-2017 04:51 AM
I see an authentication success message in the logs: 'Authentication succeeded for user "test"'.
Can you try connecting from the GlobalProtect client with the same user and share the output from the authd.log?
You can run a "tail follow yes mp-log authd.log" in the command line when attempting to connect from client.
11-20-2017 09:04 PM
Thanks for that. Below is the authd.log for user 'angusg'.
2017-11-10 21:30:29.084 +1000 debug: _get_profile_domain(pan_auth_sysd.c:890): auth prof "test-ldap-globalprotect" on vsys "vsys1" does NOT have domain
2017-11-10 21:30:29.084 +1000 Error: authd_sysd_profile_domain_callback(pan_auth_sysd.c:936): find domain for auth profile: test-ldap-globalprotect; vsys vsys1
2017-11-10 21:30:29.086 +1000 debug: pan_auth_request_process(pan_auth_state_engine.c:3306): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 24, body length 2128
2017-11-10 21:30:29.087 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2362): Trying to authenticate (init auth): <profile: "test-ldap-globalprotect", vsys: "vsys1", policy: "", username "angusg"> ; timeout setting: 25 secs ; authd id: 6486741776332750875
2017-11-10 21:30:29.087 +1000 debug: _get_auth_prof_detail(pan_auth_util.c:1057): non-admin user thru Global Protect "angusg" ; auth profile "test-ldap-globalprotect" ; vsys "vsys1"
2017-11-10 21:30:29.087 +1000 debug: _get_authseq_profile(pan_auth_util.c:856): Auth profile/vsys (test-ldap-globalprotect/vsys1) is NOT auth sequence
2017-11-10 21:30:29.087 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for test-ldap-globalprotect-vsys1-mfa
2017-11-10 21:30:29.087 +1000 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1020): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: test-ldap-globalprotect/vsys1)
2017-11-10 21:30:29.087 +1000 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:185): This is a single vsys platform, group check for allow list is performed on "vsys1"
2017-11-10 21:30:29.087 +1000 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:310): user "angusg" is NOT in allow list of auth prof/vsys "test-ldap-globalprotect/vsys1" (vsys in request "vsys1")
2017-11-10 21:30:29.087 +1000 failed authentication for user 'angusg'. Reason: User is not in allowlist. auth profile 'test-ldap-globalprotect', vsys 'vsys1', From: 122.104.158.11.
2017-11-10 21:30:29.087 +1000 debug: _log_auth_respone(pan_auth_server.c:263): Sent PAN_AUTH_FAILURE auth response for user 'angusg' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6486741776332750875)
2017-11-10 21:30:34.963 +1000 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "test-ldap-globalprotect", vsys "vsys1" (method: LDAP (active directory)) has sso hash table id: 0 (0 means no or invalid keytab)
2017-11-10 21:30:35.004 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:911): profiledomain triggered via sysd
2017-11-10 21:30:35.004 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:931): get domain for vsys1/test-ldap-globalprotect
2017-11-10 21:30:35.004 +1000 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "test-ldap-globalprotect", vsys "vsys1" (method: LDAP (active directory)) has sso hash table id: 0 (0 means no or invalid keytab)
2017-11-10 21:30:35.004 +1000 debug: _get_profile_domain(pan_auth_sysd.c:890): auth prof "test-ldap-globalprotect" on vsys "vsys1" does NOT have domain
2017-11-10 21:30:35.004 +1000 Error: authd_sysd_profile_domain_callback(pan_auth_sysd.c:936): find domain for auth profile: test-ldap-globalprotect; vsys vsys1
2017-11-10 21:30:35.006 +1000 debug: pan_auth_request_process(pan_auth_state_engine.c:3306): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 27, body length 2128
2017-11-10 21:30:35.006 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2362): Trying to authenticate (init auth): <profile: "test-ldap-globalprotect", vsys: "vsys1", policy: "", username "angusg"> ; timeout setting: 25 secs ; authd id: 6486741776332750878
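As an added example (not from the thread or from Palo Alto Networks), a small Python parser that pulls the "failed authentication" lines out of authd.log output like the above and flags auth profiles whose only failure reason is the allow-list check, which points at the profile's allow list rather than at bad credentials. The sample log is constructed here; its first line is copied from the post, the rest are made up.

```python
import re
from collections import defaultdict

# Matches the "failed authentication" line format seen in the authd.log excerpt above.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4}) "
    r"failed authentication for user '(?P<user>[^']*)'\. "
    r"Reason: (?P<reason>.+?)\. "
    r"auth profile '(?P<profile>[^']*)', vsys '(?P<vsys>[^']*)', "
    r"From: (?P<src>\d+(?:\.\d+){3})\.?$"
)

ALLOWLIST_REASON = "User is not in allowlist"


def parse_failures(log_text):
    """Return one dict per 'failed authentication' line; debug lines are ignored."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := FAIL_RE.match(line.strip()))]


def failures_by_profile(events):
    """Count failures per (profile, vsys) and per reason; collect the users affected."""
    summary = defaultdict(lambda: {"reasons": defaultdict(int), "users": set()})
    for e in events:
        key = (e["profile"], e["vsys"])
        summary[key]["reasons"][e["reason"]] += 1
        summary[key]["users"].add(e["user"])
    return summary


def suspected_allowlist_misconfig(events):
    """Profiles where every failure is an allow-list rejection (the symptom in this thread)."""
    return sorted(f"{p}/{v}" for (p, v), s in failures_by_profile(events).items()
                  if set(s["reasons"]) == {ALLOWLIST_REASON})


# Constructed sample: line 1 is the thread's own failure line; lines 2-4 are invented here.
SAMPLE_LOG = """\
2017-11-10 21:30:29.087 +1000 failed authentication for user 'angusg'. Reason: User is not in allowlist. auth profile 'test-ldap-globalprotect', vsys 'vsys1', From: 122.104.158.11.
2017-11-10 21:31:02.118 +1000 debug: _log_auth_respone(pan_auth_server.c:263): Sent PAN_AUTH_FAILURE auth response for user 'angusg' (authd_id: 1)
2017-11-10 21:32:10.500 +1000 failed authentication for user 'user1'. Reason: User is not in allowlist. auth profile 'test-ldap-globalprotect', vsys 'vsys1', From: 198.51.100.7.
2017-11-10 21:33:41.001 +1000 failed authentication for user 'test'. Reason: Invalid username/password. auth profile 'TEST-ldap-all', vsys 'vsys1', From: 198.51.100.9.
"""

if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    for key, s in failures_by_profile(evs).items():
        print(key, dict(s["reasons"]), sorted(s["users"]))
    print("check allow list on:", suspected_allowlist_misconfig(evs))
```

Feed it the output of "tail mp-log authd.log" (or a saved copy) instead of SAMPLE_LOG to see which profiles are rejecting users before the LDAP bind is even attempted.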
11-22-2017 04:07 AM
When you add the username to the auth profile, does the user auto-populate for you to select?
11-22-2017 06:59 PM
Thanks. Your hint helped to figure out that I need to replace allow-list from “cn=test global protect users,ou=security groups,ou=user1,DC=test,DC=net” to individual users like test\user1.
I then added all the users in this list.
But this does not seem to be scalable. I even tried using the short name test\ test global protect users, which did not work.
Is there a better scalable solution?
11-23-2017 09:07 AM
In the logs I see this error: "failed authentication for user 'angusg'. Reason: User is not in allowlist".
In your authentication profile, change the user domain to none (you will have to type it) and keep the user name modifier as %USERINPUT%.
11-23-2017 09:48 AM
Just start typing "test global"; this should also auto-populate a matching group.
It works for me.
09-17-2020 11:11 AM
I know this was from long ago, but I had a similar issue. It turns out that group mappings don't work well with security groups that have a - (dash) in the name. It took me a couple of days to realize this.
07-26-2021 07:51 AM
Hey. I know this is an old forum, but I was wondering if anyone found a more scalable way to solve this issue? As it still persists to this day (PAN-OS 9.1.10)
07-26-2021 12:24 PM
What exactly is the issue that you are running into getting this to scale? Generally speaking, I've found that the vast majority of people simply set up dynamic AD groups to manage this side of things, and it works pretty well.