10-30-2012 05:57 PM
Hi.
I've got LDAP authentication configured to allow users into a Global protect portal. I'm 100% sure it works OK, because I can authenticate against it.
Trouble is, I *can't* get it to authenticate against an Active Directory group. If I add individual usernames into the authentication profile used by the Global Protect setup, they work - which is how I know the LDAP is working.
If I add an AD user GROUP to the allow list, it simply doesn't match any users - Global Protect authentication fails with a "user not in allow list" error.
Any suggestions on how I can best troubleshoot/fix this? I don't want to have to modify the Firewall config every time I need to add a new VPN user - especially when other admins can modify the AD groups much more easily.
Thanks.
11-20-2012 04:05 PM
Darren,
Which version of PAN OS are you running?
11-20-2012 05:59 PM
Also make sure the login name has nothing appended to it and matches the username in the group.
From CLI:
show user group name "nameofgroup"
>> Make sure the name is listed there
tail follow yes mp-log authd.log
Then attempt to login and see if the username that is being received matches the same as the way it is displayed in the group listing.
Dominic
11-20-2012 06:03 PM
4.1.9 now - was 4.1.7 at the time I posted the question.
11-20-2012 06:22 PM
Dominic Burns wrote:
Also make sure the login name has nothing appended to it and matches the username in the group.
From CLI:
show user group name "nameofgroup"
>> Make sure the name is listed there
tail follow yes mp-log authd.log
Then attempt to login and see if the username that is being received matches the same as the way it is displayed in the group listing.
Dominic
The first command definitely shows all users in the group concerned.
[abbreviated and obfuscated list]
darren@Gate(active)> show user group name domain\vpn-users
group short name: domain\vpn-users
[...]
[15 ] domain\darren.gibbs
[...]
So, you can see I am in the group, and the firewall recognises I am in the group.
Doing the second (I removed myself from the individual allow-list configuration and relied on the AD group membership) got me this:
Nov 21 13:16:15 pan_authd_service_req(pan_authd.c:2683): Authd:Trying to remote authenticate user: darren.gibbs
Nov 21 13:16:15 pan_authd_service_auth_req(pan_authd.c:1174): AUTH Request <'vsys1','VPNUsers','darren.gibbs'>
Nov 21 13:16:15 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3606): failed to fetch: NO_MATCHES
Nov 21 13:16:15 panauth:user <darren.gibbs,VPNUsers,vsys1> is not allowed
Nov 21 13:16:15 pan_authd_process_authresult(pan_authd.c:1318): pan_authd_process_authresult: darren.gibbs authresult not auth'ed
Nov 21 13:16:15 pan_authd_process_authresult(pan_authd.c:1342): Alarm generation set to: False.
Nov 21 13:16:15 User 'darren.gibbs' failed authentication. Reason: User is not in allowlist From: 110.142.210.164.
Nov 21 13:16:15 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Nov 21 13:16:15 pan_authd_generate_system_log(pan_authd.c:897): CC Enabled=False
Nov 21 13:16:15 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Any further suggestions welcomed.
11-20-2012 06:48 PM
Hi Darren,
In the allow list is the group listed in the "domain\groupname" format or as a DN string? In 4.1.9 when you add an allow list entry the drop down is populated with the DN string representing the group, we have seen issues where this format doesn't match to the group lists on the firewall. Could you try to enter the group to the allow list in the "domain\groupname" format and see if there is a change?
Thanks,
-- Kevin
11-20-2012 06:54 PM
Currently, it's configured as a DN string. I will change to "domain\groupname" format and see how it goes.
Thanks
11-20-2012 06:59 PM
Kevin.
No good. Same result. Authentication failed.
Darren
11-20-2012 07:26 PM
In my previous (now deleted) reply, I spoke too soon.
When I hit the web portal (where you can download the GlobalProtect client from), it authenticates, and appears to work fine.
When I actually use the GlobalProtect *client*, the authentication fails.
This is what happens when I hit the web portal:
Nov 21 14:22:34 pan_get_ldap_ip(pan_authd_passwd.c:120): Reading file /etc/openldap/pan_ldap_vsys1_:v:p:n:users_0
Nov 21 14:22:34 pan_authd_bind(pan_authd_passwd.c:244): binding with binddn CN=Administrator,CN=Users,DC=domain,DC=corp
Nov 21 14:22:34 pan_authd_ldap_search_result(pan_authd_passwd.c:357): searching base 'DC=domain,DC=corp' for (sAMAccountName=darren.gibbs) (userAccountControl)
Nov 21 14:22:34 pan_authd_ldap_search_result(pan_authd_passwd.c:380): DN in entry CN=Darren Gibbs,OU=T,OU=BO,OU=AU,DC=domain,DC=corp
Nov 21 14:22:34 process_ad_usracct(pan_authd_passwd.c:496): AD :Got value userAccountControl : 66048
Nov 21 14:22:34 pan_get_ad_passwd_expiry(pan_authd_passwd.c:687): userAccountControl = 66048
Nov 21 14:22:34 pan_get_ad_passwd_expiry(pan_authd_passwd.c:689): Password doesn't expire for username darren.gibbs
Nov 21 14:22:34 authentication succeeded for user <vsys1,VPNUsers,domain\darren.gibbs>
Nov 21 14:22:34 pan_authd_process_authresult(pan_authd.c:1318): pan_authd_process_authresult: domain\darren.gibbs authresult auth'ed
Nov 21 14:22:34 Request received to unlock vsys1/VPNUsers/domain\darren.gibbs
Nov 21 14:22:34 User 'aicorp\darren.gibbs' authenticated. From: xxx.www.yyy.zzz.
However, when I use the GlobalProtect CLIENT, this is what I get:
Nov 21 14:23:42 authd_sysd_localprofile_callback(pan_authd.c:3659): localprofile sync triggered via sysd
Nov 21 14:23:42 authd_sysd_localprofile_callback(pan_authd.c:3679): get local info for vsys1/VPNUsers
Nov 21 14:24:57 pan_authd_service_req(pan_authd.c:2683): Authd:Trying to remote authenticate user: darren.gibbs
Nov 21 14:24:57 pan_authd_service_auth_req(pan_authd.c:1174): AUTH Request <'vsys1','VPNUsers','darren.gibbs'>
Nov 21 14:24:57 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3606): failed to fetch: NO_MATCHES
Nov 21 14:24:57 panauth:user <darren.gibbs,VPNUsers,vsys1> is not allowed
Nov 21 14:24:57 pan_authd_process_authresult(pan_authd.c:1318): pan_authd_process_authresult: darren.gibbs authresult not auth'ed
Nov 21 14:24:57 pan_authd_process_authresult(pan_authd.c:1342): Alarm generation set to: False.
Nov 21 14:24:57 User 'darren.gibbs' failed authentication. Reason: User is not in allowlist From: xxx.www.yyy.zzz
So what gives? Why does it work with one authentication (via the web portal), and not with the actual VPN client??
Anyone?
11-20-2012 07:56 PM
Can you verify in your LDAP profile that the domain is specified? It appears that when you login via GP your user is recognized as just "darren.gibbs", without the domain. If the domain is not appended to the username then the group matching will fail since the firewall will compare the user string against the member list which all have the domain included.
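The mismatch Kevin describes is easy to reproduce offline. The following Python script is an added example, not code from the thread or from Palo Alto Networks: it parses a constructed `show user group name` listing and a constructed `authd.log` excerpt modelled on the lines above, performs the same exact-string membership comparison the firewall is described as doing, and flags AUTH Requests whose user string lacks the `domain\` prefix that every group member carries. The `qualify()` helper stands in for the effect of setting the domain in the LDAP profile; the member names and the `domain` value are made up.

```python
import re
from typing import Optional

# Constructed sample of `show user group name` output, shaped like the
# listing posted in the thread (member names are made up).
GROUP_LISTING = """group short name: domain\\vpn-users
[15 ] domain\\darren.gibbs
[16 ] domain\\jane.doe
"""

# Constructed authd.log excerpt modelled on the lines in the thread:
# one bare-username request (fails) and one domain-qualified request.
AUTHD_LOG = """Nov 21 13:16:15 pan_authd_service_auth_req(pan_authd.c:1174): AUTH Request <'vsys1','VPNUsers','darren.gibbs'>
Nov 21 13:16:15 panauth:user <darren.gibbs,VPNUsers,vsys1> is not allowed
Nov 21 14:22:34 pan_authd_service_auth_req(pan_authd.c:1174): AUTH Request <'vsys1','VPNUsers','domain\\darren.gibbs'>
Nov 21 14:22:34 authentication succeeded for user <vsys1,VPNUsers,domain\\darren.gibbs>
"""

# "[15 ] domain\user" -> member name
MEMBER_RE = re.compile(r"^\[\s*\d+\s*\]\s+(\S+)\s*$")
# "AUTH Request <'vsys','profile','user'>" -> (vsys, profile, user)
AUTH_REQ_RE = re.compile(r"AUTH Request <'([^']*)','([^']*)','([^']*)'>")


def parse_group_members(listing: str) -> set[str]:
    """Collect member names from `show user group name` output, case-folded
    because AD account names are case-insensitive."""
    members = set()
    for line in listing.splitlines():
        m = MEMBER_RE.match(line.strip())
        if m:
            members.add(m.group(1).lower())
    return members


def qualify(user: str, domain: Optional[str]) -> str:
    """Hypothetical stand-in for the LDAP profile's domain setting: prefix a
    bare login with 'domain\\', leave already-qualified names alone."""
    if domain is None or "\\" in user:
        return user
    return f"{domain}\\{user}"


def is_allowed(user: str, members: set[str], domain: Optional[str] = None) -> bool:
    """Exact string comparison of the (possibly qualified) login against the
    group member list, as the thread describes the firewall doing."""
    return qualify(user, domain).lower() in members


def diagnose(log: str, listing: str) -> list[str]:
    """Flag AUTH Requests whose user string has no domain prefix while every
    group member does: the condition behind 'User is not in allowlist'."""
    members = parse_group_members(listing)
    all_qualified = bool(members) and all("\\" in m for m in members)
    findings = []
    for line in log.splitlines():
        m = AUTH_REQ_RE.search(line)
        if not m:
            continue
        vsys, profile, user = m.groups()
        if all_qualified and "\\" not in user:
            example = sorted(members)[0]
            findings.append(
                f"{profile}@{vsys}: '{user}' arrived without a domain prefix; "
                f"group members look like '{example}'"
            )
    return findings


if __name__ == "__main__":
    members = parse_group_members(GROUP_LISTING)
    print("bare login allowed?     ", is_allowed("darren.gibbs", members))
    print("with domain set allowed?", is_allowed("darren.gibbs", members, domain="domain"))
    for finding in diagnose(AUTHD_LOG, GROUP_LISTING):
        print("finding:", finding)
```

Run against a real `show user group name` listing and a `tail` of `mp-log authd.log`, the same check tells you in seconds whether the string the client sends is the string the group listing contains, which is exactly the comparison the earlier CLI steps ask you to do by eye.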
11-20-2012 07:59 PM
Where do I do that? As far as I know, it is, but I followed a rather old document based on V3 PA software in setting this up, so I could have done something wrong somewhere.
11-20-2012 08:06 PM
Yee Ha! Found it! And what's more, it works! Login via the web portal *and* the GlobalProtect client works!! You're a legend, Kevin! Thanks so much for your input!