LDAP authentication not matching user groups

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

LDAP authentication not matching user groups

L4 Transporter

Hi.

I've got LDAP authentication configured to allow users into a Global protect portal. I'm 100% sure it works OK, because I can authenticate against it.

Trouble is, I *can't* get it to authenticate against an Active Directory group. if I add individual usernames into the authentication profile used by the Global Protect setup, they work - which is how I know the LDAP is working/

If I add an AD user GROUP to the allow list, it simply doesn't match any users - Global Protect authentication fails with a "user not in allow list" error.

Any suggestions on how I can best troubleshoot/fix this? I don't want to have to modify the Firewall config every time I need to add a new VPN user - especially when other admins can modify the AD groups much more easily.

Thanks.

1 accepted solution

Accepted Solutions

Can you verify in your LDAP profile that the domain is specified?  It appears that when you login via GP your user is recognized as just "darren.gibbs", without the domain.  If the domain is not appended to the username then the group matching will fail since the firewall will compare the user string against the member list which all have the domain included.

View solution in original post

11 REPLIES 11

L5 Sessionator

Darren,

Which version of PAN OS are you running?

L4 Transporter

Also make sure the login name has nothing appended to it and matched the username in the group.

From CLI:

                    

     show user group name "nameofgroup"

>> Make sure the name is listed there

tail follow yes mp-log authd.log

Then attempt to login and see if the username that is being received matches the same as the way it is displayed in the group listing.

Dominic

4.1.9 now - was 4.1.7 at the time I posted the question

Dominic Burns wrote:

Also make sure the login name has nothing appended to it and matched the username in the group.

From CLI:

                  

     show user group name "nameofgroup"

>> Make sure the name is listed there

tail follow yes mp-log authd.log

Then attempt to login and see if the username that is being received matches the same as the way it is displayed in the group listing.

Dominic

The first command definitely shows all users in the group concerned.

[abbreviated and offuscated list]

darren@Gate(active)> show user group name domain\vpn-users

group short name: domain\vpn-users

[...]

[15    ] domain\darren.gibbs

[...]

So, you can see I am in the group, and the firewall recognises I am in the group.

Doing the second (I removed myself from the individual allow-list configuration and relied on the AD group membership) got me this

Nov 21 13:16:15 pan_authd_service_req(pan_authd.c:2683): Authd:Trying to remote authenticate user: darren.gibbs

Nov 21 13:16:15 pan_authd_service_auth_req(pan_authd.c:1174): AUTH Request <'vsys1','VPNUsers','darren.gibbs'>

Nov 21 13:16:15 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3606): failed to fetch: NO_MATCHES

Nov 21 13:16:15 panauth:user <darren.gibbs,VPNUsers,vsys1> is not allowed

Nov 21 13:16:15 pan_authd_process_authresult(pan_authd.c:1318): pan_authd_process_authresult: darren.gibbs authresult not auth'ed

Nov 21 13:16:15 pan_authd_process_authresult(pan_authd.c:1342): Alarm generation set to: False.

Nov 21 13:16:15 User 'darren.gibbs' failed authentication.  Reason: User is not in allowlist From: 110.142.210.164.

Nov 21 13:16:15 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode

Nov 21 13:16:15 pan_authd_generate_system_log(pan_authd.c:897): CC Enabled=False

Nov 21 13:16:15 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode

Any further suggestions welcomed.

Hi Darren,

In the allow list is the group listed in the "domain\groupname" format or as a DN string?  In 4.1.9 when you add an allow list entry the drop down is populated with the DN string representing the group, we have seen issues where this format doesn't match to the group lists on the firewall.  Could you try to enter the group to the allow list in the "domain\groupname" format and see if there is a change?

Thanks,

-- Kevin

Currently, it's configured as a DN string. I will change to "domain\groupname" format and see how it goes.

Thanks

Kevin.

No good. Same result. Authentication failed.

Darren

In my previous (now deleted) reply, I've spoken too soon.

when I hit the web portal (where you can download the GlobalProtect client from), it authenticates, and appears to work fine.

When I actually use the GlobalProtect *client*, the authentication fails.

This is what happens when I hit the web portal

Nov 21 14:22:34 pan_get_ldap_ip(pan_authd_passwd.c:120): Reading file /etc/openldap/pan_ldap_vsys1_:v:p:n:users_0

Nov 21 14:22:34 pan_authd_bind(pan_authd_passwd.c:244): binding with binddn CN=Administrator,CN=Users,DC=domain,DC=corp

Nov 21 14:22:34 pan_authd_ldap_search_result(pan_authd_passwd.c:357): searching base 'DC=domain,DC=corp' for (sAMAccountName=darren.gibbs) (userAccountControl)

Nov 21 14:22:34 pan_authd_ldap_search_result(pan_authd_passwd.c:380): DN in entry CN=Darren Gibbs,OU=T,OU=BO,OU=AU,DC=domain,DC=corp

Nov 21 14:22:34 process_ad_usracct(pan_authd_passwd.c:496): AD :Got value userAccountControl : 66048

Nov 21 14:22:34 pan_get_ad_passwd_expiry(pan_authd_passwd.c:687): userAccountControl = 66048

Nov 21 14:22:34 pan_get_ad_passwd_expiry(pan_authd_passwd.c:689): Password doesn't expire for username darren.gibbs

Nov 21 14:22:34 authentication succeeded for user <vsys1,VPNUsers,domain\darren.gibbs>

Nov 21 14:22:34 pan_authd_process_authresult(pan_authd.c:1318): pan_authd_process_authresult: domain\darren.gibbs authresult auth'ed

Nov 21 14:22:34 Request received to unlock vsys1/VPNUsers/domain\darren.gibbs

Nov 21 14:22:34 User 'aicorp\darren.gibbs' authenticated.   From: xxx.www.yyy.zzz.

However, when I use the GlobalProtect CLIENT, this is what I get

Nov 21 14:23:42 authd_sysd_localprofile_callback(pan_authd.c:3659): localprofile sync triggered via sysd

Nov 21 14:23:42 authd_sysd_localprofile_callback(pan_authd.c:3679): get local info for vsys1/VPNUsers

Nov 21 14:24:57 pan_authd_service_req(pan_authd.c:2683): Authd:Trying to remote authenticate user: darren.gibbs

Nov 21 14:24:57 pan_authd_service_auth_req(pan_authd.c:1174): AUTH Request <'vsys1','VPNUsers','darren.gibbs'>

Nov 21 14:24:57 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3606): failed to fetch: NO_MATCHES

Nov 21 14:24:57 panauth:user <darren.gibbs,VPNUsers,vsys1> is not allowed

Nov 21 14:24:57 pan_authd_process_authresult(pan_authd.c:1318): pan_authd_process_authresult: darren.gibbs authresult not auth'ed

Nov 21 14:24:57 pan_authd_process_authresult(pan_authd.c:1342): Alarm generation set to: False.

Nov 21 14:24:57 User 'darren.gibbs' failed authentication.  Reason: User is not in allowlist From: xxx.www.yyy.zzz

So what gives? Why does it work with one authentication (via the web portal), and not with the actual VPN client??

Anyone?

Can you verify in your LDAP profile that the domain is specified?  It appears that when you login via GP your user is recognized as just "darren.gibbs", without the domain.  If the domain is not appended to the username then the group matching will fail since the firewall will compare the user string against the member list which all have the domain included.

Where do I do that? As far as I know, it is, but I followed a rather old document based on V3 PA software in setting this up, so I could have done something wrong somewhere.

Yee Ha! Found it! And what's more, it works! Login via the web portal *and* the GlobalProtect client works!! You're a legend, Kevin! Thanks so much for your input!

  • 1 accepted solution
  • 6897 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!