06-18-2018 01:12 PM
PA220, PANOS 8.1.1
Working on setting up GlobalProtect using AD/LDAP auth and groups to define access.
I have user configs set up by AD group and the log shows "matching config not found".
On digging into it some more, it appears that the user, in the PA, doesn't have the appropriate groups attached. Despite that they do in AD.
AD Group has four members. Three of the members show up in the PA. The fourth does not.
show user user-ids match-user domain\ProblemUser returns an empty table. While the other three users in the group return complete information as expected.
Account is functional and has full access to what all it's supposed to from the AD side of things.
I've done a debug user-id reset group-mapping all and I'm still having the same issues.
Where should I start troubleshooting from here?
06-18-2018 01:32 PM
Is the problematic user in the same OU as the other three? Or more specific: is the user in an OU that is covered by the base DN that you specified in the LDAP server profile?
06-18-2018 01:33 PM
All four users are in the same OU and are covered by the Base DN.
06-18-2018 01:39 PM
When you do the opposite as you already did with the command "show user group name GROUPNAME", there the problem user is also missing right?
06-18-2018 01:43 PM
Correct, ProblemUser does not show up as a member of the group in the PA.
06-18-2018 01:56 PM
Is - for whatever reason - the user in an exclude list or excluded in the LDAP filter in the Group mapping settings?
06-18-2018 01:58 PM
Nope, I don't have anything in the excludes.
Group Mapping is only looking at the AD Group.
06-19-2018 08:59 AM
I assume you are using different AD accounts for user administration and LDAP. It may be worth setting up another LDAP profile with the full admin account and retesting "show user group name ...", just to ensure the user is not masked somehow within AD.
06-19-2018 09:10 AM
The account in question isn't set up for admin rights to the PA, only auth for the GP portal.
The LDAP Admins group is working correctly and shows up in the "show user group name" as expected.
I'm using a single LDAP Server Profile setup in the PA.
Group Mapping is then looking for specific groups, and then GP is limited further by group membership.
Did I follow you correctly?
06-19-2018 09:15 AM
I don't think you understood me... sorry.
Nothing to do with PA admins.
Your LDAP profile has a bind account and password.
When you administer your domain, I assume you are using a different account from the bind one.
Try that AD admin account as your LDAP bind.
06-19-2018 09:22 AM
Okay, I follow you now.
I just switched to my domain admin and now the group membership shows correctly.
Now I'll go talk to the AD admin and find out what needs to happen to make this work.
Thanks for your input!
I'll update if/when I find the cure.
06-19-2018 09:28 AM
Nice one, sorry for the confusion....
06-20-2018 01:47 PM - edited 06-21-2018 11:42 AM
Update.
After banging our head on it a lot lately, we finally found that adding the Domain Users group to the GroupMapping resolved the issue.
Unclear why this is the case, but maybe it'll help someone else in the future.
edited to improve clarity
06-20-2018 02:41 PM
So you really had to add a single user to the group mapping? ... sounds like a bug to me ...
You could try to update to 8.1.2 ... maybe you're lucky and then it "magically" works.
06-21-2018 11:42 AM
@Remo No, I had to add the group Domain Users to the Group Mapping to get the details on the users to show correctly.
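The two checks this thread walks through (is the member's DN under the LDAP profile's base DN, and can the bind account actually read the member's object) can be modelled offline. The script below is an added example and is not code from the thread or from Palo Alto Networks; the directory contents, account names, DNs and the per-object read permissions are all constructed assumptions. It resolves a group's members the way a group-mapping job would, records why each unresolved member was dropped, and shows that an object the bind account cannot read is simply missing from the result rather than raising an error, which is the same silent symptom as the empty "show user user-ids match-user" table described above.

```python
"""Constructed model of LDAP group-member resolution and its two common
failure modes: a member outside the base DN, and a member object the bind
account is not permitted to read.  All data here is constructed; the
directory, account names and ACLs are assumptions, not real AD output."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    attrs: dict
    # Bind accounts allowed to read this object. None = readable by any bound user.
    readable_by: Optional[set] = None


# Assumed base DN configured in the LDAP server profile.
BASE_DN = "OU=Corp,DC=example,DC=local"
GROUP_DN = "CN=GP-Users,OU=Groups,OU=Corp,DC=example,DC=local"

# Constructed: the "problem user" object is only readable by the domain admin,
# while the other users are readable by any bound account.
PROBLEM_DN = "CN=ProblemUser,OU=Users,OU=Corp,DC=example,DC=local"
# Constructed: a member whose DN lies outside the configured base DN.
CONTRACTOR_DN = "CN=Dave,OU=Contractors,DC=example,DC=local"

DIRECTORY = {
    GROUP_DN: Entry({"member": [
        "CN=Alice,OU=Users,OU=Corp,DC=example,DC=local",
        "CN=Bob,OU=Users,OU=Corp,DC=example,DC=local",
        "CN=Carol,OU=Users,OU=Corp,DC=example,DC=local",
        PROBLEM_DN,
        CONTRACTOR_DN,
    ]}),
    "CN=Alice,OU=Users,OU=Corp,DC=example,DC=local": Entry({"sAMAccountName": "alice"}),
    "CN=Bob,OU=Users,OU=Corp,DC=example,DC=local": Entry({"sAMAccountName": "bob"}),
    "CN=Carol,OU=Users,OU=Corp,DC=example,DC=local": Entry({"sAMAccountName": "carol"}),
    PROBLEM_DN: Entry({"sAMAccountName": "problemuser"}, readable_by={"domain-admin"}),
    CONTRACTOR_DN: Entry({"sAMAccountName": "dave"}),
}


def split_dn(dn: str) -> list:
    """Split a DN into normalised RDN components (case-insensitive, trimmed)."""
    return [c.strip().lower() for c in dn.split(",")]


def dn_under_base(dn: str, base_dn: str) -> bool:
    """True if dn is the base DN itself or lies beneath it (suffix match on RDNs)."""
    d, b = split_dn(dn), split_dn(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b


def read_entry(directory: dict, dn: str, bind_account: str) -> Optional[dict]:
    """Return the object's attributes, or None if it is absent or not readable
    by this bind account.  AD returns nothing for objects the caller cannot
    read, so the caller sees the same result as for a missing object."""
    entry = directory.get(dn)
    if entry is None:
        return None
    if entry.readable_by is not None and bind_account not in entry.readable_by:
        return None
    return entry.attrs


def resolve_group(directory: dict, group_dn: str, base_dn: str, bind_account: str):
    """Resolve a group's members to account names as a group-mapping job would.

    Returns (resolved, unresolved): resolved maps sAMAccountName -> DN,
    unresolved maps member DN -> the reason it was dropped."""
    resolved, unresolved = {}, {}
    if not dn_under_base(group_dn, base_dn) or read_entry(directory, group_dn, bind_account) is None:
        return resolved, {group_dn: "group not visible under base DN"}
    for member_dn in directory[group_dn].attrs.get("member", []):
        if not dn_under_base(member_dn, base_dn):
            unresolved[member_dn] = "outside base DN"
            continue
        attrs = read_entry(directory, member_dn, bind_account)
        if attrs is None:
            unresolved[member_dn] = "not readable by bind account"
            continue
        resolved[attrs["sAMAccountName"]] = member_dn
    return resolved, unresolved


if __name__ == "__main__":
    for account in ("svc-ldap-bind", "domain-admin"):
        ok, dropped = resolve_group(DIRECTORY, GROUP_DN, BASE_DN, account)
        print(f"bind as {account}: resolved={sorted(ok)}")
        for dn, why in dropped.items():
            print(f"  dropped {dn}: {why}")
```

Running it with the limited bind account yields three resolved members and two dropped ones with distinct reasons; running it as the domain admin recovers the problem user and leaves only the out-of-base-DN member dropped. That difference between two bind accounts, with nothing else changed, is the discriminating check the thread converged on: if a member appears only under the more privileged bind, the cause is what the bind account is allowed to read, not the group mapping configuration.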