LDAP groups not populating correctly

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

LDAP groups not populating correctly

L3 Networker

PA220, PANOS 8.1.1

Working on setting up GlobalProtect using AD/LDAP auth and groups to define access. 
I have userconfigs setup by AD Group and the log is "matching config not found" 
On digging into it some more, it appears that the user, in the PA, doesn't have the appropriate groups attached. Despite that they do in AD. 

AD Group has four members. Three of the members show up in the PA. The fourth does not. 
show user user-ids match-user domain\ProblemUser  returns an empty table. While the other three users in the group return complete information as expected. 
Account is functional and has full access to what all it's supposed to from the AD side of things. 

I've done a debug user-id reset group-mapping all and I'm  still having the same issues. 

Where should I start troubleshooting from here? 

21 REPLIES 21

so... to confirm...

 

your portal agent config is set to a certain group, but the full group only works if you add "domain users" to the group mapping "group include" list.

 

or...

 

you have just added the users individually in the portal agent config and this only works when you add "domain users" to the group mapping "group include" list..

 

or none of the above....

 

Portal config is set by AD Group. 
When I only put the usergroups I'm selecting into the Auth Profile, it only works for some users. 
When I put the usergroups I want for GP Auth AND add the group "Domain Users" to the Auth Profile, then all the users work. 

so in effect... your are granting GP access to all users, or have i missed something here...

cancel that, let me read that again....

Sorta, but not really. 
All users will get authenticated, but won't be allowed access because they won't have a matching config in GP. 

so....     user-group in "server profile" and user-group in "portal agent" only allows some users in the user-group (not sure what your group is called)..

 

but domain users group in "server profile" and user-group in "portal agent" allows all users in user-group to authenticate and get portal config.

 

 

 

VPNUsers <- AD Group

Domain Users <- AD Group. 

AuthProfile must contain VPNUsers AND Domain Users for VPNUsers to be able to auth against the GP Gateway Client Config. 
GP Gateway Client Config ONLY contains VPNUsers. 
Anyone that's not a member of VPNUsers will be able to auth, but not connect as there's no matching profile for their user account. 

  • 11864 Views
  • 21 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!