PAN-200 and Active Directory - Part II

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PAN-200 and Active Directory - Part II

L3 Networker
  • PAN-200 Software version: 6.0.1
  • GlobalProtect Agent: 2.0.4
  • New domain, built on Windows Server 2012 R2.

I'm missing _something_.   Setup as below and I cannot login with the domain name account to the VPN.  It's got to be one .. little .... thing.

Device - Setup - Services - Services Features: Service Route Configuration / Destination

  • Destination: <ip of domain controller>
  • Source Interface: Any
  • Source Address: 209.59.29.193/26

Device - Server Profiles - LDAP - created server profile 'Windstream-AD'

Server

  •   Name: tn-ad-01
  •   LDAP Server: <redacted IP>
  •   Port: 389

Unchecked SSL

Entered NetBIOS domain name

Type: Active Directory

Clicked the Base Drop down and voila: I got a base LDAP information, all filled in.

Entered  BIND DN and valid credentials.

Device - User Identification - Group Mapping Settings

Found the Server Profile 'Windstream-AD'

Click 'Group Include List'

and it found the list <netbiosname>\ns-vpnusers

And .. now what? Is there something else?  The two users in the group ns-vpnusers cannot login with their domain credentials.

Man - what am I missing?

9 REPLIES 9

L5 Sessionator

bdunbar

Could you verify if the login attribute in the authentication profile is set to sAMAccountName ?

Also have you specified any users in the allow-list, I will first suggest you to try with "all" in allow-list

Also have you specified any users in the allow-list,

Device - Authentication Profile

Name: Active Directory

Allow List: All

login attribute in the authentication profile is set to sAMAccountName ?


I don't see a login attribute there.  But in Device - User Identification - Group Mapping Settings ..

Name: Windstream AD

User Objects - user name 'sAMAccountName'


EDIT

Correction to the above - I put 'sAMAccountName' in  the auth profile 'login attribute'.  Committed. Same issue.

bdunbar

I am referring to this attribute:

sAMAccountName.JPG

Yes, I realized my mistake (see edit).  I inserted that value there: no dice.

Hello,

Also make sure that you have set the user's AD account settings to allow the user to log onto "all computers" instead of the the "following computers".

Hope this helps.

Thanks

Tilak

Could you type following command on CLI:

tail follow yes mp-log authd.log

Now try to login through global protect and paste the output of above command here.

Interesting: LOCAL_CP is one of three auth profiles on the device.  The others are

Keberos Auth - using this to login admin accounts authorized to Active Directory

Windstream Active Directory - this is my problem child, right now.

AD account is first.last

login as first.last

2014-10-06 16:48:50.484 -0500 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: brian.dunbar

2014-10-06 16:48:50.484 -0500 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LOCAL_GP','brian.dunbar'>

2014-10-06 16:48:50.493 -0500 debug: pan_localdb_authenticate(pan_authd_localdb_utils.c:133): No such user <vsys1,LOCAL_GP,brian.dunbar>

2014-10-06 16:48:50.494 -0500 authentication failed for local user <brian.dunbar(orig:brian.dunbar),LOCAL_GP,vsys1>

2014-10-06 16:48:50.494 -0500 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: brian.dunbar authresult not auth'ed

2014-10-06 16:48:50.510 -0500 debug: pan_authd_process_authresult(pan_authd.c:1399): Alarm generation set to: False.

2014-10-06 16:48:50.510 -0500 User 'brian.dunbar' failed authentication.  Reason: Invalid username/password From: 216.55.49.134.

2014-10-06 16:48:50.510 -0500 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False

login as netbios\first.last

2014-10-06 16:49:03.996 -0500 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: corp-cicayda\brian.dunbar

2014-10-06 16:49:03.996 -0500 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LOCAL_GP','corp-cicayda\brian.dunbar'>

2014-10-06 16:49:04.011 -0500 debug: pan_localdb_authenticate(pan_authd_localdb_utils.c:133): No such user <vsys1,LOCAL_GP,corp-cicayda\brian.dunbar>

2014-10-06 16:49:04.011 -0500 authentication failed for local user <corp-cicayda\brian.dunbar(orig:corp-cicayda\brian.dunbar),LOCAL_GP,vsys1>

2014-10-06 16:49:04.011 -0500 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: corp-cicayda\brian.dunbar authresult not auth'ed

2014-10-06 16:49:04.021 -0500 debug: pan_authd_process_authresult(pan_authd.c:1399): Alarm generation set to: False.

2014-10-06 16:49:04.021 -0500 User 'corp-cicayda\brian.dunbar' failed authentication.  Reason: Invalid username/password From: 216.55.49.134.

2014-10-06 16:49:04.021 -0500 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False

login as first.last@post-windows-2000.domain

2014-10-06 16:49:21.859 -0500 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: brian.dunbar@corp.cicayda.com

2014-10-06 16:49:21.860 -0500 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LOCAL_GP','brian.dunbar@corp.cicayda.com'>

2014-10-06 16:49:21.869 -0500 debug: pan_localdb_authenticate(pan_authd_localdb_utils.c:133): No such user <vsys1,LOCAL_GP,corp-cicayda\brian.dunbar>

2014-10-06 16:49:21.869 -0500 authentication failed for local user <corp-cicayda\brian.dunbar(orig:brian.dunbar@corp.cicayda.com),LOCAL_GP,vsys1>

2014-10-06 16:49:21.869 -0500 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: corp-cicayda\brian.dunbar authresult not auth'ed

2014-10-06 16:49:21.881 -0500 debug: pan_authd_process_authresult(pan_authd.c:1399): Alarm generation set to: False.

2014-10-06 16:49:21.881 -0500 User 'corp-cicayda\brian.dunbar' failed authentication.  Reason: Invalid username/password From: 216.55.49.134.

2014-10-06 16:49:21.881 -0500 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False

EDIT

It looks like the problem is that vsys1 is associated with 'LOCAL_GP'.  So .. I need to define a new virtual system (vsys2?) and associate that with LDAP.

I'm skimming virtual systems docs - very slick. I'm liking PAN more, and more.  Once I get it working I might well fall in love with it ...

EDIT

Nope. I was wrong.  But looking to fix the above I made it right ...

Network - Global Protect  - Portals - edit ..

Authentication from 'GP_Portal' (what we had setup for local access prior to getting AD stood up) to 'Windstream Active Directory' aka the profile I setup for LDAP/AD.

And I'm in.  Groovy.  Thanks!

Could you also check the domain controller logs at the same time ? Also make sure the user has not been locked out due to multiple failure attempts.

Hope it helps !

  • 4723 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!