10-06-2014 02:13 PM
I'm missing _something_. Setup as below and I cannot login with the domain name account to the VPN. It's got to be one .. little .... thing.
Device - Setup - Services - Services Features: Service Route Configuration / Destination
Device - Server Profiles - LDAP - created server profile 'Windstream-AD'
Server
Unchecked SSL
Entered NetBIOS domain name
Type: Active Directory
Clicked the Base Drop down and voila: I got a base LDAP information, all filled in.
Entered BIND DN and valid credentials.
Device - User Identification - Group Mapping Settings
Found the Server Profile 'Windstream-AD'
Click 'Group Include List'
and it found the list <netbiosname>\ns-vpnusers
And .. now what? Is there something else? The two users in the group ns-vpnusers cannot login with their domain credentials.
Man - what am I missing?
10-06-2014 02:15 PM
Could you verify if the login attribute in the authentication profile is set to sAMAccountName?
Also, have you specified any users in the allow-list? I would first suggest you try with "all" in the allow-list.
10-06-2014 02:26 PM
Also have you specified any users in the allow-list,
Device - Authentication Profile
Name: Active Directory
Allow List: All
login attribute in the authentication profile is set to sAMAccountName ?
I don't see a login attribute there. But in Device - User Identification - Group Mapping Settings ..
Name: Windstream AD
User Objects - user name 'sAMAccountName'
EDIT
Correction to the above - I put 'sAMAccountName' in the auth profile 'login attribute'. Committed. Same issue.
10-06-2014 02:32 PM
I am referring to this attribute:
10-06-2014 02:35 PM
Yes, I realized my mistake (see edit). I inserted that value there: no dice.
10-06-2014 02:39 PM
Hello,
Also make sure that you have set the user's AD account settings to allow the user to log onto "all computers" instead of the "following computers".
Hope this helps.
Thanks
Tilak
10-06-2014 02:40 PM
Could you type the following command on the CLI:
tail follow yes mp-log authd.log
Now try to log in through GlobalProtect and paste the output of the above command here.
10-06-2014 02:51 PM
Interesting: LOCAL_CP is one of three auth profiles on the device. The others are
Kerberos Auth - using this to login admin accounts authorized to Active Directory
Windstream Active Directory - this is my problem child, right now.
AD account is first.last
login as first.last
2014-10-06 16:48:50.484 -0500 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: brian.dunbar
2014-10-06 16:48:50.484 -0500 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LOCAL_GP','brian.dunbar'>
2014-10-06 16:48:50.493 -0500 debug: pan_localdb_authenticate(pan_authd_localdb_utils.c:133): No such user <vsys1,LOCAL_GP,brian.dunbar>
2014-10-06 16:48:50.494 -0500 authentication failed for local user <brian.dunbar(orig:brian.dunbar),LOCAL_GP,vsys1>
2014-10-06 16:48:50.494 -0500 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: brian.dunbar authresult not auth'ed
2014-10-06 16:48:50.510 -0500 debug: pan_authd_process_authresult(pan_authd.c:1399): Alarm generation set to: False.
2014-10-06 16:48:50.510 -0500 User 'brian.dunbar' failed authentication. Reason: Invalid username/password From: 216.55.49.134.
2014-10-06 16:48:50.510 -0500 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False
login as netbios\first.last
2014-10-06 16:49:03.996 -0500 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: corp-cicayda\brian.dunbar
2014-10-06 16:49:03.996 -0500 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LOCAL_GP','corp-cicayda\brian.dunbar'>
2014-10-06 16:49:04.011 -0500 debug: pan_localdb_authenticate(pan_authd_localdb_utils.c:133): No such user <vsys1,LOCAL_GP,corp-cicayda\brian.dunbar>
2014-10-06 16:49:04.011 -0500 authentication failed for local user <corp-cicayda\brian.dunbar(orig:corp-cicayda\brian.dunbar),LOCAL_GP,vsys1>
2014-10-06 16:49:04.011 -0500 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: corp-cicayda\brian.dunbar authresult not auth'ed
2014-10-06 16:49:04.021 -0500 debug: pan_authd_process_authresult(pan_authd.c:1399): Alarm generation set to: False.
2014-10-06 16:49:04.021 -0500 User 'corp-cicayda\brian.dunbar' failed authentication. Reason: Invalid username/password From: 216.55.49.134.
2014-10-06 16:49:04.021 -0500 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False
login as first.last@post-windows-2000.domain
2014-10-06 16:49:21.859 -0500 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: brian.dunbar@corp.cicayda.com
2014-10-06 16:49:21.860 -0500 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LOCAL_GP','brian.dunbar@corp.cicayda.com'>
2014-10-06 16:49:21.869 -0500 debug: pan_localdb_authenticate(pan_authd_localdb_utils.c:133): No such user <vsys1,LOCAL_GP,corp-cicayda\brian.dunbar>
2014-10-06 16:49:21.869 -0500 authentication failed for local user <corp-cicayda\brian.dunbar(orig:brian.dunbar@corp.cicayda.com),LOCAL_GP,vsys1>
2014-10-06 16:49:21.869 -0500 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: corp-cicayda\brian.dunbar authresult not auth'ed
2014-10-06 16:49:21.881 -0500 debug: pan_authd_process_authresult(pan_authd.c:1399): Alarm generation set to: False.
2014-10-06 16:49:21.881 -0500 User 'corp-cicayda\brian.dunbar' failed authentication. Reason: Invalid username/password From: 216.55.49.134.
2014-10-06 16:49:21.881 -0500 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False
EDIT
It looks like the problem is that vsys1 is associated with 'LOCAL_GP'. So .. I need to define a new virtual system (vsys2?) and associate that with LDAP.
I'm skimming virtual systems docs - very slick. I'm liking PAN more, and more. Once I get it working I might well fall in love with it ...
EDIT
Nope. I was wrong. But looking to fix the above I made it right ...
Network - Global Protect - Portals - edit ..
Authentication from 'GP_Portal' (what we had setup for local access prior to getting AD stood up) to 'Windstream Active Directory' aka the profile I setup for LDAP/AD.
And I'm in. Groovy. Thanks!
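The authd.log output above is what gave the answer away: every AUTH Request names the auth profile the firewall actually applied ('LOCAL_GP'), and the "No such user" line from pan_localdb_authenticate shows the lookup never reached LDAP. As an added example (not code from this thread or from Palo Alto Networks), this Python parser groups authd.log lines into attempts and flags any handled by a profile other than the one intended for the portal; the sample log lines, the user jane.doe and the IP are constructed, and the profile name 'Windstream Active Directory' is the one from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One "AUTH Request <'vsys','auth profile','user'>" line per login attempt
AUTH_REQ_RE = re.compile(
    r"AUTH Request <'(?P<vsys>[^']*)','(?P<profile>[^']*)','(?P<user>[^']*)'>")
# Local-database miss: the attempt was checked against local users, not LDAP
LOCALDB_MISS_RE = re.compile(r"pan_localdb_authenticate\(.*?\): No such user <")
FAILED_RE = re.compile(r"User '(?P<user>[^']+)' failed authentication\. Reason: (?P<reason>.+?) From: ")

@dataclass
class AuthAttempt:
    vsys: str
    profile: str
    user: str
    local_db_miss: bool = False      # local DB consulted and had no such user
    failure_reason: Optional[str] = None

def parse_authd_log(lines: List[str]) -> List[AuthAttempt]:
    """Group authd.log lines into one AuthAttempt per AUTH Request."""
    attempts: List[AuthAttempt] = []
    for line in lines:
        m = AUTH_REQ_RE.search(line)
        if m:
            attempts.append(AuthAttempt(m["vsys"], m["profile"], m["user"]))
            continue
        if not attempts:
            continue  # lines before the first request carry no attempt context
        if LOCALDB_MISS_RE.search(line):
            attempts[-1].local_db_miss = True
        m = FAILED_RE.search(line)
        if m:
            attempts[-1].failure_reason = m["reason"]
    return attempts

def find_wrong_profile(attempts: List[AuthAttempt], expected: str) -> List[AuthAttempt]:
    """Attempts routed to an auth profile other than the one the portal should use."""
    return [a for a in attempts if a.profile != expected]

# Constructed sample in the authd.log format seen in the thread (placeholder user, RFC 5737 IP)
SAMPLE_LOG = """\
2014-10-06 16:48:50.484 -0500 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','LOCAL_GP','jane.doe'>
2014-10-06 16:48:50.493 -0500 debug: pan_localdb_authenticate(pan_authd_localdb_utils.c:133): No such user <vsys1,LOCAL_GP,jane.doe>
2014-10-06 16:48:50.510 -0500 User 'jane.doe' failed authentication. Reason: Invalid username/password From: 192.0.2.10.
2014-10-06 17:05:12.001 -0500 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'vsys1','Windstream Active Directory','jane.doe'>
"""

if __name__ == "__main__":
    for a in find_wrong_profile(parse_authd_log(SAMPLE_LOG.splitlines()), "Windstream Active Directory"):
        print(f"{a.user}: handled by '{a.profile}' (local DB miss={a.local_db_miss}, reason={a.failure_reason})")
```

Run it against a capture of `tail follow yes mp-log authd.log` to see at a glance which profile each GlobalProtect login actually hit.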
10-06-2014 03:09 PM
Could you also check the domain controller logs at the same time? Also make sure the user has not been locked out due to multiple failed attempts.
Hope it helps!