PAN 4.1.1 Global Protect client and LDAP

Showing results for 
Search instead for 
Did you mean: 

PAN 4.1.1 Global Protect client and LDAP

L1 Bithead

I am running 4.1.1 and I am having issues authenticating Global Protect 1.1.1 clients via AD. I know my LDAP server settings are correct as I can browse the workgroups in User-ID Group Mappings. Howver I can't browse these in the 'allow-list' in the authentication profile (the only option is the ALL default.

With AD I get 'invalid username & password' logs. I have tested connectivity succesfully using the local user database. Is anyone else experiencing this and have they found a fix?


L1 Bithead

During initial debugging, you may want to set "Update Interval" for "Group Mapping Settings" seen under "Device" tab - "User Identification". Click on the group mapping name and set "Update Interval" to something like 60 seconds (valid range is 60 to 86400 seconds).

Then connect to the firewall using CLI via SSH client. Few useful CLI commands can be tried as follows:

show user group-mapping state all

show user group-mapping statistics

In the output of above commands, check that "Number of Groups" is not zero. If it is zero, verify that you are not using * as wildcard under "Search Filter" field in Group Mapping configuration. For example, if you are searching for a group starting with words vpn do not enter search filter like "vpn*" but just enter "vpn".

Once the group mapping starts showing results, you can revert "Update Interval" to somewhat longer instaed of 60 seconds.

Hope this helps.

This is all fine. User-ID querying to AD is fine but remote VPN access using AD returns 'invalid username/password'. I have setup an LDAP profile that calls on the same server as User-ID utilises so am at a loss as to why this is not working.

I think if user is not found by PA device in the group-name seen under "Allow List" then the system log will show "Authentication Failed: Invalid Username or Password". That may be misleading.If you set filter when viewing logs, as eventtype=GlobalProtect, then you might miss other log where eventtype=general.

If you do not set any filter, does the log also show event=auth-fail and description like "user xyz failed authentication. Reason: User is not in allowlist"? It may be something like attached screen sample.

L3 Networker

We have has GlobalProtect installed and working for nearly a year.  As soon as we upgraded to 4.1.2 software and 1.1.1 GP client, it stopped working externally.  When trying to connect it just gets hung up on "Connecting" and never get through to the Portal to authenticate.  Reverted software to 4.0.5 and GP client to 1.0.5 and everything works as it should.

L3 Networker

One other thing to check...Have you checked that your panuid client is working properly?

L1 Bithead

After speaking to PAN they advised not to use the Domain Users group in AD as this uses PrimaryGroupID and not sAMAccountName attribute. They suggested I create a new security policy i.e RemoteVPN and add AD users to this as required. This is now working.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!