I am running 4.1.1 and I am having issues authenticating Global Protect 1.1.1 clients via AD. I know my LDAP server settings are correct as I can browse the workgroups in User-ID Group Mappings. However I can't browse these in the 'allow-list' in the authentication profile (the only option is the ALL default).
With AD I get 'invalid username & password' logs. I have tested connectivity successfully using the local user database. Is anyone else experiencing this and have they found a fix?
During initial debugging, you may want to set "Update Interval" for "Group Mapping Settings" seen under "Device" tab - "User Identification". Click on the group mapping name and set "Update Interval" to something like 60 seconds (valid range is 60 to 86400 seconds).
Then connect to the firewall using the CLI via an SSH client. A few useful CLI commands can be tried as follows:
show user group-mapping state all
show user group-mapping statistics
In the output of above commands, check that "Number of Groups" is not zero. If it is zero, verify that you are not using * as wildcard under "Search Filter" field in Group Mapping configuration. For example, if you are searching for a group starting with words vpn do not enter search filter like "vpn*" but just enter "vpn".
Once the group mapping starts showing results, you can revert "Update Interval" to something longer instead of 60 seconds.
Hope this helps.
I think if the user is not found by the PA device in the group name seen under "Allow List", then the system log will show "Authentication Failed: Invalid Username or Password". That may be misleading. If you set a filter when viewing logs, such as eventtype=GlobalProtect, then you might miss other logs where eventtype=general.
If you do not set any filter, does the log also show event=auth-fail and description like "user xyz failed authentication. Reason: User is not in allowlist"? It may be something like attached screen sample.
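As an added illustration of the two points made in the replies above (the "*" wildcard in the group-mapping search filter, and the allowlist failure that only appears when the log view is not filtered to eventtype=GlobalProtect), here is a small Python script that is not part of this thread or of any Palo Alto tooling. The log record format (`key=value` pairs with a quoted description) and the field names `eventtype`, `event`, `user` and `description` are assumptions chosen for the example; the reason strings are the ones quoted in the thread, and the sample records are constructed.

```python
"""Added example: triage constructed GlobalProtect auth-fail records by root cause,
and sanity-check a group-mapping search filter for a '*' wildcard.

Assumption: records are 'key=value' pairs with a double-quoted description.
Real PAN-OS log exports use a different layout; adjust parse_record() accordingly.
"""
import re

# Constructed sample records (not real firewall output).
SAMPLE_LOGS = [
    'eventtype=general event=auth-fail user=alice '
    'description="User alice failed authentication. Reason: User is not in allowlist"',
    'eventtype=globalprotect event=auth-fail user=alice '
    'description="Authentication Failed: Invalid Username or Password"',
    'eventtype=general event=auth-success user=bob '
    'description="User bob authenticated successfully"',
]

# key=value where value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Turn one key=value record into a dict; quoted values lose their quotes."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def classify_failure(rec):
    """Return 'allowlist', 'credentials', or None when the record is not a failure."""
    if rec.get("event") != "auth-fail":
        return None
    if "not in allowlist" in rec.get("description", "").lower():
        return "allowlist"
    # Anything else is treated as a genuine credential problem.
    return "credentials"


def filter_eventtype(lines, eventtype):
    """Mimic viewing the log with an eventtype filter applied (case-insensitive)."""
    return [l for l in lines if parse_record(l).get("eventtype", "").lower() == eventtype.lower()]


def triage(lines):
    """Count auth failures per user, split by root cause."""
    summary = {}
    for line in lines:
        rec = parse_record(line)
        kind = classify_failure(rec)
        if kind is None:
            continue
        user = rec.get("user", "?")
        summary.setdefault(user, {"allowlist": 0, "credentials": 0})[kind] += 1
    return summary


def check_search_filter(search_filter):
    """Flag the '*' wildcard the thread warns about; return (ok, suggested filter)."""
    if "*" in search_filter:
        return False, search_filter.replace("*", "")
    return True, search_filter


if __name__ == "__main__":
    # Unfiltered view exposes the allowlist reason; the GlobalProtect-only view hides it.
    print("all events:        ", triage(SAMPLE_LOGS))
    print("GlobalProtect only:", triage(filter_eventtype(SAMPLE_LOGS, "GlobalProtect")))
    print("filter 'vpn*':     ", check_search_filter("vpn*"))
```

Running it shows the same user counted once under "allowlist" and once under "credentials" in the unfiltered view, but only the credential failure when the view is restricted to eventtype=GlobalProtect, which is exactly why the "Invalid Username or Password" message can mislead.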
We have had GlobalProtect installed and working for nearly a year. As soon as we upgraded to 4.1.2 software and the 1.1.1 GP client, it stopped working externally. When trying to connect it just gets hung up on "Connecting" and never gets through to the Portal to authenticate. Reverted software to 4.0.5 and the GP client to 1.0.5 and everything works as it should.