PAN OS 5.0 and AD authentication problem

Not applicable

Hello

I have a little problem with my PA-5020. After upgrading the OS to version 5.0, my user authentication for logging on as an administrator via LDAP and Kerberos doesn't work. I had users mapped to an allow list by AD group:

cn=administratorzy paloalto,ou=urzĄdzenia,ou=grupy zasobÓw,dc=my,dc=domain,dc=name,

It was working fine with OS 4.X, but after updating to 5.0 I got errors:

User 'my.domain.name\myuser' failed authentication.  Reason: User is not in allowlist From: x.x.x.x

After adding the user directly ("my.domain.name\myuser") to the allow list it works perfectly.

At first I thought it was a problem with my OU names containing ó and ą, which are Polish letters, but I moved that group to a different OU without them and it still doesn't work.

It looks like the PA doesn't see the members of my groups.

The weird thing is that I also have policy based on users belonging to different groups, and that mapping works fine.


Accepted Solutions
L1 Bithead

Re: PAN OS 5.0 and AD authentication problem

I've had exactly the same problem. I worked through it with Palo support and we discovered we had to put the NetBIOS domain name back in the LDAP query (the one we had to remove in 4.1.8), and then the group name had to be in the format domain\groupname rather than the full LDAP path. I also had spaces in the OU name for the account I was doing the LDAP lookup with and found we had to move this to an OU without a space in it.


All Replies

Not applicable

Re: PAN OS 5.0 and AD authentication problem

Thank you, it worked, but it's pretty annoying that I have to change my OU to let the PA work properly. I hope they will fix it.

L3 Networker

Re: PAN OS 5.0 and AD authentication problem

Making OUs with spaces is just asking for trouble ;-)

A few CLI commands for debugging user/group mapping:

debug user-id reset group-mapping all
show user ip-user-mapping ip <IP address>
show user user-IDs match-user <user name>
show user group list
show user group name <group name>

General rule: use NetBIOS-style user/group names.

I ran into problems myself when using FQDN (groups were retrieved in FQDN style but not matched to users which were mapped to groups in NetBIOS style).
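The accepted answer (group name as domain\groupname instead of a full LDAP path, NetBIOS domain back in the profile) and the reply above (groups retrieved in FQDN style not matching users mapped in NetBIOS style) describe the same failure: the same principal spelled three different ways never compares equal unless every spelling is first reduced to one canonical form, and reducing an FQDN or a DN to NetBIOS needs a mapping the firewall has to be told about. The script below is an added illustration written for this page, not code from Palo Alto Networks or from any poster; the FQDN-to-NetBIOS table, the membership data and the helper names are constructed assumptions, while the group DN and user name are the ones from the opening post.

```python
import re

# Constructed lookup table: it stands in for the FQDN -> NetBIOS mapping that
# Active Directory publishes (netBIOSName on each partition object under
# CN=Partitions,CN=Configuration). Both entries are assumptions for this example.
NETBIOS_BY_FQDN = {
    "my.domain.name": "MY",
    "imagine.local": "IMAGINE",
}


def split_dn(dn):
    """Split an LDAP DN on commas that are not backslash-escaped (RFC 4514)."""
    return [c.strip() for c in re.split(r"(?<!\\),", dn) if c.strip()]


def dn_domain(dn):
    """Return the DNS domain spelled out by the dc= components of a DN."""
    dcs = [c.split("=", 1)[1] for c in split_dn(dn) if c.lower().startswith("dc=")]
    return ".".join(dcs).lower()


def canonical(identity):
    """Reduce a user or group identity to NETBIOS\\name (name lower-cased).

    Accepts the spellings seen in the thread: a full LDAP path
    (cn=...,dc=my,dc=domain,dc=name), FQDN-prefixed (my.domain.name\\myuser),
    NetBIOS-prefixed (MY\\myuser) and UPN form (myuser@my.domain.name).
    """
    ident = identity.strip()
    if re.match(r"(cn|ou|dc)=", ident, re.IGNORECASE):
        components = split_dn(ident)
        name = components[0].split("=", 1)[1].replace("\\,", ",")
        domain = dn_domain(ident)
    elif "@" in ident:
        name, domain = ident.rsplit("@", 1)
    elif "\\" in ident:
        domain, name = ident.split("\\", 1)
    else:
        raise ValueError(f"identity has no domain qualifier: {identity!r}")

    domain = domain.lower()
    if domain in NETBIOS_BY_FQDN:
        netbios = NETBIOS_BY_FQDN[domain]
    elif domain.upper() in NETBIOS_BY_FQDN.values():
        netbios = domain.upper()  # already a NetBIOS name
    else:
        # Without the FQDN -> NetBIOS link the spellings can never be matched;
        # this is what the accepted answer fixed by putting the NetBIOS domain
        # back into the LDAP profile.
        raise LookupError(f"no NetBIOS name known for domain {domain!r}")
    return f"{netbios}\\{name.lower()}"


def raw_match(a, b):
    """Naive comparison: case-insensitive equality with no normalization."""
    return a.strip().lower() == b.strip().lower()


def is_member(user, group, membership):
    """Membership test after canonicalizing the user, the group and every member.

    `membership` maps a group identity (any spelling) to user identities (any spelling).
    """
    want_group = canonical(group)
    for grp, users in membership.items():
        if canonical(grp) == want_group:
            return canonical(user) in {canonical(u) for u in users}
    return False


# Constructed sample: the group DN and user from the opening post, with membership
# retrieved in FQDN/UPN style and the user authenticating as domain\\user.
SAMPLE_MEMBERSHIP = {
    "cn=administratorzy paloalto,ou=urzĄdzenia,ou=grupy zasobÓw,dc=my,dc=domain,dc=name": [
        "myuser@my.domain.name",
        "otheradmin@my.domain.name",
    ],
}

if __name__ == "__main__":
    dn = next(iter(SAMPLE_MEMBERSHIP))
    print("raw match      :", raw_match(dn, "MY\\administratorzy paloalto"))
    print("canonical match:", canonical(dn) == canonical("MY\\administratorzy paloalto"))
    print("is_member      :", is_member("my.domain.name\\myuser", dn, SAMPLE_MEMBERSHIP))
```

The raw comparison of the DN against `MY\administratorzy paloalto` is false, which is exactly the "User is not in allowlist" symptom; after canonicalization both the group and the user match. The `LookupError` branch is the case the thread hit: a domain the mapping does not know cannot be normalized at all.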

L3 Networker

Re: PAN OS 5.0 and AD authentication problem

Hi Albert

Can you post a picture of your LDAP config from your firewall? I'm having some logon issues with pre-logon and I think it might be related.

Thanks.

L3 Networker

Re: PAN OS 5.0 and AD authentication problem

djrodb - I could not paste a picture; I would have to obfuscate it and that would not help you :smileywink: But I exported the config to XML and edited it:

      <ldap>
        <entry name="AD-DCs">
          <server>
            <entry name="AD-PDC">
              <port>389</port>
              <address>10.10.10.10</address>
            </entry>
            <entry name="AD-BDC">
              <port>389</port>
              <address>10.10.10.11</address>
            </entry>
          </server>
          <ldap-type>active-directory</ldap-type>
          <timelimit>30</timelimit>
          <bind-timelimit>30</bind-timelimit>
          <ssl>no</ssl>
          <base>DC=imagine,DC=local</base>
          <bind-dn>pa500@imagine</bind-dn>
          <bind-password>Hashed_Password</bind-password>
          <domain>imagine</domain>
          <retry-interval>3</retry-interval>
        </entry>
      </ldap>

That is a working configuration for the Active Directory domain imagine.local with primary and backup domain controllers.

Could you say more about your difficulties? What do you mean by "pre-logon"?
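Two things a reviewer would check in the exported profile above: it binds with `<ssl>no</ssl>` on port 389, so the bind-dn password and every group query cross the wire in cleartext, and it does carry the `<domain>` element that the accepted answer found necessary for group matching on 5.0. The script below is an added example written for this page, not Palo Alto Networks code or the poster's; it parses the posted XML (reproduced inline with the poster's `Hashed_Password` placeholder), reports the weak settings, and emits a hardened copy using LDAPS on 636. That the same `<ssl>` and `<port>` elements take those values is an assumption to confirm against the firewall's own documentation.

```python
import xml.etree.ElementTree as ET

# The LDAP server profile from the post, reproduced as constructed input.
# "Hashed_Password" is the poster's placeholder, not a real value.
LDAP_PROFILE_XML = """<ldap>
  <entry name="AD-DCs">
    <server>
      <entry name="AD-PDC"><port>389</port><address>10.10.10.10</address></entry>
      <entry name="AD-BDC"><port>389</port><address>10.10.10.11</address></entry>
    </server>
    <ldap-type>active-directory</ldap-type>
    <timelimit>30</timelimit>
    <bind-timelimit>30</bind-timelimit>
    <ssl>no</ssl>
    <base>DC=imagine,DC=local</base>
    <bind-dn>pa500@imagine</bind-dn>
    <bind-password>Hashed_Password</bind-password>
    <domain>imagine</domain>
    <retry-interval>3</retry-interval>
  </entry>
</ldap>"""


def audit_ldap_profiles(xml_text):
    """Return (profile, element, finding) tuples for weak or missing settings."""
    findings = []
    root = ET.fromstring(xml_text)
    for profile in root.findall("entry"):
        pname = profile.get("name", "?")
        ssl = (profile.findtext("ssl") or "no").strip().lower()
        if ssl != "yes":
            findings.append((pname, "ssl",
                             "simple bind sends the bind-dn password and all group "
                             "queries in cleartext; set <ssl>yes</ssl>"))
        for server in profile.findall("server/entry"):
            port = (server.findtext("port") or "389").strip()
            if port != "636":
                findings.append((pname, server.get("name", "?"),
                                 f"port {port} is plaintext LDAP; use 636 with <ssl>yes</ssl>"))
        if not (profile.findtext("domain") or "").strip():
            # The thread's accepted answer: without the NetBIOS domain in the
            # profile, PAN-OS 5.0 could not match group members to users.
            findings.append((pname, "domain",
                             "NetBIOS <domain> missing; group-to-user matching fails without it"))
    return findings


def harden_ldap_profiles(xml_text):
    """Return a copy of the profile XML with ssl=yes and port 636 on every server.

    Assumption: the schema accepts these values for LDAPS, as the element names suggest.
    """
    root = ET.fromstring(xml_text)
    for profile in root.findall("entry"):
        ssl = profile.find("ssl")
        if ssl is None:
            ssl = ET.SubElement(profile, "ssl")
        ssl.text = "yes"
        for server in profile.findall("server/entry"):
            port = server.find("port")
            if port is None:
                port = ET.SubElement(server, "port")
            port.text = "636"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for profile, element, msg in audit_ldap_profiles(LDAP_PROFILE_XML):
        print(f"[{profile}] {element}: {msg}")
    print("after hardening:", audit_ldap_profiles(harden_ldap_profiles(LDAP_PROFILE_XML)))
```

Run against the posted profile it reports three findings (the `ssl` flag and both domain controllers on 389) and none for `domain`; the hardened copy audits clean. Switching to 636 also requires the firewall to trust the domain controllers' certificate chain, which this fragment does not express.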

L3 Networker

Re: PAN OS 5.0 and AD authentication problem

Hi Albert

Pre-logon is a feature of the GP VPN client. The pre-logon function uses certificates and LDAP authentication to log the user into the laptop before you actually press Ctrl-Alt-Del to log on. This allows you to run login scripts and patches on all remote laptops that come in via the VPN.

My problem is the pre-logon feature isn't working 'pre-logon', as I get user authentication errors. When I actually log onto the box and log in as normal, the GP client logs me onto the network. So it works post-logon but not pre-logon.

My LDAP settings match yours, so it doesn't seem to be that.

Thanks for your help.

Rod

L3 Networker

Re: PAN OS 5.0 and AD authentication problem

djrodb - Oh, it is a PAN-OS 5.0 feature (just checked it). I currently do not have any box on it in production, so I cannot help you with any experience. However:

1. Have you configured pre-logon according to: https://live.paloaltonetworks.com/docs/DOC-4209 ?

2. Have you tried configuring Kerberos authentication in place of LDAP?

3. What entries are in the log of the GlobalProtect client on the machine failing authentication?

I think you have problems related to certificates, as you can establish the VPN using only LDAP credentials (the method you use post-logon).

Please keep me updated on your progress, this feature is interesting.

I will try to implement it in the lab if time allows.

L3 Networker

Re: PAN OS 5.0 and AD authentication problem

Hi Albert.

I've finally got this working. The problem was my settings in the GP portal config. I originally selected the LDAP group I'd configured under the user/user group setting in the GP portal client config.

I changed this to any and it resolved the problem. This feature works really well.

Thanks for your help.

(attachment: pa.png)

L3 Networker

Re: PAN OS 5.0 and AD authentication problem

Glad you made it :smileyhappy: