11-29-2012 04:46 AM
Hello
I have a little problem with my PA-5020. After upgrading the OS to a 5.0 version, my user authentication to log on as an administrator from LDAP and Kerberos doesn't work. I had users mapped to an allow list by AD group:
cn=administratorzy paloalto,ou=urzĄdzenia,ou=grupy zasobÓw,dc=my,dc=domain,dc=name
It was working fine with OS 4.x, but after updating to 5.0 I got errors:
User 'my.domain.name\myuser' failed authentication. Reason: User is not in allowlist From: x.x.x.x
After adding the user directly ("my.domain.name\myuser") to the allow list, it works perfectly.
At first I thought it was a problem with my OU names containing ó and ą, which are Polish letters, but I moved that group to a different OU without them and it still doesn't work.
It looks like the PA doesn't see the members of my groups.
The weird thing is that I also have a policy based on users belonging to different groups, and that mapping works fine.
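The post raises the question of whether non-ASCII letters in the group DN break the allow-list match. The following is an added example (not code from the thread or from Palo Alto Networks) that compares DNs the way LDAP's caseIgnoreMatch does, assuming the allow-list check is a string comparison of DNs: it parses RFC 4514 escapes, including the hex-escaped UTF-8 form a directory may return, and folds case with full Unicode rules. The sample DNs are constructed from the one in the post.

```python
import unicodedata

# Constructed samples: the allow-list entry as typed in the post (trailing comma dropped), the same
# group as AD might return it, and the same DN with non-ASCII letters hex-escaped as UTF-8 (RFC 4514).
ALLOWLIST_DN = "cn=administratorzy paloalto,ou=urzĄdzenia,ou=grupy zasobÓw,dc=my,dc=domain,dc=name"
AD_DN = "CN=Administratorzy PaloAlto,OU=urządzenia,OU=grupy zasobów,DC=my,DC=domain,DC=name"
AD_DN_ESCAPED = r"cn=administratorzy paloalto,ou=urz\c4\85dzenia,ou=grupy zasob\c3\b3w,dc=my,dc=domain,dc=name"

def split_unescaped(s: str, sep: str) -> list:
    """Split s on sep, skipping separators that are backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2]); i += 2
        elif s[i] == sep:
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(s[i]); i += 1
    parts.append("".join(cur))
    return parts

def unescape_value(value: str) -> str:
    """Decode RFC 4514 escapes: '\\,' style specials and '\\c4\\85' style UTF-8 byte pairs."""
    raw, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                raw.append(int(pair, 16)); i += 3
            else:
                raw += value[i + 1].encode("utf-8"); i += 2
        else:
            raw += value[i].encode("utf-8"); i += 1
    return raw.decode("utf-8")

def normalize_dn(dn: str) -> tuple:
    """Parse a DN into ((type, value), ...) per RDN, folded like caseIgnoreMatch (RFC 4518 approximation)."""
    rdns = []
    for rdn in split_unescaped(dn.strip().rstrip(","), ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDNs are order-insensitive
            attr, _, val = ava.partition("=")
            val = unicodedata.normalize("NFKC", unescape_value(val.strip()))
            avas.append((attr.strip().lower(), " ".join(val.split()).casefold()))
        rdns.append(tuple(sorted(avas)))
    return tuple(rdns)

def dn_equal(a: str, b: str) -> bool:  # group-membership style comparison of two DNs
    return normalize_dn(a) == normalize_dn(b)

def ascii_only_equal(a: str, b: str) -> bool:  # byte-wise compare with ASCII-only folding: misses Ą/ą, Ó/ó
    return a.encode("utf-8").lower() == b.encode("utf-8").lower()
```

With proper folding all three forms of the group DN compare equal, while the ASCII-only comparison reports the typed entry and the AD-returned DN as different groups.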
04-24-2013 01:28 PM
daniel.li@tcdsb.org - What about the third place in which you can add a user/group, the GlobalProtect Portal Client Configuration? Is pre-logon successfully establishing a connection, apart from running scripts?
04-24-2013 01:32 PM
The 3rd place is the default, Any; we did not touch the 3rd place in our test.
04-24-2013 01:33 PM
Sorry, I missed the question. Everything is working except the script (drive mapping).
04-24-2013 02:02 PM
daniel.li@tcdsb.org - now I am utterly confused.
First you wrote:
We had an issue that the logon script is not working if we put a group in either domain\user group or LDAP format cn=network_tech,ou=groups,dc=domain,dc=com, but if we put Any in source user in the security rule and authentication profile it will work
Then:
If both places are Any, the logon script will NOT work in our case
I do not know what works for you, and what does not.
04-25-2013 06:46 AM
Sorry. I had incorrect information in my previous emails.
Script working setting: Any/Any/Any in the 3 places (security policy/authentication profile, we used RADIUS/portal client configuration)
Script not working: Domain/group name or cn=xxx format / domain/group name or cn=xxx / Any
Note: cn=xxxx are defined in Group Mapping under User Identification.
Thank you for your time to help on this issue.
04-25-2013 07:56 AM
daniel.li@tcdsb.org - I believe my first post on this issue clarified it.
You can always change the user for "pre-logon".
04-25-2013 08:40 AM
Thanks, I see the info on page 52 of the doc. So how can we get the script working, based on the AD group, when the user is not in the office? I see page 336 of the PAN-OS 5.0 Admin Guide about pre-logon details (including drive mapping). What setting is missing in my configuration (add pre-logon as the user in the security policy and authentication profile?) Have you got the script working in either lab or production?
04-25-2013 10:52 AM
I understand that you want to map different drives to different groups, yes?
What method do you use to mount drives - logon scripts or Group Policy? Have you tried both?
Have you enabled Single Sign On in GlobalProtect configuration?
Can you post your GlobalProtect configuration (xml format)?
Personally I have not implemented pre-logon anywhere yet, but I will.
04-25-2013 01:32 PM
logon scripts or Group Policy? ---- logon script via AD (not using GP)
SSO is enabled. There is a bug in 5.0.3, so we reverted back to 4.x and are not able to provide the XML, but I need to know if anyone has deployed it successfully. I can provide you the case # if you have access to the support portal.
04-25-2013 02:32 PM
I have successfully deployed GP and run logon scripts automatically post login. There are a few issues though...
1st issue - We ran into a major bug in PAN OS 5.0 - 5.2 that resulted in internet connection drop outs. We had to revert back to 4.1.8. GP was not the cause of the bugs.
2nd issue - We've not upgraded to PAN OS 5.x yet - waiting until 5.0.8 or later...
You need to make sure you install the correct certificate and the certificate is located in both stores on the local PC.
You need to make sure your GP configuration is correct. As I don't have PAN OS 5 I can't post pictures; however, if you can, I can advise what is correct or missing.
You can check the VPN connection details view (under VPN settings, where you can view VPN session info). Boot your laptop and watch for the certificate authenticating on this view before you press Ctrl-Alt-Del; this will tell you if your certificate configuration is good. If you authenticate pre-logon, then the problem is with the GP VPN configuration on the PAN device.
You need to make sure the certificate for pre-logon has pre-logon as its ID; if the client certificate is not named pre-logon then you will have trouble...
That's all for now. The trick is to get certificate authentication before you press Ctrl-Alt-Del; you can check in the VPN session view in the GP VPN configuration. If your certificate authenticates, then running the logon script will follow automatically when you log in.
It does work, I know it does.
Hope this helps
Rod
04-26-2013 09:13 AM
Thank you Rod. Glad to know that the script is working on your network.
1. 1st issue -- Are you using the PA as a corporate firewall or just vwire? We got two bugs with the network after upgrading to 5.0.3, and we rolled back to 4.1.7h2. Currently waiting for the last bug fix.
2. 2nd issue -- I had some screenshots of settings (not all). Basically we followed https://live.paloaltonetworks.com/docs/DOC-2020. The cert is on the tested laptop and we did see pre-logon in the admin web GUI before the Alt, Del and Ctrl keys were pressed. We unchecked IPsec and use SSL only, but we did not put pre-logon (we use Any) in source user in the client configuration on page 50 of DOC-2020.
Question: Do you leave the Domain section blank in the LDAP configuration?
Is the VPN connection detail on the GP client or on the admin GUI?
I am also waiting for a bug fix (we have already been hit by lots of bugs). We have 85% CPU on the dataplane; not sure what your DP usage is during peak hours. Will do the GP test on the new firmware.
Thank you
Daniel