PAN OS 5.0 and AD authentication problem

L3 Networker

Re: PAN OS 5.0 and AD authentication problem

daniel.li@tcdsb.org - I believe my first post on this issue clarified it.

You can always change the user for "pre-logon".

L2 Linker

Re: PAN OS 5.0 and AD authentication problem

Thanks, I see the info on page 52 of the doc. So how can we get the script working when the user is not in the office, based on the AD group? I see page 336 of the PA 5.0 Admin Guide about pre-logon details (including drive mapping). What settings are missing in my configuration (add pre-logon as a user in the security policy and authentication profile?) Have you gotten the script working in either lab or production?

L3 Networker

Re: PAN OS 5.0 and AD authentication problem

I understand that you want to map different drives to different groups, yes?

What method do you use to mount drives: logon scripts or Group Policy? Have you tried both?

Have you enabled Single Sign On in GlobalProtect configuration?

Can you post your GlobalProtect configuration (xml format)?

Personally I have not implemented pre-logon anywhere yet, but I will.

L2 Linker

Re: PAN OS 5.0 and AD authentication problem

> logon scripts or Group Policy?

Logon script via AD (not using GP).

SSO is enabled. There is a bug in 5.0.3, so we reverted back to 4.x and are not able to provide the XML. But I need to know if anyone has deployed it successfully. I can provide you the case # if you have access to the support portal.

L3 Networker

Re: PAN OS 5.0 and AD authentication problem

I have successfully deployed GP and run logon scripts automatically post login. There are a few issues though....

1st issue - We ran into a major bug in PAN OS 5.0 - 5.2 that resulted in internet connection drop-outs. We had to revert back to 4.1.8. GP was not the cause of the bugs.

2nd issue - We've not upgraded to PAN OS 5.x yet; waiting until 5.0.8 or later....

You need to make sure you install the correct certificate and that the certificate is located in both stores on the local PC.

You need to make sure your GP configuration is correct. As I don't have PAN OS 5 I can't post pictures; however, if you can, I can advise what is correct or missing.

You can check the VPN connection details view (under VPN settings, where you can view VPN session info). Boot your laptop and watch for the certificate authenticating on this view, before you press Ctrl-Alt-Del. This will tell you if your certificate configuration is good. If you authenticate pre-logon, then the problem is with the GP VPN configuration on the PAN device.

You need to make sure the certificate for pre-logon has pre-logon as its ID; if the client certificate is not named pre-logon then you will have trouble...

That's all for now. The trick is to get certificate authentication before you press Ctrl-Alt-Del; you can check in the VPN session view in the GP VPN configuration. If your certificate authenticates, then running the logon script will follow automatically when you log in.

It does work, I know it does.

Hope this helps

Rod
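The checks Rod describes (client certificate installed on the local PC, identity of "pre-logon", chain present in the machine stores) can be verified on the endpoint before you reboot and watch the VPN session view. The following PowerShell script is an added example, not code from this thread or from Palo Alto Networks. It assumes the client certificate sits in Cert:\LocalMachine\My, its issuing CA in Cert:\LocalMachine\Root, and that the pre-logon identity is the certificate's Subject CN; it also assumes the certificate needs the Client Authentication EKU. Run it from an elevated PowerShell session on the laptop being tested.

```powershell
<#
Added example (not from the thread or from Palo Alto Networks).
Checks a Windows endpoint for a GlobalProtect pre-logon client certificate:
present in the machine personal store, Subject CN of "pre-logon", private key
available, within validity dates, Client Authentication EKU, trusted chain, and
issuer present in the machine Root store.
Assumptions not stated in the thread: store locations, CN as identity, EKU.
#>
param(
    [string]$ExpectedCN = 'pre-logon'   # identity the portal expects (assumption: Subject CN)
)

# Client Authentication EKU OID (assumption: required for GP client certs).
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Test-PreLogonCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $hasClientAuth = $false
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $ClientAuthOid) { $hasClientAuth = $true }
            }
        }
    }

    $now = Get-Date
    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        HasPrivateKey = $Cert.HasPrivateKey
        InValidity    = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -gt $now)
        ClientAuthEku = $hasClientAuth
        ChainTrusted  = $Cert.Verify()   # builds the chain against the machine trust stores
    }
}

# 1. Find candidate certificates by Subject CN in the machine personal store.
$pattern = "(^|,\s*)CN=$([regex]::Escape($ExpectedCN))(,|$)"
$candidates = Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object { $_.Subject -match $pattern }

if (-not $candidates) {
    Write-Warning "No certificate with CN=$ExpectedCN found in Cert:\LocalMachine\My."
    Write-Warning "Pre-logon certificate authentication will not succeed before Ctrl-Alt-Del."
    return
}

# 2. Report each candidate's readiness flags.
$results = $candidates | ForEach-Object { Test-PreLogonCertificate -Cert $_ }
$results | Format-List

# 3. Confirm the issuer is also present in the machine Root store ("both stores").
#    Subject/Issuer DN string comparison is a heuristic; Verify() above is authoritative.
foreach ($r in $results) {
    $issuerInRoot = Get-ChildItem -Path 'Cert:\LocalMachine\Root' | Where-Object { $_.Subject -eq $r.Issuer }
    if (-not $issuerInRoot) {
        Write-Warning "Issuer '$($r.Issuer)' of $($r.Thumbprint) is not in Cert:\LocalMachine\Root."
    }
    if (-not ($r.HasPrivateKey -and $r.InValidity -and $r.ClientAuthEku -and $r.ChainTrusted)) {
        Write-Warning "Certificate $($r.Thumbprint) is not ready for pre-logon; see the flags above."
    }
}
```

If every flag is true and no warnings appear, the remaining variables are on the firewall side (portal/gateway client certificate profile and the pre-logon user in the client configuration), which matches Rod's advice to watch the session view first and only then look at the PAN device configuration.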

L2 Linker

Re: PAN OS 5.0 and AD authentication problem

Thank you Rod. Glad to know that the script is working on your network.

1. 1st issue -- Are you using the PA as a corporate firewall or just vwire? We got two bugs after upgrading to 5.0.3 with the network, and we rolled back to 4.1.7h2. Currently waiting for the last bug fix.

2. 2nd issue -- I had some screenshots of the settings (not all). Basically we followed https://live.paloaltonetworks.com/docs/DOC-2020. The cert is on the tested laptop and we did see pre-logon in the admin web GUI before Ctrl-Alt-Del was pressed. We unchecked IPsec and use SSL only. But we did not put pre-logon (we use any) in the source user client configuration on page 50 of DOC-2020.

Questions:

- Do you leave the Domain section blank in the LDAP configuration?
- Is the VPN connection detail on the GP client or on the admin GUI?

I am also waiting for the bug fix (we have already been hit by lots of bugs). We have 85% CPU on the dataplane; not sure what your DP usage is during peak hours. Will do the GP test on the new firmware.

Thank you

Daniel
