PAN OS 5.0 and AD authentication problem

Thank You it worked but its pretty annoying that i have to change my OU to let PA work properly i hope they will fix it.

Hi Albert

can you post a picture of your LDAP config from your firewall. I've having some logon issues with pre-logon and I think it might be related.

Thanks.

djrodb - I could not paste a picture, would have to obfuscate it and that would not help you But I exported the config to xml and edited it:

      <ldap>
        <entry name="AD-DCs">
          <server>
            <entry name="AD-PDC">
              <port>389</port>
              <address>10.10.10.10</address>
            </entry>
            <entry name="AD-BDC">
              <port>389</port>
              <address>10.10.10.11</address>
            </entry>
          </server>
          <ldap-type>active-directory</ldap-type>
          <timelimit>30</timelimit>
          <bind-timelimit>30</bind-timelimit>
          <ssl>no</ssl>
          <base>DC=imagine,DC=local</base>
          <bind-dn>pa500@imagine</bind-dn>
          <bind-password>Hashed_Password</bind-password>
          <domain>imagine</domain>
          <retry-interval>3</retry-interval>
        </entry>
      </ldap>

That is a working configuration for Active Directory domain imagine.local with Primary and Backup Domain Controllers.

Could you say more about your difficulties? What do you mean by "pre-logon"?

Hi Albert

pre-logon is a feature of the GP VPN client. The pre-logon function uses certificates and ldap authentication to lo the user into the laptop before you actually press crt alt del to log on. This allow you to run login scripts and patches on all remote laptops that come in via the VPN.

My problem is the pre-logon feature isn't working 'pre logon' as I get user authentication errors. When I actually log onto the box and log in as normal the GP client logs me onto the network. So it works post-logon but not pre-logon.

My ldap setting match yours so it doesn't seem to be that.

Thanks for your help.

Rod

djrodb - Oh, it is a PAN-OS 5.0 feature (just checked it). I currently do not have any box on it in production so can not help you with any experience. However:

1. Have you configured pre-logon according to: https://live.paloaltonetworks.com/docs/DOC-4209 ?

2. Have you tried configuring Kerberos authentication in place of LDAP?

3. What entries are in the log of the Global Protect client on the machine failing authentication?

I think you have problems related to certificates, as you can establish VPN using only LDAP credentials (method you use post-logon).

Please keep me updated on your progress, this feature is interesting.

I will try to implement it in lab if time allows.

Hi Albert.

I've finally got this working. The problem was me settings in the GP portal config. I originally selected the LDAP group I'd configured under the user/user group setting in the GP portal client config.

I changed this to any and it resolved the problem. This feature works really good.

Thanks for you help.

Glad you made it

Hi Albert_C,

   Could you show an example of how to specify the group you want to list with the command "

show user group name <group name>" ?

thanks

Art

ArtBahrs - sorry for the late replay, I was swamped with work.

Easiest is to type: show user group name and press TAB - PAN CLI will show available choices (groups).

You can specify short and long format:

show user group name example\bu-personal

is identical as:

show user group name cn=bu-personal,ou=general,ou=groups,dc=example,dc=org

If group contains spaces (or other unwanted characters) you will have to enclose it in double quotes:

show user group name "cn=domain admins,cn=users,dc=example,dc=org"

show user group name "example\domain admins"

Refer to djrodb Dec 10, 2012 1:50 AM

I would like to know logon script working on our GP Pre-logon. We had an issue that logon script is not working if we put group either  domain\user group or LADP format  cn=network_tech,ou=groups,dc=domain,dc=com but if we put any in source user in security rule and authentication profile it will works. For LADP config. We leave domain name empty which is suggested by Tech. GP user can authenticate without problem and go to network resource and map drive manually but logon scripts is not working. Please share your experience if possiable

Thank you

Daniel

daniel.li@tcdsb.org - if I understand you correctly Windows' logon scripts are not working when you put specific user or group in security rule?

Please refer to: https://live.paloaltonetworks.com/docs/DOC-2020 for comprehensive information about configuring GlobalProtect.

Reason why scripts are not working with specific user/group in security rule is:

All pre-logon VPN connection will report a generic “pre-logon user” to User-ID. Username

is not known at the time the connection is established. Username is reported to gateway

once the user logs in to machine.

Taken from GlobalProtect Configuration Tech Note.

Thanks Albert. There are two places to add user/group (authentication profile and security policy)

If both place are Any. logon script will NOT work in our case. I have not tried one Any one user/Group. Basically we only allow staff to get authenticated not Students. We followed Doc 2020 for setup. Is there fix to get logon script working with pre-logon SSO setting. My understanding for pre-logon with SSO

1. User (not in office network) with pre config wired or wilress internet connection, power up machine without logon window. Pre-logon is already established between user laptop GP client to PA portal

2. user login with AD user and GP starts to connect using AD user (SSO) and then user starts logon  corp domain/scripts/drive mapping

Not sure if Palo Alto staff use pre-log feature to get home drive mapped at home. We use Juniper/Cisco and it works well.