PAN OS 5.0 and AD authentication problem

L3 Networker

Hi Albert_C,

Could you show an example of how to specify the group you want to list with the command "show user group name <group name>"?

thanks

Art


L3 Networker

ArtBahrs - sorry for the late reply, I was swamped with work.

Easiest is to type: show user group name and press TAB - the PAN CLI will show the available choices (groups).

You can specify short and long format:

show user group name example\bu-personal

is identical to:

show user group name cn=bu-personal,ou=general,ou=groups,dc=example,dc=org

If the group name contains spaces (or other unwanted characters) you will have to enclose it in double quotes:

show user group name "cn=domain admins,cn=users,dc=example,dc=org"

show user group name "example\domain admins"
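
The equivalence between the two spellings above, and the quoting rule, can be checked with a small helper. This is an added example, not code from the original thread or from Palo Alto Networks: it parses the LDAP distinguished name (honouring RFC 4514 backslash escapes), derives the short DOMAIN\group form from it, and emits the `show user group name` line with double quotes only when they are needed. Two assumptions are made that the page does not state: the short-form domain is taken from the first `dc=` component of the DN (a real firewall takes it from the User-ID group-mapping / domain setting, which can differ), and the set of characters that force quoting is taken to be whitespace and double quotes.

```python
"""
Added example (not from the original thread): build the PAN-OS
'show user group name ...' CLI line from either of the two group formats
shown in the thread, and turn the LDAP DN form into the short DOMAIN\\group form.

Assumptions, not stated on the page:
  * The short-form domain is taken from the FIRST dc= component of the DN
    (dc=example,dc=org -> 'example'). A real firewall takes the short domain
    from the User-ID group-mapping / domain setting, which may be different.
  * Double quotes are added whenever the argument contains whitespace or a
    double quote; the thread only says "spaces (or other unwanted characters)".
"""
import re

# Any of these in the argument forces double quotes (assumed conservative set).
_NEEDS_QUOTES = re.compile(r'[\s"]')


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) pairs.

    Honours RFC 4514 backslash escapes, so 'cn=Smith\\, John' is one RDN
    rather than two. Attribute names are lower-cased; values are left escaped.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == '\\':
            buf.append(ch)
            escaped = True
        elif ch == ',':             # an unescaped comma ends the current RDN
            rdns.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append(''.join(buf))

    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition('=')
        if not sep or not attr.strip():
            raise ValueError(f'malformed RDN: {rdn!r}')
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def is_dn(group: str) -> bool:
    """True for the LDAP form (starts with cn=), False for DOMAIN\\group."""
    return group.lower().startswith('cn=')


def dn_to_short(dn: str) -> str:
    """cn=bu-personal,ou=general,ou=groups,dc=example,dc=org -> example\\bu-personal

    The leftmost cn= is the group name (a group DN can contain further cn=
    containers such as cn=users); escapes in it are removed for the short form.
    The domain is the first dc= component (assumption, see module docstring).
    """
    pairs = parse_dn(dn)
    cns = [v for a, v in pairs if a == 'cn']
    dcs = [v for a, v in pairs if a == 'dc']
    if not cns or not dcs:
        raise ValueError('group DN needs a cn= and at least one dc= component')
    name = re.sub(r'\\(.)', r'\1', cns[0])   # unescape '\,' -> ',' etc.
    return f'{dcs[0]}\\{name}'


def show_user_group_cmd(group: str) -> str:
    """Return the CLI line, quoting the group when it contains a space etc."""
    arg = f'"{group}"' if _NEEDS_QUOTES.search(group) else group
    return f'show user group name {arg}'


if __name__ == '__main__':
    # Both spellings for each of the two groups named in the thread.
    for g in ('cn=bu-personal,ou=general,ou=groups,dc=example,dc=org',
              'cn=domain admins,cn=users,dc=example,dc=org'):
        print(show_user_group_cmd(g))
        print(show_user_group_cmd(dn_to_short(g)))
```

Running the module prints the four commands from the post above, with quotes appearing only around the two "domain admins" variants. The escape handling matters for groups whose common name itself contains a comma; splitting naively on commas would turn such a DN into a group name that the firewall cannot match.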

L2 Linker

Refer to djrodb Dec 10, 2012 1:50 AM


I would like to know about the logon script working with our GP pre-logon. We had an issue where the logon script is not working if we put a group, in either domain\user group or LDAP format (cn=network_tech,ou=groups,dc=domain,dc=com), but if we put Any in the source user of the security rule and authentication profile it works. For the LDAP config we leave the domain name empty, which is suggested by Tech. GP users can authenticate without problem, reach network resources and map drives manually, but the logon scripts are not working. Please share your experience if possible.


Thank you


Daniel




L3 Networker

daniel.li@tcdsb.org - if I understand you correctly, Windows logon scripts are not working when you put a specific user or group in the security rule?

Please refer to: https://live.paloaltonetworks.com/docs/DOC-2020 for comprehensive information about configuring GlobalProtect.

The reason why scripts are not working with a specific user/group in the security rule is:

All pre-logon VPN connections will report a generic "pre-logon user" to User-ID. The username is not known at the time the connection is established. The username is reported to the gateway once the user logs in to the machine.

Taken from GlobalProtect Configuration Tech Note.

L2 Linker

Thanks Albert. There are two places to add a user/group (authentication profile and security policy).

If both places are Any, the logon script will NOT work in our case. I have not tried one Any and one user/group. Basically we only allow staff to get authenticated, not students. We followed Doc 2020 for the setup. Is there a fix to get the logon script working with the pre-logon SSO setting? My understanding of pre-logon with SSO:

1. A user (not on the office network) with a preconfigured wired or wireless internet connection powers up the machine without the logon window. Pre-logon is already established between the GP client on the user's laptop and the PA portal.

2. The user logs in with an AD user and GP starts to connect using the AD user (SSO), and then the user starts logon to the corp domain / scripts / drive mapping.

Not sure if Palo Alto staff use the pre-logon feature to get their home drive mapped at home. We use Juniper/Cisco and it works well.

L3 Networker

daniel.li@tcdsb.org - What about the third place in which you can add a user/group, the GlobalProtect Portal Client Configuration? Is pre-logon successfully establishing the connection, apart from running scripts?

L2 Linker

The 3rd place is default=Any; we did not touch the 3rd place in our test.

L2 Linker

Sorry, I missed the question. Everything is working except the script (drive mapping).

L3 Networker

daniel.li@tcdsb.org - now I am utterly confused.

First you wrote:

We had an issue where the logon script is not working if we put a group, in either domain\user group or LDAP format (cn=network_tech,ou=groups,dc=domain,dc=com), but if we put Any in the source user of the security rule and authentication profile it will work

Then:

If both place are Any. logon script will NOT work in our case

I do not know what works for you, and what does not.

L2 Linker

Sorry, I had incorrect information in my previous emails.

Script working setting: Any / Any / Any in the 3 places (security policy; authentication profile, we used RADIUS; portal client configuration)

Script not working: domain\group name or cn=xxx format; domain\group name or cn=xxx; Any

Note: the cn=xxxx groups are defined in Group Mapping under User Identification.

Thank you for your time to help on this issue
