PAN OS 5.0 and AD authentication problem

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PAN OS 5.0 and AD authentication problem

Not applicable

Hello

I have a little problem with my PA-5020. After upgrading OS to a 5.0 version my user authentication to log on as an administrator from ldap and kerberos doesn`t work. I had user mapped to an allowed list by AD group:

cn=administratorzy paloalto,ou=urzĄdzenia,ou=grupy zasobÓw,dc=my,dc=domain,dc=name,

it was working fine with os 4.X  but after updating to a 5.0 i got errors:

User 'my.domain.name\myuser' failed authentication.  Reason: User is not in allowlist From: x.x.x.x

After adding user directly ("my.domain.name\myuser") to allow list it works perfectly.

At first i thought it was problem with my OU names containing ó,ą which are polish letters, but i moved that group to a different OU without theme and it still doesn`t work.

It looks like PA doesn`t see members of my groups.

Weird thing is that I also have policy based on user belonging to a different groups and that mapping works fine.

25 REPLIES 25

daniel.li@tcdsb.org - What about the third place in which you can add user/group, GlobalProtect Portal Client Configuration? Does pre-logon is successfully establishing connection, apart from running scripts?

3rd place is default=Any, we did not touch 3rd place in our test.

Sorry i missed the question everything is working except the script=drive mapping

daniel.li@tcdsb.org - now I am utterly confused.

First you wrote:

We had an issue that logon script is not working if we put group either  domain\user group or LADP format  cn=network_tech,ou=groups,dc=domain,dc=com but if we put any in source user in security rule and authentication profile it will work

Then:

If both place are Any. logon script will NOT work in our case

I do not know what works for you, and what does not.

Sorry. I had incorrect information in my previous emails

Script working setting: Any/Any/Any setting in the 3 places (security policy/authentication profile --we used Radius/portal client configuration)

Script not working:      Domain/group name or cn=xxx format/domain/group name or cn=xxx/Any

Note: cn=xxxx are defined in Group mapping under User identification.

Thank you for your time to help on this issue

daniel.li@tcdsb.org - I believe my first post on this issue clarified it.

You can always change the user for "pre-logon".

Thanks I see the info in page 52 of Doc. So How can we get script working when user is not in office based on the AD group. I see page 336 of PA5.0 Admin guide about Pre-logon details.(including drive mapping) what setting are missing in my configuration (add pre-logon as user in security policy and authentication profile ?) Have you get script working in either lab or production ?

I understand that you want to map different drives to different groups, yes?

What method do you use to mount drives - logon scripts or Group Policy? Have you tried both?

Have you enabled Single Sign On in GlobalProtect configuration?

Can you post your GlobalProtect configuration (xml format)?

Personally I have not implemented pre-logon anywhere yet, but I will.

logon scripts or Group Policy?----logon script via AD (not using GP)

SSO is enabled.  There is bug in 5.0.3 we revert back to 4.x. so not able to provide xml. but I need to know if anyone had it successful deployed. I can provide you case # if you have access to support portal

I have successfully deployed GP and run logging scripts automatically post login. There is few issues though....

1st issue - We ran into a major bug in PAN OS 5.0 - 5.2 that resulted in internet connection drop outs. We had to revert back to 4.1.8. GP was not the cause of the bugs.

2nd issue - We've not upgraded to PAN OS 5.x yet - waiting until 5.0.8 or later....

You need to make sure you install the correct certificate and the certificate is located in both stores on the local pc.

You need to make sure you GP configuration is correct, As I don't have PAN OS 5 I can't post pictures -  however if you can, I can advise what is correct or missing

You can check the VPN connection details view (Under VPN settings where you can view VPN session info) You boot your laptop and watch for the certificate authenticating on this view - before you press ctrl al del - this will tell you if your certificate configuration is good. If you authenticate pre logon then the problem is with GP VPN configuiraiton on PAN device.

You need to make sure the certificate for pre-logon has pre-logon as its ID if the client certificate is not name pre-login then you will have trouble...

That's all for now  - the trick is to get certificate authentication before you press crtl alt del - you can check in the VPN session view in GP VPN configuration - if you certificate authenticates then running the login script will follow automatically when you log in.

It does work, I know it does.

Hope this helps

Rod

Thank you Rod. Glad to know that script is working on your network

1.   1st issue-- Are you using PA as corp firewall or just Vwire. we got two bugs after upgrading to 5.0.3 with network, we rolled back to 4.1.7h2. Currently waiting for last one bug fix

2.   2nd issue-- I had some screen shots of setting (not all) Basically we followed https://live.paloaltonetworks.com/docs/DOC-2020. Cert is on tested laptop and we did see pre-logon in admin webgui before alt,del and ctrl keys are pressed. We unchecked Ipsec and use SSL only.  but we did not put pre-logon (we use any)  in source user client configuration on page 50 of DOC-2020

Question:  Do you leave blank on LDAP configuration under Domain section ?

                Is VPN connection detail on GP client or on Admin GUI ?

I am also waiting for bug fix ( we have already been hit by lots of bugs). So we have 85% CPU on Dataplane not sure what your DP usage during peak hours. Will do the GP test on the new firmware

Thank you

Daniel

  • 13362 Views
  • 25 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!