Problem authenticating SSL VPN with eDirectory Users


Not applicable

Hi

I have set up an SSL VPN on a PA-500 with Pan OS 4.0.7.

The problem is that I cannot log in with certain eDirectory users. I have checked those users are in the same group as the ones that work; that group is the one allowed to log in.

I would appreciate any help on this.

Regards

Emilio M.

5 REPLIES 5

L5 Sessionator

What is the authentication error you get?

Run the command: 'tail follow yes mp-log authd.log' and authenticate to the VPN. This output will give you the reason as to why the authentication fails.

The output is

May 01 14:51:26 pan_authd_service_req(pan_authd.c:2454): Authd:Trying to remote authenticate user: PruebaVPN
May 01 14:51:26 pan_authd_service_auth_req(pan_authd.c:1098): AUTH Request <'vsys1','VPNSSL-Auth-Sequence','PruebaVPN'>
May 01 14:51:26 pan_authd_handle_nonadmin_auths(pan_authd.c:2146): VPNSSL-Auth-Sequence is an auth sequence
May 01 14:51:26 pan_authd_handle_nonadmin_auths(pan_authd.c:2206): Trying auth profile #1 COA-Local in auth seq
May 01 14:51:26 panauth:user <PruebaVPN,COA-Local,vsys1> is not allowed
May 01 14:51:26 pan_authd_handle_nonadmin_auths(pan_authd.c:2206): Trying auth profile #2 COA-eDir-VPN-SSL in auth seq
May 01 14:51:26 pan_authd_common_authenticate(pan_authd.c:1472): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:c:o:a-e:dir-:v:p:n-:s:s:l,username PruebaVPN
May 01 14:51:29 pan_authd_authenticate_service(pan_authd.c:648): authentication failed (6)
May 01 14:51:29 authentication failed for user <vsys1,COA-eDir-VPN-SSL,PruebaVPN>
May 01 14:51:29 pan_authd_process_authresult(pan_authd.c:1241): pan_authd_process_authresult: PruebaVPN authresult not auth'ed
May 01 14:51:29 Error: pan_authd_user_auth_failure_alarm_gen(pan_authd_localdb_utils.c:504): failed to prepare sql statement: select * from authseqdb where seqname=? and vsysname=?'
May 01 14:51:29 pan_authd_process_authresult(pan_authd.c:1264): Alarm generation set to: False.
May 01 14:51:29 User 'PruebaVPN' failed authentication.  Reason: Invalid username/password From: 88.18.211.151.
May 01 14:51:29 pan_get_system_cmd_output(pan_cfg_utils.c:3033): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
May 01 14:51:29 pan_authd_generate_system_log(pan_authd.c:827): CC Enabled=False
May 01 14:51:29 pan_get_system_cmd_output(pan_cfg_utils.c:3033): executing: /usr/local/bin/sdb -n -r cfg.operational-mode

But I know the password for that user is correct and other users authenticate correctly

Any ideas?
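A small parser for the authd.log lines in the post above, added here as an example (not part of the original thread and not Palo Alto Networks tooling): it groups the auth-sequence steps of each request and records each profile's outcome in the log's own wording. The regular expressions are derived only from the lines shown in this thread and assume requests are logged one at a time.

```python
import re

# Sample input: lines copied from the authd.log output posted in this thread.
SAMPLE = """\
May 01 14:51:26 pan_authd_service_auth_req(pan_authd.c:1098): AUTH Request <'vsys1','VPNSSL-Auth-Sequence','PruebaVPN'>
May 01 14:51:26 pan_authd_handle_nonadmin_auths(pan_authd.c:2206): Trying auth profile #1 COA-Local in auth seq
May 01 14:51:26 panauth:user <PruebaVPN,COA-Local,vsys1> is not allowed
May 01 14:51:26 pan_authd_handle_nonadmin_auths(pan_authd.c:2206): Trying auth profile #2 COA-eDir-VPN-SSL in auth seq
May 01 14:51:29 pan_authd_authenticate_service(pan_authd.c:648): authentication failed (6)
May 01 14:51:29 authentication failed for user <vsys1,COA-eDir-VPN-SSL,PruebaVPN>
May 01 14:51:29 User 'PruebaVPN' failed authentication.  Reason: Invalid username/password From: 88.18.211.151.
"""

REQ = re.compile(r"AUTH Request <'([^']*)','([^']*)','([^']*)'>")
TRY = re.compile(r"Trying auth profile #(\d+) (\S+) in auth seq")
DENY = re.compile(r"panauth:user <([^,]+),([^,]+),([^>]+)> is not allowed")
FAIL = re.compile(r"authentication failed for user <([^,]+),([^,]+),([^>]+)>")
FINAL = re.compile(r"User '([^']*)' failed authentication\.\s+Reason: (.+?) From: (\d+(?:\.\d+){3})")


def _mark(attempt, profile, result):
    """Record the outcome for the named profile within one attempt."""
    for p in attempt["profiles"]:
        if p["name"] == profile:
            p["result"] = result


def summarize(text):
    """Return one dict per AUTH Request with the profiles tried and their outcomes."""
    attempts, cur = [], None
    for line in text.splitlines():
        if m := REQ.search(line):
            cur = {"vsys": m[1], "sequence": m[2], "user": m[3],
                   "profiles": [], "reason": None, "source": None}
            attempts.append(cur)
        elif cur is None:
            continue  # ignore lines that precede the first request
        elif m := TRY.search(line):
            cur["profiles"].append({"order": int(m[1]), "name": m[2], "result": "unknown"})
        elif m := DENY.search(line):
            _mark(cur, m[2], "not allowed")            # field order: user, profile, vsys
        elif m := FAIL.search(line):
            _mark(cur, m[2], "authentication failed")  # field order: vsys, profile, user
        elif m := FINAL.search(line):
            cur["reason"], cur["source"] = m[2], m[3]
    return attempts
```

For the posted log this shows that the local profile did not allow the user, while the eDirectory profile was tried and returned an authentication failure.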

Not applicable

It was an issue with the user's password in Novell eDirectory. I finally debugged this with 'ndstrace' and 'ndslogin' on the eDirectory server.

Regards

Emilio M

Ingelan

Sevilla, Spain

Your log does indicate it's an invalid username/pwd:

May 01 14:51:29 User 'PruebaVPN' failed authentication.  Reason: Invalid username/password From: 88.18.211.151.

After debugging the same problem with another user, the problem disappeared when I changed the user name (CN in this case). I changed one uppercase letter to lowercase... and it worked!

I even changed the user name back to the original value and it kept working.

I don't know the reason but changing the user name solves this problem.

Regards

Emilio
