02-02-2012 07:17 AM
Hello,
I've been trying for a week now to configure GlobalProtect, and have only been partially successful.
My config is PAN-OS 4.1.1 and GP client 1.1.2 on PA-2050 boxes. No GlobalProtect licence.
I encountered 2 problems which I can't solve.
1.
I have configured LDAP to get the credentials from our AD server and got this part of the authentication working.
I can log in on the GlobalProtect page on the Palo Alto box and can also connect using the GP client (well, partially; see point 2).
I now want to configure the PA to only allow users who are in an AD group to connect. I created a group in AD and placed a user in this group (not an OU).
In "User Identification" I created an entry in "Group Mapping Settings"; there I select the same LDAP "Server Profile" I also use in the "Authentication Profile" for GlobalProtect. In "Group Include List" I set the AD group I created in AD. (Here there seems to be a bug: I can only navigate 2 branches in the LDAP tree, but I tricked it by modifying the Base DN of the LDAP profile until I could select the group and then setting the Base DN back to the original setting.)
This seems to be correct because entering "show user group list" in the CLI shows the group with the LDAP path I selected to include in the Group mapping. Calling "show user group list" in the CLI shows the user I added in the AD group and also shows the group short name.
I am now unable to add this group in the allow list of the authentication profile. It only shows users and groups defined in the "Local User Database". If I enter the group name manually, authentication will fail.
In PA-4.1_Administrators_Guide.pdf I can read to click "Edit Allow List". I have no such button, just Add and Delete.
Adding an AD user manually to the list will only allow this user to log in, as it should; I just can't get it working with the AD group.
2.
I have a lot of trouble with the GlobalProtect client. I installed the client on a Dell Latitude 2110 netbook with Windows 7 32-bit and sometimes can connect, but most of the time the client hangs with the status "Connecting please wait".
Under the "Administrator" account the connection works every time like it should. I completely disabled the firewall and uninstalled the antivirus, but the connection still only works properly under Administrator. (Tried installing as Administrator, tried installing as a user which has administrator rights, same result.)
Here is where it fails: (IP masked)
(T864) 02/02/12 13:57:12:685 Debug(4497): CPanMSService::RetrieveGatewayInfo, cert is 00288D50
(T864) 02/02/12 13:57:12:685 Debug(4499): Pre-login...
(T864) 02/02/12 13:57:12:685 Debug( 142): active session id is 2
(T864) 02/02/12 13:57:12:685 Debug( 167): found process id 4616
(T864) 02/02/12 13:57:12:685 Debug(5060): PrepareRequest...
(T864) 02/02/12 13:57:12:685 Debug(5068): WinHttpOpenRequest...
(T864) 02/02/12 13:57:12:685 Debug( 392): CPanHTTPSession::PostRequest: WinHttpSendRequest...
(T864) 02/02/12 13:57:43:011 Error(5083): PostRequest failed with error code 12002.
(T864) 02/02/12 13:57:43:011 Debug(4597): Failed to pre-login to the gateway ip.ip.ip.ip
(T864) 02/02/12 13:57:43:011 Error(4356): Failed to retrieve info for gateway ip.ip.ip.ip.
(T864) 02/02/12 13:57:43:011 Debug(4366): tunnel to ip.ip.ip.ip is not created.
Does the old SSL client still work? I downloaded it from the support site but cannot figure out how to install it on the PC. I guess it can only be uploaded to the Palo Alto firewall running an older PAN-OS which did not use GlobalProtect yet?
By reading the discussion groups I can see that I'm not the only one having a hard time.
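A small added parser for the PanGPS log excerpt above (this is not code from the thread or from Palo Alto): it pulls the WinHTTP code out of the "PostRequest failed" line, names it, finds which gateway the pre-login was aimed at, and measures how long the client sat in WinHttpSendRequest before the error was logged. The 12002 meaning is from the post's own symptom; the 12029 entry is assumed from the WinHTTP documentation, and the sample lines are reconstructed from the post with the gateway IP left masked.

```python
import re
from datetime import datetime
# Record layout of the PanGPS log quoted above: "(T864) 02/02/12 13:57:43:011 Error(5083): <message>"
LINE_RE = re.compile(
    r"^\(T(?P<thread>\d+)\) (?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}:\d{3}) "
    r"(?P<level>\w+)\(\s*(?P<code>\d+)\): (?P<msg>.*)$"
)

# WinHTTP codes behind "PostRequest failed with error code N"; 12002 is from the post, 12029 is assumed.
WINHTTP_ERRORS = {
    12002: "ERROR_WINHTTP_TIMEOUT: gateway did not answer before the client gave up",
    12029: "ERROR_WINHTTP_CANNOT_CONNECT: TCP connection to the gateway failed",
}

# Constructed sample: the failing lines from the post, gateway IP left masked.
SAMPLE_LOG = [
    "(T864) 02/02/12 13:57:12:685 Debug( 392): CPanHTTPSession::PostRequest: WinHttpSendRequest...",
    "(T864) 02/02/12 13:57:43:011 Error(5083): PostRequest failed with error code 12002.",
    "(T864) 02/02/12 13:57:43:011 Debug(4597): Failed to pre-login to the gateway ip.ip.ip.ip",
    "(T864) 02/02/12 13:57:43:011 Debug(4366): tunnel to ip.ip.ip.ip is not created.",
]

def parse_line(line):
    """Split one record into thread, timestamp, level, code and message; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"thread": int(m["thread"]), "level": m["level"], "code": int(m["code"]),
            "ts": datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S:%f"), "msg": m["msg"]}

def analyze(lines):
    """Report which gateway failed pre-login, the WinHTTP code, and how long the client waited."""
    sent_at = None
    result = {"gateway": None, "error_code": None, "cause": None, "stalled_seconds": None}
    for rec in filter(None, map(parse_line, lines)):
        msg = rec["msg"]
        if "WinHttpSendRequest" in msg:          # request handed to WinHTTP: start the clock
            sent_at = rec["ts"]
        fail = re.search(r"PostRequest failed with error code (\d+)", msg)
        if fail:
            code = int(fail.group(1))
            result["error_code"] = code
            result["cause"] = WINHTTP_ERRORS.get(code, "unknown WinHTTP error %d" % code)
            if sent_at is not None:              # a 12002 after ~30 s means nothing came back at all
                result["stalled_seconds"] = (rec["ts"] - sent_at).total_seconds()
        gw = re.search(r"Failed to pre-login to the gateway (\S+)", msg)
        if gw:
            result["gateway"] = gw.group(1)
    return result
```

A 30-second stall ending in 12002 from one Windows account but not another points at something on the client side intercepting or blocking the HTTPS request, which is why the per-account comparison in the post is the useful clue.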
02-09-2012 06:58 AM
Unfortunately GP is a relatively new technology and many customers are having trouble with it. It took us about 8 months to get it working right in our environment.
Is the admin login that you can connect with in the local user database on the PA, or is it authenticated via LDAP and AD?
Are you running a user identification agent? I believe that GP requires one. This is one thing that is left out in the configuration guides. Also, in your Authentication Profile for your normal users, set it to "allow all" and retest. Also ensure that your LDAP is configured properly.
02-09-2012 07:05 AM
Looking at your log... you are having an authentication issue. The gateway is not allowing the credentials to be passed, which leads me to believe that your PAN agent is not configured properly or LDAP is wrong in the LDAP profile for your normal (non-admin) users.
02-09-2012 08:01 AM
Kamish, thank you for your help.
I'm running a user identification agent which is running fine (seeing users in policy logs).
I'm using LDAP for GlobalProtect authentication as the user identification agent profile is not in the list of authentication methods.
(Our integrator helped me get this working.)
I think you misunderstood my problem. Every user in the AD can log in via the GlobalProtect portal or client. It just doesn't work when I want to restrict the login to users in an AD group. I can work around this by adding the users individually in the allow list and not using the AD group.
The other problem is that the connection with the GP client only works under the Windows 7 "Administrator" account on the netbook I use to test; if I launch the connection logged in as a user which has administrator rights on the netbook, the connection hangs as described. I have tested with my private laptop now, which has no company AD profile; here the connection works, even if I'm not logged in as Administrator. The problem here is definitely caused by problems between the GP client and the Windows 7 OS, but I can't find the cause.
02-09-2012 08:16 AM
Roger. We use Win7 but a custom image. We haven't had any issues with the new client 1.1.2-9 and OS 4.1.2. Have been using GP since 1.0.1 and 3.1.1 and upgraded along the way. Granted it took about 8 months to get everything working right, but eventually everything clicked and works great now. I just wish that there was more support for GP via documentation. However, support was helpful along the way and my sales engineer is awesome!