User authentication - Global Protect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

User authentication - Global Protect

L4 Transporter

HI.

I'm pre-staging a couple of PA2020's (active/passive), and am having an issue with getting authentication via AD working for Global Protect through Active Directory.

As far as I can tell, the LDAP configuration is correct - the firewall connects to the agent, and gets a list of users from the groups I have configured to be allowed - but every time I try to login to the portal, it fails, and I get the following log entries

GlobalProtect portal user authentication failed. Login from: XXX.XXX.XXX.XXX, User name: domain\first.last, Reason: Authentication failed: Invalid username or password .

09/21 12:05:38

User 'domain\first.last' failed authentication. Reason: Invalid username/password From: XXX.XXX.XXX.XXX.

09/21 12:05:38

(I've sanitized the actual details, obviously).

I *know* the user is in the AD group which is in the allowed list - a CLI query shows the following output

admin@Gate(active)> show user group name domain\vpn-users

group short name: domain\vpn-users

[11     ] domain\first.last

Can anyone suggest where I might be going wrong? I've tried every possible combination/form of username, and I know I'm using the correct password - is there any way from the CLI to try and verify what is going wrong?

Thanks.

1 accepted solution

Accepted Solutions

Yeah, I got it right eventually.

It was a rather contorted process, and the documentation I found is somewhat dated and doesn't apply properly to current versions, but with some help from people here I got it working.

It came down to two configuration options I had wrong

In the LDAP server profile, you need to make sure you have your domain in the "Domain" section of the configuration - the documentation indicated I could leave that blank, but this is *not* the case.

In the Authentication profile group list, you need to enter your group in domain\group format, not in DN string format (which the firewall defaults to) - so instead of cn=<group>,dc=<domain>,dc=<suffix> format you need to put domain\group - you will likely need to manually enter this in the correct format.

There's a whole bunch of CLI troubleshooting you can do - if you can't get it working, do a search on discussions started by me with the title "LDAP Authentication not matching user groups", and you should find more hints.

Cheers.

View solution in original post

12 REPLIES 12

L6 Presenter

Did you actually create an authentication profile and use this in the gp configuration ? I believe your authentication profile settings might not be correct. You can create an authentication profile as shown for the users like in the below pic and can use the same in the gp  config.

dddCapture.PNG

Yes, I have created an Authentication Profile. Picture shown below

auth_profile.jpg

I couldn't commit the GP setup until I had it.

The GP is setup as follows

Gateway Config

gateway-config.jpg

Portal config

portal_config.jpg

I'm open to other suggestions.

Cheers

If you believe the configuration is correct. From the CLI you can verify the whole authentication process from the logs. While you are trying to connect via gp and doing authentication, please open a cli session run the below command and look for the information in this log.

"tail follow yes mp-log authd.log"

You can actually look the firewall sending the authentication requests to LDAP server for the gp users and LDAP server replying back with the results.

OK, I did that, and got the following output.

Sep 21 13:37:48 pan_authd_service_req(pan_authd.c:2604): Authd:Trying to remote authenticate user: domain\darren.gibbs

Sep 21 13:37:48 pan_authd_service_auth_req(pan_authd.c:1115): AUTH Request <'vsys1','VPNUsers','domain\darren.gibbs'>

Sep 21 13:37:48 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3527): failed to fetch: NO_MATCHES

Sep 21 13:37:48 pan_authd_common_authenticate(pan_authd.c:1511): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:v:p:n:users_0,username domain\darren.gibbs

Sep 21 13:37:48 pan_authd_authenticate_service(pan_authd.c:663): authentication failed (6)

Sep 21 13:37:48 pan_authd_common_authenticate(pan_authd.c:1531): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:v:p:n:users_0,username domain\darren.gibbs failed - trying other hosts

Sep 21 13:37:48 pan_authd_common_authenticate(pan_authd.c:1506): Skipping LDAP server due to missing Auth-Profile: pan_ldap_vsys1_:v:p:n:users_1

Sep 21 13:37:48 pan_authd_common_authenticate(pan_authd.c:1506): Skipping LDAP

Now, the errors tell me there's obviously something wrong - but I can't figure out what. I'm sure it's something simple, but I'm stuffed if I know what.

Any ideas will be tried.

Thanks!

I just had a thought.

What path are these authentication requests passed through? The management interface, or the actual dataplane interface? I have the management interface connected and able to talk to the domain controller, but the dataplane interfaces are only connected to dummy ports on a stand-alone switch (to bring them up), they're not actually connected to the live network.

Could this be causing the problem, or would the authentication be handled over the management interface?

The authentication requests to domain controller are passed through the mgmt interface. Just curious, you said you have the data plane interfaces connected to dummy interfaces  ? then how are the gp clients connecting to the firewall ? Smiley Happy

From the previous logs I see that the actual user information is being sent to the LDAP server and it seems like the server is not able to match the user info.

There are no "clients" - there is one "client" - me. 🙂 I've plugged my laptop direct into the "outside" interface and assigned it my Internet router's IP address, so it's "pretending" to be the Internet.

The source packet is coming from an external address, so the firewall just sees the client as another outside IP.

I don't know how the server is not matching the username - I can list the users in the group from the CLI, and the username I'm entering is in the group.

Is there some way to debug the agent on the server which might shed some light?

Message was edited by: Darren Gibbs

We can try these things and see if it helps

1) One the LDAP server you can go to security events of the server and look out for the login auth tickets and see if the server is actually getting the LDAP queries from the firewall, if so the reason for the denial of the user.

In the below document you can the actual event IDs for logon/log off events on the windows server.

https://live.paloaltonetworks.com/docs/DOC-1262

2) We can try removing the LDAP filter for users in the authentication profile and allow all users temporarily and authenticate see if that works.

Well, I know the LDAP server is working because if I add individual users into the "allow" list one at a time, they authenticate properly.

It just won't enumerate the group members.

I can work around it, but I'd really like to know WHY I can't use an AD group membership for authentication.

We have a comparable issue.

What I see is that when i login to global protect using a domain user domain\user and then look at the traffic logs I only see user

When I use rules from the globalprotect zone to the network using domain\group names they do not work. If i add user they work. In other zones adding user does not work because I have to add domain\user.

Did you ever get this sorted out ?

Yeah, I got it right eventually.

It was a rather contorted process, and the documentation I found is somewhat dated and doesn't apply properly to current versions, but with some help from people here I got it working.

It came down to two configuration options I had wrong

In the LDAP server profile, you need to make sure you have your domain in the "Domain" section of the configuration - the documentation indicated I could leave that blank, but this is *not* the case.

In the Authentication profile group list, you need to enter your group in domain\group format, not in DN string format (which the firewall defaults to) - so instead of cn=<group>,dc=<domain>,dc=<suffix> format you need to put domain\group - you will likely need to manually enter this in the correct format.

There's a whole bunch of CLI troubleshooting you can do - if you can't get it working, do a search on discussions started by me with the title "LDAP Authentication not matching user groups", and you should find more hints.

Cheers.

L2 Linker

I'm also facing same issue. When I have call specific user group in authentication profile and after that called in global protect portal and gateway but at time of login in gp then showing invalid user name and password showing logs login failed,But If i called all user in authentication profile then login successful showing. 

I have use user id tefreash group mapping all command then check users in group showing my 45 users in group. 

Please suggest me solution

  • 1 accepted solution
  • 20486 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!