User authentication - Global Protect

darren_g · ‎09-20-2012

HI.

I'm pre-staging a couple of PA2020's (active/passive), and am having an issue with getting authentication via AD working for Global Protect through Active Directory.

As far as I can tell, the LDAP configuration is correct - the firewall connects to the agent, and gets a list of users from the groups I have configured to be allowed - but every time I try to login to the portal, it fails, and I get the following log entries

GlobalProtect portal user authentication failed. Login from: XXX.XXX.XXX.XXX, User name: domain\first.last, Reason: Authentication failed: Invalid username or password .

09/21 12:05:38

User 'domain\first.last' failed authentication. Reason: Invalid username/password From: XXX.XXX.XXX.XXX.

09/21 12:05:38

(I've sanitized the actual details, obviously).

I *know* the user is in the AD group which is in the allowed list - a CLI query shows the following output

admin@Gate(active)> show user group name domain\vpn-users

group short name: domain\vpn-users

[11 ] domain\first.last

Can anyone suggest where I might be going wrong? I've tried every possible combination/form of username, and I know I'm using the correct password - is there any way from the CLI to try and verify what is going wrong?

Thanks.

darren_g · ‎01-23-2013

Yeah, I got it right eventually.

It was a rather contorted process, and the documentation I found is somewhat dated and doesn't apply properly to current versions, but with some help from people here I got it working.

It came down to two configuration options I had wrong

In the LDAP server profile, you need to make sure you have your domain in the "Domain" section of the configuration - the documentation indicated I could leave that blank, but this is *not* the case.

In the Authentication profile group list, you need to enter your group in domain\group format, not in DN string format (which the firewall defaults to) - so instead of cn=<group>,dc=<domain>,dc=<suffix> format you need to put domain\group - you will likely need to manually enter this in the correct format.

There's a whole bunch of CLI troubleshooting you can do - if you can't get it working, do a search on discussions started by me with the title "LDAP Authentication not matching user groups", and you should find more hints.

Cheers.

View solution in original post

sdurga · ‎09-20-2012

Did you actually create an authentication profile and use this in the gp configuration ? I believe your authentication profile settings might not be correct. You can create an authentication profile as shown for the users like in the below pic and can use the same in the gp config.

darren_g · ‎09-20-2012

Yes, I have created an Authentication Profile. Picture shown below

I couldn't commit the GP setup until I had it.

The GP is setup as follows

Gateway Config

Portal config

I'm open to other suggestions.

Cheers

sdurga · ‎09-20-2012

If you believe the configuration is correct. From the CLI you can verify the whole authentication process from the logs. While you are trying to connect via gp and doing authentication, please open a cli session run the below command and look for the information in this log.

"tail follow yes mp-log authd.log"

You can actually look the firewall sending the authentication requests to LDAP server for the gp users and LDAP server replying back with the results.

darren_g · ‎09-20-2012

OK, I did that, and got the following output.

Sep 21 13:37:48 pan_authd_service_req(pan_authd.c:2604): Authd:Trying to remote authenticate user: domain\darren.gibbs

Sep 21 13:37:48 pan_authd_service_auth_req(pan_authd.c:1115): AUTH Request <'vsys1','VPNUsers','domain\darren.gibbs'>

Sep 21 13:37:48 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3527): failed to fetch: NO_MATCHES

Sep 21 13:37:48 pan_authd_common_authenticate(pan_authd.c:1511): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:v:p:n:users_0,username domain\darren.gibbs

Sep 21 13:37:48 pan_authd_authenticate_service(pan_authd.c:663): authentication failed (6)

Sep 21 13:37:48 pan_authd_common_authenticate(pan_authd.c:1531): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:v:p:n:users_0,username domain\darren.gibbs failed - trying other hosts

Sep 21 13:37:48 pan_authd_common_authenticate(pan_authd.c:1506): Skipping LDAP server due to missing Auth-Profile: pan_ldap_vsys1_:v:p:n:users_1

Sep 21 13:37:48 pan_authd_common_authenticate(pan_authd.c:1506): Skipping LDAP

Now, the errors tell me there's obviously something wrong - but I can't figure out what. I'm sure it's something simple, but I'm stuffed if I know what.

Any ideas will be tried.

Thanks!

darren_g · ‎09-20-2012

I just had a thought.

What path are these authentication requests passed through? The management interface, or the actual dataplane interface? I have the management interface connected and able to talk to the domain controller, but the dataplane interfaces are only connected to dummy ports on a stand-alone switch (to bring them up), they're not actually connected to the live network.

Could this be causing the problem, or would the authentication be handled over the management interface?

sdurga · ‎09-20-2012

The authentication requests to domain controller are passed through the mgmt interface. Just curious, you said you have the data plane interfaces connected to dummy interfaces ? then how are the gp clients connecting to the firewall ?

From the previous logs I see that the actual user information is being sent to the LDAP server and it seems like the server is not able to match the user info.

darren_g · ‎09-20-2012

There are no "clients" - there is one "client" - me. 🙂 I've plugged my laptop direct into the "outside" interface and assigned it my Internet router's IP address, so it's "pretending" to be the Internet.

The source packet is coming from an external address, so the firewall just sees the client as another outside IP.

I don't know how the server is not matching the username - I can list the users in the group from the CLI, and the username I'm entering is in the group.

Is there some way to debug the agent on the server which might shed some light?

Message was edited by: Darren Gibbs

sdurga · ‎09-21-2012

We can try these things and see if it helps

1) One the LDAP server you can go to security events of the server and look out for the login auth tickets and see if the server is actually getting the LDAP queries from the firewall, if so the reason for the denial of the user.

In the below document you can the actual event IDs for logon/log off events on the windows server.

https://live.paloaltonetworks.com/docs/DOC-1262

2) We can try removing the LDAP filter for users in the authentication profile and allow all users temporarily and authenticate see if that works.

darren_g · ‎09-23-2012

Well, I know the LDAP server is working because if I add individual users into the "allow" list one at a time, they authenticate properly.

It just won't enumerate the group members.

I can work around it, but I'd really like to know WHY I can't use an AD group membership for authentication.

seniornwb · ‎01-23-2013

We have a comparable issue.

What I see is that when i login to global protect using a domain user domain\user and then look at the traffic logs I only see user

When I use rules from the globalprotect zone to the network using domain\group names they do not work. If i add user they work. In other zones adding user does not work because I have to add domain\user.

Did you ever get this sorted out ?

darren_g · ‎01-23-2013

Yeah, I got it right eventually.

It was a rather contorted process, and the documentation I found is somewhat dated and doesn't apply properly to current versions, but with some help from people here I got it working.

It came down to two configuration options I had wrong

In the LDAP server profile, you need to make sure you have your domain in the "Domain" section of the configuration - the documentation indicated I could leave that blank, but this is *not* the case.

In the Authentication profile group list, you need to enter your group in domain\group format, not in DN string format (which the firewall defaults to) - so instead of cn=<group>,dc=<domain>,dc=<suffix> format you need to put domain\group - you will likely need to manually enter this in the correct format.

There's a whole bunch of CLI troubleshooting you can do - if you can't get it working, do a search on discussions started by me with the title "LDAP Authentication not matching user groups", and you should find more hints.

Cheers.

SurajN · ‎08-25-2021

I'm also facing same issue. When I have call specific user group in authentication profile and after that called in global protect portal and gateway but at time of login in gp then showing invalid user name and password showing logs login failed,But If i called all user in authentication profile then login successful showing.

I have use user id tefreash group mapping all command then check users in group showing my 45 users in group.

Please suggest me solution

Unlock your full community experience!

User authentication - Global Protect

User authentication - Global Protect

Show your appreciation!