I'm pre-staging a couple of PA2020s (active/passive), and am having an issue getting authentication via AD working for GlobalProtect.
As far as I can tell, the LDAP configuration is correct - the firewall connects to the agent and gets a list of users from the groups I have configured to be allowed - but every time I try to log in to the portal, it fails, and I get the following log entries:
GlobalProtect portal user authentication failed. Login from: XXX.XXX.XXX.XXX, User name: domain\first.last, Reason: Authentication failed: Invalid username or password.
User 'domain\first.last' failed authentication. Reason: Invalid username/password From: XXX.XXX.XXX.XXX.
(I've sanitized the actual details, obviously).
I *know* the user is in the AD group which is in the allowed list - a CLI query shows the following output:
admin@Gate(active)> show user group name domain\vpn-users
group short name: domain\vpn-users
[11 ] domain\first.last
Can anyone suggest where I might be going wrong? I've tried every possible combination/form of username, and I know I'm using the correct password - is there any way from the CLI to try and verify what is going wrong?
Yeah, I got it right eventually.
It was a rather contorted process, and the documentation I found is somewhat dated and doesn't apply properly to current versions, but with some help from people here I got it working.
It came down to two configuration options I had wrong:
In the LDAP server profile, you need to make sure you have your domain in the "Domain" section of the configuration - the documentation indicated I could leave that blank, but this is *not* the case.
In the Authentication profile group list, you need to enter your group in domain\group format, not in DN string format (which the firewall defaults to). So instead of cn=<group>,dc=<domain>,dc=<suffix> format you need to put domain\group - you will likely need to enter this manually in the correct format.
There's a whole bunch of CLI troubleshooting you can do - if you can't get it working, do a search on discussions started by me with the title "LDAP Authentication not matching user groups", and you should find more hints.
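The two settings named in the solution above can be checked mechanically against an exported PAN-OS XML configuration. The script below is an added example written for this thread, not Palo Alto's own tooling: it flags LDAP server profiles whose Domain field is empty and authentication-profile allow-list entries written as DNs rather than domain\group. The element paths (shared/server-profile/ldap/entry/domain, authentication-profile/entry/allow-list/member, the "all" keyword) are my assumption about the export layout, and the embedded sample config with the "-broken" and "-fixed" profile names is constructed, not a real export.

```python
"""Lint a PAN-OS XML configuration export for the two mistakes the thread
settled on: an LDAP server profile with an empty Domain field, and
authentication-profile allow-list entries written as DNs instead of
domain\\group.  Run with a path to an exported config, or with no
arguments to lint the constructed sample below."""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample (not a real export). Element paths follow the PAN-OS XML
# layout as far as I know it; they are an assumption, so check them against
# your own export.  "-broken" mirrors the original poster's state, "-fixed"
# the corrected one.
SAMPLE_CONFIG = """<config>
  <shared>
    <server-profile>
      <ldap>
        <entry name="AD-LDAP-broken">
          <server><entry name="dc1"><address>10.0.0.10</address><port>389</port></entry></server>
          <ldap-type>active-directory</ldap-type>
          <base>dc=domain,dc=local</base>
          <bind-dn>cn=svc-pan,cn=Users,dc=domain,dc=local</bind-dn>
          <domain></domain>
        </entry>
        <entry name="AD-LDAP-fixed">
          <server><entry name="dc1"><address>10.0.0.10</address><port>389</port></entry></server>
          <ldap-type>active-directory</ldap-type>
          <base>dc=domain,dc=local</base>
          <bind-dn>cn=svc-pan,cn=Users,dc=domain,dc=local</bind-dn>
          <domain>domain</domain>
        </entry>
      </ldap>
    </server-profile>
    <authentication-profile>
      <entry name="VPNUsers-broken">
        <method><ldap><server-profile>AD-LDAP-broken</server-profile>
          <login-attribute>sAMAccountName</login-attribute></ldap></method>
        <allow-list><member>cn=vpn-users,dc=domain,dc=local</member></allow-list>
      </entry>
      <entry name="VPNUsers-fixed">
        <method><ldap><server-profile>AD-LDAP-fixed</server-profile>
          <login-attribute>sAMAccountName</login-attribute></ldap></method>
        <allow-list><member>domain\\vpn-users</member></allow-list>
      </entry>
    </authentication-profile>
  </shared>
</config>
"""

DN_RE = re.compile(r"^\s*(cn|ou|dc|o)\s*=", re.IGNORECASE)  # looks like an LDAP DN
GROUP_RE = re.compile(r"^[^\\/\s]+\\[^\\]+$")               # NetBIOS domain\name


def lint_config(xml_text):
    """Return [(object, problem), ...]; an empty list means nothing found."""
    root = ET.fromstring(xml_text)
    findings = []

    # Pass 1: LDAP server profiles.  The container path has ldap/entry
    # children, which distinguishes it from the <server-profile> reference
    # inside an authentication profile's <method>.
    ldap_domain = {}
    for entry in root.findall(".//server-profile/ldap/entry"):
        name = entry.get("name")
        domain = (entry.findtext("domain") or "").strip()
        ldap_domain[name] = domain
        if not domain:
            findings.append((f"ldap-profile:{name}",
                             "Domain field is empty; set it to the NetBIOS domain name"))

    # Pass 2: authentication profiles that use LDAP.
    for prof in root.findall(".//authentication-profile/entry"):
        name = prof.get("name")
        ref = prof.findtext("method/ldap/server-profile")
        if ref is None:
            continue  # local, RADIUS, Kerberos, ...: out of scope here
        if ref in ldap_domain and not ldap_domain[ref]:
            findings.append((f"auth-profile:{name}",
                             f"references LDAP profile {ref!r} whose Domain is empty"))
        for member in prof.findall("allow-list/member"):
            value = (member.text or "").strip()
            if value == "all":
                continue  # built-in keyword (assumed), no group lookup involved
            if DN_RE.match(value):
                findings.append((f"auth-profile:{name}",
                                 f"allow-list entry {value!r} is a DN; write it as domain\\group"))
            elif not GROUP_RE.match(value):
                findings.append((f"auth-profile:{name}",
                                 f"allow-list entry {value!r} is not in domain\\group form"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for obj, problem in lint_config(text) or [("-", "no findings")]:
        print(f"{obj}: {problem}")
```

Against the sample the linter reports three findings, all on the "-broken" pair, and nothing on the "-fixed" pair. If your export keeps these objects under a vsys rather than under shared, the `.//` prefix still finds them; only the tag names need to match.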
If you believe the configuration is correct, you can verify the whole authentication process from the logs on the CLI. While you are trying to connect via GP and authenticating, open a CLI session, run the command below and look for the information in this log:
"tail follow yes mp-log authd.log"
You can actually see the firewall sending the authentication requests to the LDAP server for the GP users and the LDAP server replying with the results.
OK, I did that, and got the following output.
Sep 21 13:37:48 pan_authd_service_req(pan_authd.c:2604): Authd:Trying to remote authenticate user: domain\darren.gibbs
Sep 21 13:37:48 pan_authd_service_auth_req(pan_authd.c:1115): AUTH Request <'vsys1','VPNUsers','domain\darren.gibbs'>
Sep 21 13:37:48 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3527): failed to fetch: NO_MATCHES
Sep 21 13:37:48 pan_authd_common_authenticate(pan_authd.c:1511): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:v:p:n:users_0,username domain\darren.gibbs
Sep 21 13:37:48 pan_authd_authenticate_service(pan_authd.c:663): authentication failed (6)
Sep 21 13:37:48 pan_authd_common_authenticate(pan_authd.c:1531): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:v:p:n:users_0,username domain\darren.gibbs failed - trying other hosts
Sep 21 13:37:48 pan_authd_common_authenticate(pan_authd.c:1506): Skipping LDAP server due to missing Auth-Profile: pan_ldap_vsys1_:v:p:n:users_1
Sep 21 13:37:48 pan_authd_common_authenticate(pan_authd.c:1506): Skipping LDAP
Now, the errors tell me there's obviously something wrong - but I can't figure out what. I'm sure it's something simple, but I'm stuffed if I know what.
Any ideas will be tried.
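The authd.log lines posted above are easier to read when grouped per authentication attempt. The script below is an added example written for this thread, not Palo Alto's tooling: its patterns are taken only from the line shapes shown in this thread (the "Trying to remote authenticate user" header, the "AUTH Request" tuple, "failed to fetch", the PAM service line, "authentication failed (N)" and the "Skipping LDAP server" line). The sample log is constructed from those lines with the user sanitised; the pan_authd.c line numbers are just what the poster's firewall printed. Because no success line appears in the thread, anything without a failure line is reported as "no outcome logged" rather than guessed at.

```python
"""Summarise PAN-OS authd.log output (what 'tail follow yes mp-log authd.log'
prints) per authentication attempt.  Added example for this thread; the
regexes are derived only from the line shapes posted above."""
import re

# Constructed sample, copied in shape from the thread's output with the user
# sanitised to domain\first.last.
SAMPLE_LOG = """\
Sep 21 13:37:48 pan_authd_service_req(pan_authd.c:2604): Authd:Trying to remote authenticate user: domain\\first.last
Sep 21 13:37:48 pan_authd_service_auth_req(pan_authd.c:1115): AUTH Request <'vsys1','VPNUsers','domain\\first.last'>
Sep 21 13:37:48 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3527): failed to fetch: NO_MATCHES
Sep 21 13:37:48 pan_authd_common_authenticate(pan_authd.c:1511): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:v:p:n:users_0,username domain\\first.last
Sep 21 13:37:48 pan_authd_authenticate_service(pan_authd.c:663): authentication failed (6)
Sep 21 13:37:48 pan_authd_common_authenticate(pan_authd.c:1531): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:v:p:n:users_0,username domain\\first.last failed - trying other hosts
Sep 21 13:37:48 pan_authd_common_authenticate(pan_authd.c:1506): Skipping LDAP server due to missing Auth-Profile: pan_ldap_vsys1_:v:p:n:users_1
"""

TRY_RE = re.compile(r"Trying to remote authenticate user: (\S+)")
REQUEST_RE = re.compile(r"AUTH Request <'([^']*)','([^']*)','([^']*)'>")
FETCH_RE = re.compile(r"failed to fetch: (\S+)")
SERVICE_RE = re.compile(r"Authenticating user using service ([^,\s]+),username")
FAILED_RE = re.compile(r"authentication failed \((\d+)\)")
SKIP_RE = re.compile(r"Skipping LDAP server due to missing Auth-Profile: (\S+)")


def parse_attempts(text):
    """Group lines into attempts, one per 'Trying to remote authenticate user'."""
    attempts, cur = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if m := TRY_RE.search(line):
            cur = {"user": m.group(1), "vsys": None, "profile": None,
                   "services": [], "fetch_errors": [], "failures": [], "skipped": []}
            attempts.append(cur)
        elif cur is None:
            continue  # lines before the first attempt header
        elif m := REQUEST_RE.search(line):
            cur["vsys"], cur["profile"], _ = m.groups()
        elif m := FETCH_RE.search(line):
            cur["fetch_errors"].append(m.group(1))
        elif m := SERVICE_RE.search(line):
            # the 'failed - trying other hosts' line repeats the service name
            if m.group(1) not in cur["services"]:
                cur["services"].append(m.group(1))
        elif m := FAILED_RE.search(line):
            cur["failures"].append(int(m.group(1)))
        elif m := SKIP_RE.search(line):
            cur["skipped"].append(m.group(1))
    return attempts


def verdict(attempt):
    """'failed' when authd logged a PAM failure, otherwise 'no outcome logged'."""
    return "failed" if attempt["failures"] else "no outcome logged"


def report(attempt):
    """One readable block per attempt."""
    lines = [f"{attempt['user']} via {attempt['profile']} ({attempt['vsys']}): {verdict(attempt)}"]
    for svc in attempt["services"]:
        lines.append(f"  tried PAM service {svc}")
    lines.append(f"  PAM failure codes: {attempt['failures'] or '-'}")
    if attempt["fetch_errors"]:
        lines.append(f"  fetch errors: {', '.join(attempt['fetch_errors'])}")
    for svc in attempt["skipped"]:
        lines.append(f"  skipped {svc} (no Auth-Profile for it)")
    return "\n".join(lines)


if __name__ == "__main__":
    for attempt in parse_attempts(SAMPLE_LOG):
        print(report(attempt))
```

Pipe a saved tail of authd.log into it (replace SAMPLE_LOG with the file contents) and each login attempt shows up as one block: which profile and vsys handled it, which PAM service was tried, the failure code, and which servers were skipped.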
I just had a thought.
What path are these authentication requests passed through? The management interface, or the actual dataplane interface? I have the management interface connected and able to talk to the domain controller, but the dataplane interfaces are only connected to dummy ports on a stand-alone switch (to bring them up), they're not actually connected to the live network.
Could this be causing the problem, or would the authentication be handled over the management interface?
The authentication requests to the domain controller are passed through the mgmt interface. Just curious: you said you have the dataplane interfaces connected to dummy interfaces? Then how are the GP clients connecting to the firewall?
From the previous logs I see that the actual user information is being sent to the LDAP server and it seems like the server is not able to match the user info.
There are no "clients" - there is one "client" - me. 🙂 I've plugged my laptop direct into the "outside" interface and assigned it my Internet router's IP address, so it's "pretending" to be the Internet.
The source packet is coming from an external address, so the firewall just sees the client as another outside IP.
I don't know how the server is not matching the username - I can list the users in the group from the CLI, and the username I'm entering is in the group.
Is there some way to debug the agent on the server which might shed some light?
We can try these things and see if they help:
1) On the LDAP server you can go to the security events of the server and look for the login auth tickets, and see if the server is actually getting the LDAP queries from the firewall and, if so, the reason for the denial of the user.
In the document below you can find the actual event IDs for logon/logoff events on the Windows server.
2) We can try removing the LDAP filter for users in the authentication profile, allowing all users temporarily, and then authenticate and see if that works.
Well, I know the LDAP server is working because if I add individual users into the "allow" list one at a time, they authenticate properly.
It just won't enumerate the group members.
I can work around it, but I'd really like to know WHY I can't use an AD group membership for authentication.