03-21-2023 05:02 AM - edited 03-21-2023 05:07 AM
I have a Pa-850 running 10.1.8 and globalprotect 5.2.6-87.
My issue appears whenever I try to assign different "Agent->Client settings" at the gateway level based on an AD group.
The portal is configured to authenticate against Azure AD using SAML. Later the gateway is also configured to authenticate against Azure SAML.
Our local PaloAlto partner suggested configuring the gateway to authenticate against our local LDAP. When I do so, global protect client fails to authenticate the user and a prompt is shown waiting for a user and password.
Any ideas or suggestions about what I might be doing wrong?
03-21-2023 08:31 AM
Hi @JoseCortijo ,
First let me clarify GP portal/gateway authentication and GP portal/gateway agent config are two different thinks. Speaking in correct terminology those are authentication and authorization:
- Azure AD over SAML will provide user authentication
- GP portal/gateway Agent -> client settings based on AD group could be considered as authorization - different GP config and IP range based on group membership.
Group membership checking is done by Group Mapping. Until PanOS 10.1, FW was supporting only LDAP queries for collecting groups and group membership from local AD. You can use LDAP for GP authentication and group mapping, but it is not required. You should be able to use SAML for authentication and LDAP for group mapping.
If you already use AzureAD I would suggest you to consider Learn About the Cloud Identity Engine (paloaltonetworks.com)
Running PanOS 10.1+ you can Cloud Identity Engine (CIE) for group mapping as well. Basically your set up would be:
1. Activate and create Cloud Identity Engine app
2. Connect CIE with your AzureAD
3. Configure your FW to use the CIE. This will allow FW to collect group mapping from CIE and will not require LDAP profile
4. Configure AzureAD for SAML authentication to GP portal and gateway
5. Configure GP agent client config based on AD groups from CIE
03-21-2023 09:56 AM
thanks a lot for the clarification and nice to know about CIE. Unfortunately I cannot move to CIE at the moment.
Our fw are running 10.1.8 so I should be able to authenticate with SAML and authorize with LDAP, but unfortunately, it does not work. Could you help me to troubleshoot what is failing? I went through global protect logs but found nothing that caught my attention.
In the fw side I don't know where I could find some debug information related to the issue.
Do you think it would be a good idea go up to 10.2 version? might it help with this issue?
03-21-2023 10:24 AM
Hi @JoseCortijo ,
It is not necessary to move to newer versions, SAML authentication + LDAP group mapping is supported and working solution for very long time and moving to 10.2 would bring benefit - in my personal opinion.
If you dig around the forum you could find that the most common problem is the username format that SAML provide when authenticating the user and creating user-ip-mapping and the username format provided by the group mapping.
I would expect that SAML is using userPrincipleName (UPN) format - you should be able to confirm this by:
- Checking your GP logs, what is the username from the logs?
- Checking your User-ID logs
- Under the definition for the Enterprise Application in AzureAD (Enterprise Applications -> <your-gp-saml-app> -> Single sign-on -> Attributes and & Claims
- Under the Authentication Profile, check what you are using for username attribute (should be username by default)
For the Group mapping you probably collect only sAMAccountName (SAM) as primary user attribute. You should be able to confirm by:
- Check your group mapping profile (Device -> User Identification -> Group Mapping -> <your-profile> -> User and Group Attributes
- Check under CLI how FW is listing group members
> show user group list | match <test-group>
> show user group name "<full-group-dn-from-above-command>"
As you can see in the Group Mapping profile you can define three alternative username attributes. This is because since several PanOS versions, FW is capable to use multiple user attributes and successfully map all to the same user. You can check all the attributes that FW is able to collect under CLI:
> show user user-attributes user <username>
In addition you may need to check if FW is able to collect All about User-ID domain map - Knowledge Base - Palo Alto Networks
It is important for the FW to be able to correctly map domain name in FQDN and NetBios format.
- What format are you seeing the username after SAML authentication?
- Do you see the same attribute already collected by Group Mapping (> show user user-attributes user )?
- Does FW correctly collect User-ID domain map?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!