Can't connect user group is fine but Agent Policy does not match

Hello, I'm running out of ideas to troubleshoot a GP connection problem. I have a user that is in an AD group uservpn (checked on the CLI and it's fine). I added this group to the Portal and GW configuration and I can't connect. If I leave "any" for the config under user/user group for the Portal and Gateway, it works. I see the user has this group on the CLI, but somehow the firewall can't make the association on login.

 

{"level":"info","time":"2023-12-05T12:25:17.046726663+01:00","message":"loadGlobalRegionFile: global region file not changed, skip building the trie"}
{"level":"info","time":"2023-12-05T12:25:52.806664649+01:00","message":"ConfigPhase2: received config phase2"}
{"level":"info","time":"2023-12-05T12:25:52.806820918+01:00","message":"ConfigPhase2: phase2 done, switched to new config ts:1701775516, version:94 (MaxTaskCount:1000 MaxAuthReqCount:4096)"}
{"level":"error","task":"439-5","time":"2023-12-05T12:27:16.5756033+01:00","message":"GetPortalClientConfig: portal CHLC_Portal was found, but no client config for req &{X.X.X.X luis.arizaga  Windows 1ZP5FK3  false   false  false false}"}
{"level":"error","task":"439-5","time":"2023-12-05T12:27:16.57613947+01:00","message":"authLoop write: failed to send data to unixgram:@/tmp/authd.sock, error: write unixgram @/tmp/authd_client_GP_socket_1701775066.sock->@/tmp/authd.sock: write: connection refused"}
{"level":"error","time":"2023-12-05T12:27:16.576966802+01:00","message":"authLoop read: failed to receive data from auth, error: read unixgram @/tmp/authd_client_GP_socket_1701775066.sock->@/tmp/authd.sock: use of closed network connection"}
{"level":"error","time":"2023-12-05T12:27:17.577205202+01:00","message":"authLoop: connection to authd is broken, reconnecting"}
{"level":"info","time":"2023-12-05T12:27:17.577584189+01:00","message":"authLoop: connection to authd is established"}
{"level":"error","task":"439-5","time":"2023-12-05T12:27:17.628630724+01:00","message":"GetPortalClientConfig: portal CHLC_Portal was found, but no client config for req &{X.X.X.X luis.arizaga  Windows 1ZP5FK3  false   false  false false}"}
{"level":"error","task":"439-5","time":"2023-12-05T12:27:17.629557248+01:00","message":"gpGetconfig: Failed to get portal config"}

Does anyone have a suggestion about how to troubleshoot this?

Thanks for your time.

Regards,

Luis

 

 

Accepted Solutions

Cyber Elite

Does the username contained inside the group (show user group name <yourgrouphere>) match EXACTLY with the username the authentication profile is receiving?

If group mapping has you as domain\user and your auth profile receives user@domain, that is not a match.

You can fix that by changing the username modifier in the authentication profile, or changing the group mapping user attribute.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
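
One way to run the exact-match check described in the answer above, as an added example that is not part of the original thread and not Palo Alto Networks code: it pulls the username out of the GetPortalClientConfig error lines and compares it with a group member list. It assumes the second field of the logged request is the username as received; the domain `example` and the member list are constructed sample values.

```python
import json
import re

# Matches the request struct printed in the page's GetPortalClientConfig error.
# Assumption: the second whitespace-separated field is the username as received.
REQ_RE = re.compile(r"no client config for req &\{(\S+)\s+(\S+)")

def usernames_without_config(log_lines):
    """Return usernames the portal received but found no client config for."""
    seen = []
    for line in log_lines:
        try:
            msg = json.loads(line).get("message", "")
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON log records
        m = REQ_RE.search(msg)
        if m and m.group(2) not in seen:
            seen.append(m.group(2))
    return seen

def bare_name(name):
    """Strip a domain\\user prefix or a user@domain suffix and lowercase."""
    name = name.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    return name.split("@", 1)[0]

def diagnose(received, group_members):
    """Classify why a received username did not match the group list."""
    if received in group_members:
        return "exact-match"
    same_user = [m for m in group_members if bare_name(m) == bare_name(received)]
    if same_user:
        return "format-mismatch: group lists " + ", ".join(same_user)
    return "not-a-member"

# Constructed sample input: one log line in the shape shown on the page, and
# group members as they might be copied from 'show user group name <group>'.
SAMPLE_LOG = [
    '{"level":"error","task":"439-5","time":"2023-12-05T12:27:16+01:00",'
    '"message":"GetPortalClientConfig: portal CHLC_Portal was found, but no '
    'client config for req &{X.X.X.X luis.arizaga  Windows 1ZP5FK3  false}"}',
]
SAMPLE_MEMBERS = ["example\\luis.arizaga", "example\\other.user"]

if __name__ == "__main__":
    for user in usernames_without_config(SAMPLE_LOG):
        print(user, "->", diagnose(user, SAMPLE_MEMBERS))
```

A "format-mismatch" result means the user is in the group but under a different name format, which is the case the username modifier or the group mapping user attribute resolves; "not-a-member" points at group membership itself.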

Indeed Reaper, I've solved this with the following steps, thanks!

I don't understand why it works but it does. Thanks.

 
