"You are not authorized to connect to GlobalProtect Portal"


L2 Linker

Hello Everyone,

 

I had global-protect working perfectly.  Two days ago however something happened (not sure what caused the problem) and I'm unable to connect to GP anymore.  I always get the error: "You are not authorized to connect to GlobalProtect Portal". The weird thing is that in the system logs there are no error messages relating to GP, I actually get an "auth-success" event for every attempted login where I'm presented with "You are not authorized to connect to GlobalProtect Portal"!

 

I'm using a local user, followed the same instructions I used to get it working the first time, (here: https://blog.fuelusergroup.org/how-to-set-up-globalprotect-on-a-palo-alto-firewall-2) and to the best of my recollection I haven't changed anything relating to GP functionality, but nothing gets me beyond that error message!  I'm pulling my hair out because it was not hard to get this working the first time, and why I should be getting this error now is incredibly confusing!

 

Any help you can provide would be much appreciated!  Thanks!!

Accepted Solutions

Hi @RSteffens 

According to these screenshots I assume the problem is your authentication profile. There is a dropdown field for "Type" where you need to choose local database to tell the firewall the source of your users. After changing that, global protect should ask you for username and password. This should work also without specifying a username attribute in the certificate profile.


18 REPLIES

L2 Linker

PS: I've double checked against two other PA guides: 

https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-initial-set-up/ta-p/322232

and

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClH2CAK

All my settings are correct, exactly as outlined in these documents.   What else should I check?

Hi @RSteffens 

Are you the only one who configures this firewall or did maybe another admin change something? Is there something in the config log?

Specifically related to the "not authorized" message: is there a specific group or user configured in the auth profile or in the global protect agent configuration?

Hi!  No I'm the only admin.  It's got to be something I changed somewhere, or else an update that nuked things.  Yes, the authorize message is linked to the only user account who has GP access for offsite management, we have no other GP users. 

L2 Linker

So I deleted the settings, GP portal, etc and completely rebuilt the GP infrastructure from the ground up.  But now I'm getting these errors when I commit:

  • GlobalProtect portal(.......)setting is invalid: auth-profile exist(method none), client-cert-profile none no username. (Module: sslvpn)
  • GlobalProtect gateway(.......) setting is invalid: auth-profile exist(method none), client-cert-profile none no username.(Module: rasmgr)

Anyone know what the problem is?

 

Randy

So you double-checked that this one user is configured in the authentication profile (or then set to all users) and the same in the global protect portal agent configuration?

Do you want to use an authentication profile for your local user or certificates for the vpn connection? Or both?

L2 Linker

Hi Everyone - I am wanting to use auth profile AND client certificates (with cert profile).  I figured out that if I re-issue the client cert with a CN that is the same as the name of my user who wants to log in, and change the cert profile username to Subject (instead of none), everything works and I don't get the error above!  I'm able to get in that way.

 

Only thing is, I'm never prompted to enter the user's password.  I'd still like to be prompted for the actual user password as well in order for them to log in.  Do you know if this is possible, when authenticating with an auth profile + client cert profile as I've outlined above?

 

Do you think GP authentication using an auth profile + client cert profile as implemented above is a secure enough way to manage the PA remotely? 

 

Thanks!

 

Hi @RSteffens 

Did you set the option "Allow Authentication with User Credentials OR Client Certificate" to no in the portal and gateway authentication tab?

L2 Linker

Yes!  It's set to "no" in both portal and gateway.  I am authenticated with that setup, but without ever entering the password of the user.  But I want to enter the user password as part of authentication. 
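
The three configuration states this thread passes through, as an added example that is not part of the original posts and is not Palo Alto Networks code. It is a small Python check over a simplified, constructed settings model (all field names are hypothetical, not the PAN-OS schema) that reports which factors a portal or gateway would actually require at login.

```python
# Added example. Simplified, constructed model; field names are hypothetical
# and are not the PAN-OS configuration schema.

def effective_auth(component, auth_profiles, cert_profiles):
    """Classify what one portal or gateway entry actually requires at login."""
    profile = auth_profiles.get(component.get("auth_profile"), {})
    has_password = profile.get("method", "none") != "none"
    cert = cert_profiles.get(component.get("cert_profile"))
    cert_names_user = bool(cert) and cert.get("username_field", "none") != "none"
    if not has_password and not cert_names_user:
        return "invalid"        # nothing supplies a username: the commit error
    if not has_password:
        return "cert-only"      # username read from the cert, no password prompt
    if cert is None:
        return "password-only"
    if component.get("allow_cred_or_cert", False):
        return "either"         # credentials OR certificate is enough
    return "cert+password"      # both factors required


def audit(config):
    """Return {component name: classification} for every portal/gateway."""
    return {name: effective_auth(comp, config["auth_profiles"], config["cert_profiles"])
            for name, comp in config["components"].items()}


def make_config(method, username_field, allow_or=False):
    """Build a constructed config with one portal and one gateway sharing profiles."""
    comp = {"auth_profile": "gp-auth", "cert_profile": "gp-cert",
            "allow_cred_or_cert": allow_or}
    return {"auth_profiles": {"gp-auth": {"method": method}},
            "cert_profiles": {"gp-cert": {"username_field": username_field}},
            "components": {"portal": dict(comp), "gateway": dict(comp)}}


# Constructed states mirroring the thread, in order.
STATES = {
    "rebuilt (commit error)": make_config("none", "none"),
    "cert CN = username": make_config("none", "subject"),
    "accepted solution": make_config("local-database", "none"),
}

if __name__ == "__main__":
    for label, cfg in STATES.items():
        print(f"{label}: {audit(cfg)}")
```

Anything other than `cert+password` on either the portal or the gateway means a single factor is enough to log in, which is the condition to look for when the VPN is used for remote firewall management.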
