05-31-2021 10:08 AM
Hello Everyone,
I had GlobalProtect working perfectly. Two days ago however something happened (not sure what caused the problem) and I'm unable to connect to GP anymore. I always get the error: "You are not authorized to connect to GlobalProtect Portal". The weird thing is that in the system logs there are no error messages relating to GP; I actually get an "auth-success" event for every attempted login where I'm presented with "You are not authorized to connect to GlobalProtect Portal"!
I'm using a local user, followed the same instructions I used to get it working the first time, (here: https://blog.fuelusergroup.org/how-to-set-up-globalprotect-on-a-palo-alto-firewall-2) and to the best of my recollection I haven't changed anything relating to GP functionality, but nothing gets me beyond that error message! I'm pulling my hair out because it was not hard to get this working the first time, and why I should be getting this error now is incredibly confusing!
Any help you can provide would be much appreciated! Thanks!!
05-31-2021 10:25 AM
PS: I've double checked against two other PA guides:
https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-initial-set-up/ta-p/322232
and
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClH2CAK
All my settings are correct, exactly as outlined in these documents. What else should I check?
05-31-2021 12:25 PM
Hi @pomologist
Are you the only one who configures this firewall, or did maybe another admin change something? Is there something in the config log?
Specifically related to the "not authorized" message: is there a specific group or user configured in the auth profile or in the GlobalProtect agent configuration?
05-31-2021 02:11 PM
Hi! No I'm the only admin. It's got to be something I changed somewhere, or else an update that nuked things. Yes, the authorize message is linked to the only user account who has GP access for offsite management, we have no other GP users.
05-31-2021 02:41 PM
So I deleted the settings, GP portal, etc and completely rebuilt the GP infrastructure from the ground up. But now I'm getting these errors when I commit:
Anyone know what the problem is?
Randy
05-31-2021 02:42 PM
So you double-checked that this one user is configured in the authentication profile (or that it is set to all users) and the same in the GlobalProtect portal agent configuration?
05-31-2021 02:43 PM
Do you want to use an authentication profile for your local user or certificates for the vpn connection? Or both?
06-01-2021 10:57 AM
Hi Everyone - I am wanting to use auth profile AND client certificates (with cert profile). I figured out that if I re-issue the client cert with a CN that is the same as the name of my user who wants to log in, and change the cert profile username to Subject (instead of none), everything works and I don't get the error above! I'm able to get in that way.
Only thing is, I'm never prompted to enter the user's password. I'd still like to be prompted for the actual user password as well in order for them to log in. Do you know if this is possible, when authenticating with an auth profile + client cert profile as I've outlined above?
Do you think GP authentication using an auth profile + client cert profile as implemented above is a secure enough way to manage the PA remotely?
Thanks!
06-01-2021 04:16 PM
Hi @pomologist
Did you set the option "Allow Authentication with User Credentials OR Client Certificate" to no in the portal and gateway authentication tab?
06-01-2021 04:21 PM - edited 06-01-2021 04:22 PM
Yes! It's set to "no" in both portal and gateway. I am authenticated with that setup, but without ever entering the password of the user. But I want to enter the user password as part of authentication.
06-01-2021 04:25 PM
I understand. Sorry if some questions sound a little dumb, but I just want to make sure that there is nothing missed right at the beginning while you maybe troubleshoot somewhere else.
Would it be possible that you share screenshots of the authentication profile and global protect portal/gateway configuration?
06-01-2021 05:04 PM - edited 06-08-2021 02:32 PM
No worries! Thank you for your help. Attached are photos.
06-01-2021 07:16 PM
Hi @pomologist
According to these screenshots I assume the problem is your authentication profile. There is a dropdown field for "Type" where you need to choose Local Database to tell the firewall the source of your users. After changing that, GlobalProtect should ask you for username and password. This should work also without specifying a username attribute in the certificate profile.
06-02-2021 02:40 AM
OK, perhaps go back a step, as I got myself a bit confused here...
these errors...
This is probably because you were missing or failed to add an auth profile; that's why, when you set the cert profile to Subject, it started working, albeit without username and password...
So I would delete the auth profile and create a new one with your local user database, and leave the Advanced tab set to "all" for now....
Add a new portal with the new auth profile included and the certificate profile set to "None" in the username field...
Start from there and we can do some diags when it fails on "not authorized".
06-02-2021 04:23 AM
That was it! Totally obvious - "type" needed to be set to local database. I have no idea how I overlooked that! Thank you so much!
One other question while I'm at it. Under the GlobalProtect portal agent configs (first screenshot above), is it important to check "Install in Local Root Certificate Store" for the "Trusted Root CAs"? I have already installed those (PA-generated, self-signed) root CAs manually on the computer I'll be using for remote access, I'm the only GP user, and I'm using GP on only one single device.
Thanks!
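The thread turns on two settings: the authentication profile's "Type" (no user source means nobody can be authorized, even while the auth log records success) and the portal/gateway option "Allow Authentication with User Credentials OR Client Certificate" (set to No when both factors should be required). The script below audits an exported PAN-OS XML configuration for exactly those points. It is an added example, not code from the thread or from Palo Alto Networks. The sample config, the profile and portal names, and the XML element layout (`shared/authentication-profile/entry/method`, `certificate-profile/entry/username-field`, `portal-config/client-auth/entry/user-credential-or-client-cert-required`) are assumptions modelled on what a `show config running` export looks like; check them against your own export before relying on the output.

```python
"""Audit a PAN-OS XML config export for the GlobalProtect settings discussed in
the thread. Added example, not code from the thread or from Palo Alto Networks.
The XML element names/paths below are ASSUMPTIONS modelled on running-config
exports; verify them against your own firewall's export."""
import xml.etree.ElementTree as ET

# Constructed sample config (not from the thread). GP-Portal reproduces the broken
# state: its auth profile has no <method> (the "Type" dropdown left unset) and the
# "credentials OR client certificate" option is yes. GP-Portal-Fixed references a
# local-database profile and has the OR option set to no.
SAMPLE_CONFIG = """<config>
  <shared>
    <authentication-profile>
      <entry name="GP-Auth">
        <allow-list><member>all</member></allow-list>
      </entry>
      <entry name="GP-Auth-Local">
        <method><local-database/></method>
        <allow-list><member>all</member></allow-list>
      </entry>
    </authentication-profile>
    <certificate-profile>
      <entry name="GP-CertProfile">
        <username-field><subject>common-name</subject></username-field>
      </entry>
    </certificate-profile>
  </shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <global-protect><global-protect-portal>
      <entry name="GP-Portal">
        <portal-config>
          <client-auth><entry name="default">
            <authentication-profile>GP-Auth</authentication-profile>
            <user-credential-or-client-cert-required>yes</user-credential-or-client-cert-required>
          </entry></client-auth>
          <certificate-profile>GP-CertProfile</certificate-profile>
        </portal-config>
      </entry>
      <entry name="GP-Portal-Fixed">
        <portal-config>
          <client-auth><entry name="default">
            <authentication-profile>GP-Auth-Local</authentication-profile>
            <user-credential-or-client-cert-required>no</user-credential-or-client-cert-required>
          </entry></client-auth>
          <certificate-profile>GP-CertProfile</certificate-profile>
        </portal-config>
      </entry>
    </global-protect-portal></global-protect>
  </entry></vsys></entry></devices>
</config>"""


def _entries(root, path):
    """Map entry name -> element for a PAN-OS <container><entry name="..."> list."""
    container = root.find(path)
    return {} if container is None else {e.get("name"): e for e in container.findall("entry")}


def audit_portal(root, portal):
    """Return (level, message) findings for one <global-protect-portal><entry>."""
    auth_profiles = _entries(root, ".//shared/authentication-profile")
    cert_profiles = _entries(root, ".//shared/certificate-profile")
    findings = []
    pc = portal.find("portal-config")
    if pc is None:
        return [("ERROR", "portal has no portal-config")]
    for ca in pc.findall("client-auth/entry"):
        ref = ca.findtext("authentication-profile")
        prof = auth_profiles.get(ref)
        if prof is None:
            findings.append(("ERROR", f"auth profile {ref!r} referenced but not defined"))
        else:
            method = prof.find("method")
            if method is None or len(method) == 0:
                # No user source: nobody can be matched, so every login is refused.
                findings.append(("ERROR", f"auth profile {ref}: Type (method) not set"))
            else:
                findings.append(("OK", f"auth profile {ref}: type {method[0].tag}"))
            allow = [m.text for m in prof.findall("allow-list/member")]
            findings.append(("INFO", f"auth profile {ref}: allow-list {allow or 'empty'}"))
        if ca.findtext("user-credential-or-client-cert-required", "no") == "yes":
            findings.append(("WARN", "credentials OR client cert: either alone logs the user in"))
        else:
            findings.append(("OK", "credentials AND client cert both required"))
    cp_ref = pc.findtext("certificate-profile")
    cp = cert_profiles.get(cp_ref)
    if cp_ref and cp is None:
        findings.append(("ERROR", f"certificate profile {cp_ref!r} referenced but not defined"))
    elif cp is not None:
        uf = cp.find("username-field")
        if uf is None or len(uf) == 0:
            findings.append(("INFO", f"cert profile {cp_ref}: username field None"))
        else:
            findings.append(("INFO", f"cert profile {cp_ref}: username from {uf[0].tag} {uf[0].text}"))
    return findings


def audit_config(xml_text):
    """Audit every GlobalProtect portal; returns {portal name: [findings]}."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): audit_portal(root, p)
            for p in root.findall(".//global-protect-portal/entry")}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name)
        for level, msg in findings:
            print(f"  [{level}] {msg}")
```

Run it against a real export by replacing `SAMPLE_CONFIG` with the file contents. An ERROR on the auth profile's Type is the thread's original symptom; a WARN on the OR option means a client certificate alone would log a user in with no password prompt, which is what the poster wanted to avoid.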