"You are not authorized to connect to GlobalProtect Portal"

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

"You are not authorized to connect to GlobalProtect Portal"

L3 Networker

Hello Everyone,

 

I had global-protect working perfectly.  Two days ago however something happened (not sure what caused the problem) and I'm unable to connect to GP anymore.  I always get the error: "You are not authorized to connect to GlobalProtect Portal". The weird thing is that in the system logs there are no error messages relating to GP, I actually get an "auth-sucess" event for every attempted login where i'm presented with "You are not authorized to connect to GlobalProtect Portal"!

 

I'm using a local user, followed the same instructions I used to get it working the first time, (here: https://blog.fuelusergroup.org/how-to-set-up-globalprotect-on-a-palo-alto-firewall-2) and to the best of my recollection I haven't changed anything relating to GP functionality, but nothing gets me beyond that error message!  I'm pulling my hair out because it was not hard to get this working the first time, and why I should be getting this error now is incredibly confusing!

 

Any help you can provide would be much appreciated!  Thanks!!

1 accepted solution

Accepted Solutions

Hi @RSteffens 

According to these screenshots I assume the problem is your authenticarion profile. There is a dropdown field for "Type" where you need to choose local database to tell the firewall the source of your users. After changing that, global protect should ask you for username and password. This should work also without specifying a username attribute in the certificate profile.

View solution in original post

18 REPLIES 18

L3 Networker

PS: I've double checked against two other PA guides: 

https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-initial-set-up/ta-p/322232

and

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClH2CAK

All my settings are correct, exactly as outlined in these documents.   What else should I check?

Hi @RSteffens 

Are you the only one who configures thisbfirewall or did maybe another admin change something? Is there something in the config log?

Specifically related the not autorizes message: is there a specific group or user configured in the auth profile or in the global protect agen configuration?

Hi!  No I'm the only admin.  It's got to be something I changed somewhere, or else an update that nuked things.  Yes, the authorize message is linked to the only user account who has GP access for offsite management, we have no other GP users. 

L3 Networker

So I deleted the settings, GP portal, etc and completely rebuilt the GP infrastructure from the ground up.  But now I'm getting these errors when I commit:

  • GlobalProtect portal(.......)setting is invalid: auth-profile exist(method none), client-cert-profile none no username. (Module: sslvpn)
  • GlobalProtect gateway(.......) setting is invalid: auth-profile exist(method none), client-cert-profile none no username.(Module: rasmgr)

Anyone know what the problem is?

 

Randy

So you doublechecked that this one user is configured in the authentication profile (or then set to all users) and the same in the global protect portal agent configuration?

Do you want to use an authentication profile for your local user or certificates for the vpn connection? Or both?

L3 Networker

Hi Everyone - I am wanting to use auth profile AND client certificates (with cert profile).  I figured out that if I re-issue the client cert with a CN that is the same as the name of my user who wants to log in, and change the cert profile username to Subject (instead of none), everything works and I don't get the error above!  I'm able to get in that way.

 

Only thing is, I'm never prompted to enter the user's password.  I'd still like to be prompted for the actual user password as well in order for them to log in.  Do you know if this is possible, when authenticating with an auth profile + client cert profile as I've outlined above?

 

Do you think GP authentication using a auth profile + client cert profile as implemented above, is a secure enough way to manage the PA remotely? 

 

Thanks!

 

Hi @RSteffens 

Did you set the option "Allow Authentication with User Credentials OR Client Certificate" to no in the portal and gateway authentication tab?

L3 Networker

Yes!  It's set to "no" in both portal and gateway.  I am authenticated with that setup, but without ever entering the password of the user.  But I want to enter the user password as part of authentication. 

I understand. Sorry if some questions sound a little dumb, but I just want to make sure that there is nothing missed right at the beginning while you maybe troubleshoot somewhere else.

Would it be possible that you share screenshots of the authentication profile and global protect portal/gateway configuration?

L3 Networker

No worries!  Thank you for your help.  Attached are photos. 

Hi @RSteffens 

According to these screenshots I assume the problem is your authenticarion profile. There is a dropdown field for "Type" where you need to choose local database to tell the firewall the source of your users. After changing that, global protect should ask you for username and password. This should work also without specifying a username attribute in the certificate profile.

ok perhaps go back a step as got myself a bit confused here...

these errors...

 

  • GlobalProtect portal(.......)setting is invalid: auth-profile exist(method none), client-cert-profile none no username. (Module: sslvpn)
  • GlobalProtect gateway(.......) setting is invalid: auth-profile exist(method none), client-cert-profile none no username.(Module: rasmgr)

this is probably because you were missing or failed to add an auth profile, thats why when you set the cert profile to subject it started working, albeit without username and password...   

 

so i would delete the auth profile and create a new one with your local user database and leave the advanced tab to "all" for now....

add a new portal with the new auth profile included and the certificate profile set to  "None" in the username field...

 

start from there and we can do some diags when it fails on "not authorized" 

L3 Networker

That was it!   Totally obvious - "type" needed to be set to local database.  I have no idea how I overlooked that! Thank you so much!

 

One other question while I'm at it.  Under the global protect portal agent configs (first screenshot above), is it important to check "install in local root certificate store" for the "Trusted Root CA's"?  I have already installed those (PA generated, self signed) root CA's manually on the computer I'll be using for remote access, and I'm the only GP user, and using GP on only one single device.   

 

Thanks!

  • 1 accepted solution
  • 17408 Views
  • 18 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!