I had GlobalProtect working perfectly. Two days ago, however, something happened (not sure what caused the problem) and I'm unable to connect to GP anymore. I always get the error: "You are not authorized to connect to GlobalProtect Portal". The weird thing is that in the system logs there are no error messages relating to GP; I actually get an "auth-success" event for every attempted login where I'm presented with "You are not authorized to connect to GlobalProtect Portal"!
I'm using a local user, followed the same instructions I used to get it working the first time, (here: https://blog.fuelusergroup.org/how-to-set-up-globalprotect-on-a-palo-alto-firewall-2) and to the best of my recollection I haven't changed anything relating to GP functionality, but nothing gets me beyond that error message! I'm pulling my hair out because it was not hard to get this working the first time, and why I should be getting this error now is incredibly confusing!
Any help you can provide would be much appreciated! Thanks!!
According to these screenshots I assume the problem is your authentication profile. There is a dropdown field for "Type" where you need to choose Local Database to tell the firewall the source of your users. After changing that, GlobalProtect should ask you for username and password. This should work also without specifying a username attribute in the certificate profile.
PS: I've double checked against two other PA guides:
All my settings are correct, exactly as outlined in these documents. What else should I check?
Are you the only one who configures this firewall, or did maybe another admin change something? Is there something in the config log?
Specifically regarding the "not authorized" message: is there a specific group or user configured in the auth profile or in the GlobalProtect agent configuration?
So I deleted the settings, GP portal, etc and completely rebuilt the GP infrastructure from the ground up. But now I'm getting these errors when I commit:
Anyone know what the problem is?
Hi Everyone - I am wanting to use an auth profile AND client certificates (with a cert profile). I figured out that if I re-issue the client cert with a CN that is the same as the name of my user who wants to log in, and change the cert profile username field to Subject (instead of None), everything works and I don't get the error above! I'm able to get in that way.
Only thing is, I'm never prompted to enter the user's password. I'd still like to be prompted for the actual user password as well in order for them to log in. Do you know if this is possible, when authenticating with an auth profile + client cert profile as I've outlined above?
Do you think GP authentication using an auth profile + client cert profile as implemented above is a secure enough way to manage the PA remotely?
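The poster above got past the error by re-issuing the client certificate with a Subject CN equal to the local username and setting the certificate profile's username field to Subject. The script below is an added example, not code from the thread or from Palo Alto Networks: it reproduces that setup with OpenSSL in a throwaway directory (a lab CA, a client cert whose CN is the username) and then models the two checks a portal does with such a profile, chain validation against the profile's CA and a lookup of the extracted CN in the local user database. The CA name, the users "alice" and "mallory", and the `LOCAL_USERS` list are illustrative assumptions; only `openssl` on PATH is required.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl on PATH.
# Models: client cert issued by the lab CA with CN = local username,
# then the portal-side checks (chain valid? CN present in local DB?).
set -eu

WORK="${WORK:-$(mktemp -d)}"        # scratch dir for keys and certs
LOCAL_USERS="alice bob"             # constructed stand-in for the firewall's local database

# Lab CA standing in for the CA referenced by the certificate profile.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=gp-lab-ca" >/dev/null 2>&1
}

# Client cert whose Subject CN is exactly the username, signed by the lab CA.
issue_client_cert() {
  user="$1"
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$user.key" -out "$WORK/$user.csr" \
    -subj "/CN=$user" >/dev/null 2>&1
  openssl x509 -req -days 90 -in "$WORK/$user.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$user.crt" >/dev/null 2>&1
}

# A self-signed cert that claims CN=alice but is NOT issued by the lab CA.
issue_rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" \
    -subj "/CN=alice" >/dev/null 2>&1
}

# Check 1: certificate chains to the CA configured in the cert profile.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Username field = Subject: take the CN out of the Subject DN.
subject_cn() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Check 2: the extracted name must exist in the local database.
is_local_user() {
  case " $LOCAL_USERS " in
    *" $1 "*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Portal decision for a presented cert file "<name>.crt": 0 = authorized, 1 = not.
gp_login() {
  verify_chain "$1" || { echo "$1: chain does not validate"; return 1; }
  cn="$(subject_cn "$1")"
  [ -n "$cn" ] || { echo "$1: no CN in Subject"; return 1; }
  is_local_user "$cn" || { echo "$1: CN '$cn' not in local database"; return 1; }
  echo "$1: authorized as '$cn'"
}

make_ca
issue_client_cert alice      # CN matches a local user -> authorized
issue_client_cert mallory    # valid chain, CN unknown -> not authorized
issue_rogue_cert             # CN=alice but wrong issuer -> rejected at chain check
for c in alice mallory rogue; do
  if gp_login "$c"; then :; else :; fi
done
```

Note what the script makes visible: the rogue cert with CN=alice is rejected purely on the chain check, so the CA named in the certificate profile is the only thing standing between "anyone who can mint a cert with the right CN" and a login, and the "mallory" case shows that a valid chain alone is not enough once the extracted CN must also exist in the local database.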