About darren_g

Where do I do that? As far as I know, it is, but I followed a rather old document based on V3 PA software in setting this up, so I could have done something wrong somewhere. ... View more

In my previous (now deleted) reply, I've spoken too soon. when I hit the web portal (where you can download the GlobalProtect client from), it authenticates, and appears to work fine. When I actually use the GlobalProtect *client*, the authentication fails. This is what happens when I hit the web portal Nov 21 14:22:34 pan_get_ldap_ip(pan_authd_passwd.c:120): Reading file /etc/openldap/pan_ldap_vsys1_:v:p:n:users_0 Nov 21 14:22:34 pan_authd_bind(pan_authd_passwd.c:244): binding with binddn CN=Administrator,CN=Users,DC=domain,DC=corp Nov 21 14:22:34 pan_authd_ldap_search_result(pan_authd_passwd.c:357): searching base 'DC=domain,DC=corp' for (sAMAccountName=darren.gibbs) (userAccountControl) Nov 21 14:22:34 pan_authd_ldap_search_result(pan_authd_passwd.c:380): DN in entry CN=Darren Gibbs,OU=T,OU=BO,OU=AU,DC=domain,DC=corp Nov 21 14:22:34 process_ad_usracct(pan_authd_passwd.c:496): AD :Got value userAccountControl : 66048 Nov 21 14:22:34 pan_get_ad_passwd_expiry(pan_authd_passwd.c:687): userAccountControl = 66048 Nov 21 14:22:34 pan_get_ad_passwd_expiry(pan_authd_passwd.c:689): Password doesn't expire for username darren.gibbs Nov 21 14:22:34 authentication succeeded for user <vsys1,VPNUsers,domain\darren.gibbs> Nov 21 14:22:34 pan_authd_process_authresult(pan_authd.c:1318): pan_authd_process_authresult: domain\darren.gibbs authresult auth'ed Nov 21 14:22:34 Request received to unlock vsys1/VPNUsers/domain\darren.gibbs Nov 21 14:22:34 User 'aicorp\darren.gibbs' authenticated.   From: xxx.www.yyy.zzz. However, when I use the GlobalProtect CLIENT, this is what I get Nov 21 14:23:42 authd_sysd_localprofile_callback(pan_authd.c:3659): localprofile sync triggered via sysd Nov 21 14:23:42 authd_sysd_localprofile_callback(pan_authd.c:3679): get local info for vsys1/VPNUsers Nov 21 14:24:57 pan_authd_service_req(pan_authd.c:2683): Authd:Trying to remote authenticate user: darren.gibbs Nov 21 14:24:57 pan_authd_service_auth_req(pan_authd.c:1174): AUTH Request <'vsys1','VPNUsers','darren.gibbs'> Nov 21 14:24:57 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3606): failed to fetch: NO_MATCHES Nov 21 14:24:57 panauth:user <darren.gibbs,VPNUsers,vsys1> is not allowed Nov 21 14:24:57 pan_authd_process_authresult(pan_authd.c:1318): pan_authd_process_authresult: darren.gibbs authresult not auth'ed Nov 21 14:24:57 pan_authd_process_authresult(pan_authd.c:1342): Alarm generation set to: False. Nov 21 14:24:57 User 'darren.gibbs' failed authentication.  Reason: User is not in allowlist From: xxx.www.yyy.zzz So what gives? Why does it work with one authentication (via the web portal), and not with the actual VPN client?? Anyone? ... View more

Kevin. No good. Same result. Authentication failed. Darren ... View more

Currently, it's configured as a DN string. I will change to "domain\groupname" format and see how it goes. Thanks ... View more

Dominic Burns wrote: Also make sure the login name has nothing appended to it and matched the username in the group. From CLI:                         show user group name "nameofgroup" >> Make sure the name is listed there tail follow yes mp-log authd.log Then attempt to login and see if the username that is being received matches the same as the way it is displayed in the group listing. Dominic The first command definitely shows all users in the group concerned. [abbreviated and offuscated list] darren@Gate(active)> show user group name domain\vpn-users group short name: domain\vpn-users [...] [15    ] domain\darren.gibbs [...] So, you can see I am in the group, and the firewall recognises I am in the group. Doing the second (I removed myself from the individual allow-list configuration and relied on the AD group membership) got me this Nov 21 13:16:15 pan_authd_service_req(pan_authd.c:2683): Authd:Trying to remote authenticate user: darren.gibbs Nov 21 13:16:15 pan_authd_service_auth_req(pan_authd.c:1174): AUTH Request <'vsys1','VPNUsers','darren.gibbs'> Nov 21 13:16:15 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3606): failed to fetch: NO_MATCHES Nov 21 13:16:15 panauth:user <darren.gibbs,VPNUsers,vsys1> is not allowed Nov 21 13:16:15 pan_authd_process_authresult(pan_authd.c:1318): pan_authd_process_authresult: darren.gibbs authresult not auth'ed Nov 21 13:16:15 pan_authd_process_authresult(pan_authd.c:1342): Alarm generation set to: False. Nov 21 13:16:15 User 'darren.gibbs' failed authentication.  Reason: User is not in allowlist From: 110.142.210.164. Nov 21 13:16:15 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode Nov 21 13:16:15 pan_authd_generate_system_log(pan_authd.c:897): CC Enabled=False Nov 21 13:16:15 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode Any further suggestions welcomed. ... View more

4.1.9 now - was 4.1.7 at the time I posted the question ... View more

I have just got off the phone doing that. Thanks for the input. ... View more

You can sync is by using the HA widget from the GUI interface too - which I do - and it works fine. I'll log a case and see how I go. thanks. ... View more

Oh My. I managed to get her to run an "ipconfig". Her local segment is configured thusly IP : 10.1.1.4 Router : 10.1.1.1 Mask : 255.0.0.0 Yup, she's got her local router configured to allocate a whole class "A" subnet! Of course, this overlaps my 10.10.0.0/24 VPN network quite nicely, so I'd guess that's exactly why it's failing. Thanks for confirming what I thought was the problem. ... View more

Thanks. That was my first thought - I'm trying to get a remote user to work through running "ipconfig" and get the results. It promises to be a whole new adventure in troubleshooting pain! 🙂 I'll update once (if) I get a result. ... View more

Yeah, it's worked now, thanks. ... View more