About darren_g

Kevin. No good. Same result. Authentication failed. Darren ... View more

Currently, it's configured as a DN string. I will change to "domain\groupname" format and see how it goes. Thanks ... View more

Dominic Burns wrote: Also make sure the login name has nothing appended to it and matched the username in the group. From CLI:                         show user group name "nameofgroup" >> Make sure the name is listed there tail follow yes mp-log authd.log Then attempt to login and see if the username that is being received matches the same as the way it is displayed in the group listing. Dominic The first command definitely shows all users in the group concerned. [abbreviated and offuscated list] darren@Gate(active)> show user group name domain\vpn-users group short name: domain\vpn-users [...] [15    ] domain\darren.gibbs [...] So, you can see I am in the group, and the firewall recognises I am in the group. Doing the second (I removed myself from the individual allow-list configuration and relied on the AD group membership) got me this Nov 21 13:16:15 pan_authd_service_req(pan_authd.c:2683): Authd:Trying to remote authenticate user: darren.gibbs Nov 21 13:16:15 pan_authd_service_auth_req(pan_authd.c:1174): AUTH Request <'vsys1','VPNUsers','darren.gibbs'> Nov 21 13:16:15 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3606): failed to fetch: NO_MATCHES Nov 21 13:16:15 panauth:user <darren.gibbs,VPNUsers,vsys1> is not allowed Nov 21 13:16:15 pan_authd_process_authresult(pan_authd.c:1318): pan_authd_process_authresult: darren.gibbs authresult not auth'ed Nov 21 13:16:15 pan_authd_process_authresult(pan_authd.c:1342): Alarm generation set to: False. Nov 21 13:16:15 User 'darren.gibbs' failed authentication.  Reason: User is not in allowlist From: 110.142.210.164. Nov 21 13:16:15 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode Nov 21 13:16:15 pan_authd_generate_system_log(pan_authd.c:897): CC Enabled=False Nov 21 13:16:15 pan_get_system_cmd_output(pan_cfg_utils.c:3056): executing: /usr/local/bin/sdb -n -r cfg.operational-mode Any further suggestions welcomed. ... View more

4.1.9 now - was 4.1.7 at the time I posted the question ... View more

I have just got off the phone doing that. Thanks for the input. ... View more

You can sync is by using the HA widget from the GUI interface too - which I do - and it works fine. I'll log a case and see how I go. thanks. ... View more

Oh My. I managed to get her to run an "ipconfig". Her local segment is configured thusly IP : 10.1.1.4 Router : 10.1.1.1 Mask : 255.0.0.0 Yup, she's got her local router configured to allocate a whole class "A" subnet! Of course, this overlaps my 10.10.0.0/24 VPN network quite nicely, so I'd guess that's exactly why it's failing. Thanks for confirming what I thought was the problem. ... View more

Thanks. That was my first thought - I'm trying to get a remote user to work through running "ipconfig" and get the results. It promises to be a whole new adventure in troubleshooting pain! 🙂 I'll update once (if) I get a result. ... View more

Yeah, it's worked now, thanks. ... View more

Well, I know the LDAP server is working because if I add individual users into the "allow" list one at a time, they authenticate properly. It just won't enumerate the group members. I can work around it, but I'd really like to know WHY I can't use an AD group membership for authentication. ... View more

There are no "clients" - there is one "client" - me. 🙂 I've plugged my laptop direct into the "outside" interface and assigned it my Internet router's IP address, so it's "pretending" to be the Internet. The source packet is coming from an external address, so the firewall just sees the client as another outside IP. I don't know how the server is not matching the username - I can list the users in the group from the CLI, and the username I'm entering is in the group. Is there some way to debug the agent on the server which might shed some light? Message was edited by: Darren Gibbs ... View more