Authentication Fails with user not in allow list Even Though User is in Filtered Group

67021
Created On 09/25/18 19:54 PM - Last Modified 06/14/23 06:25 AM

Issue

GlobalProtect and/or Captive Portal users fail authentication when the Authentication Profile's allow list is restricted to specific groups. The users appear to be members of the group that makes up the allow list, yet the message "user not in allow list" still appears. If the allow list is changed to "all" instead of specific groups, the same users authenticate fine.

Resolution

This happens when the device was previously configured as a multi-vsys device and the authentication profile was created at that time as a "shared" profile, which worked fine in that configuration. When the device is later changed back to a single-vsys device, the authentication profile may remain a "shared" profile (now with only the single vsys). In that state the device is no longer able to read group membership through the "shared" authentication profile.

When troubleshooting, run the following CLI command to confirm that the users are members of the group (so the problem is the profile, not group mapping):

> show user group name <name>

Even though the group membership is shown correctly, the user fails authentication when this group is referenced in the allow list of the shared authentication profile. To work around the issue, create an authentication profile that is not shared but is specific to the vsys, with the same settings and allow list. The vsys-specific profile reads the groups correctly and authentication works, because the users are now recognized as members of the group.
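As an added illustration (not part of the original article), the check and the workaround as a PAN-OS CLI session. The profile, group DN, server profile and vsys names are constructed placeholders, and the configure-mode `set` syntax is written from memory as an assumption: verify each command with `?` completion on your release before committing.

```text
# 1. Confirm the group mapping itself is correct (constructed group DN).
> show user group name "cn=gp-users,ou=groups,dc=example,dc=com"

# 2. Reproduce the failure against the existing shared profile (assumed profile name GP-Auth).
#    Expect "user not in allow list" here even though step 1 listed the user.
> test authentication authentication-profile GP-Auth username jdoe password

# 3. Inspect the shared profile and build a vsys-specific copy of it.
> configure
# show shared authentication-profile GP-Auth
# set vsys vsys1 authentication-profile GP-Auth-vsys1 method ldap server-profile LDAP-Corp login-attribute sAMAccountName
# set vsys vsys1 authentication-profile GP-Auth-vsys1 allow-list "cn=gp-users,ou=groups,dc=example,dc=com"
# commit
# exit

# 4. Re-run the authentication test against the vsys-specific profile; it should now succeed.
> test authentication authentication-profile GP-Auth-vsys1 username jdoe password

# 5. Point the GlobalProtect portal/gateway (or Captive Portal) at GP-Auth-vsys1 and commit.
#    The shared profile can be removed once nothing references it.
```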

owner: sjamaluddin
