Palo Alto Networks Knowledgebase: GlobalProtect Login Fails When Using a Group in the Allow List

Created On 08/05/19 20:22 PM - Last Updated 08/05/19 20:36 PM
VPNs

Issue

When using a group in the "allow list" of the authentication profile that GlobalProtect uses, the login attempt fails with the following error: "Reason: User is not in allowlist"


However, the login works fine if the allow list is set to "all" in the authentication profile.


Resolution

  1. Confirm that the group you are using is in the include list of a Group Mapping configuration under Device > User Identification > Group Mapping Settings:
    (Screenshot: Group Mapping)

  2. Confirm that the group in question contains the user attempting to log in.
    Run the CLI command: show user group name <value>

    For example:
    > show user group name pantac\vpn-user
    short name:  pantac\vpn-user

    source type: ldap
    source:      Pantac2003

    [1     ] pantac\user1
    [2     ] pantac\admin1
    [3     ] pantac\administrator
    [4     ] pantac\user2
    [5     ] pantac\user4

  3. Confirm that the LDAP server profile used for your Group Mapping and for your GlobalProtect authentication profile contains the NetBIOS domain name (short name) in the domain field. Do not use the DNS name of the domain (domainname.com). In most cases this is the same profile. The domain field can also be left blank in many cases.

    The LDAP server profile is under Device > Server Profiles > LDAP
    (Screenshot: LDAP server account)
    In PAN-OS 7.0 and later, the domain setting was moved to Device > User Identification > Group Mapping Settings > User Domain.
    (Screenshot: User Domain)
    In PAN-OS 8.0 the User Domain can also be controlled in the Authentication Profile.
    (Screenshot: User Domain in the Authentication Profile)
  4. Confirm that the group name in the allow list of the GlobalProtect authentication profile is listed with the long name of the group. The long name can be copied from the output of the "show user group list" CLI command and pasted into the allow list.
    (Screenshot: Authentication Profile Allow List)
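The following is an added helper, not part of the original article or of PAN-OS, that parses the "show user group name" output shown in step 2 and performs the checks from steps 2 and 3 offline. It assumes the output format above (a "short name:" header and "[n ] domain\user" member lines) and that member names are matched case-insensitively, as AD/LDAP names are; the sample output is constructed from the article.

```python
import re

# Constructed sample: the "show user group name pantac\vpn-user" output
# from the article, embedded so the checks can run without a firewall.
SAMPLE_OUTPUT = """\
short name:  pantac\\vpn-user

source type: ldap
source:      Pantac2003

[1     ] pantac\\user1
[2     ] pantac\\admin1
[3     ] pantac\\administrator
[4     ] pantac\\user2
[5     ] pantac\\user4
"""

# One member line: "[<index>] <domain\user>"
MEMBER_RE = re.compile(r"^\[\s*\d+\s*\]\s+(\S+)\s*$")


def parse_group_output(text):
    """Parse 'show user group name <group>' output into its short name,
    source type, source (the LDAP server profile) and member list."""
    info = {"short_name": None, "source_type": None, "source": None, "members": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("short name:"):
            info["short_name"] = line.split(":", 1)[1].strip()
        elif line.startswith("source type:"):
            info["source_type"] = line.split(":", 1)[1].strip()
        elif line.startswith("source:"):
            info["source"] = line.split(":", 1)[1].strip()
        else:
            m = MEMBER_RE.match(line)
            if m:
                info["members"].append(m.group(1))
    return info


def user_in_group(user, text):
    """Step 2 check: does the group's member list contain the user?
    Assumption: compare case-insensitively, as AD/LDAP names are."""
    members = {m.lower() for m in parse_group_output(text)["members"]}
    return user.lower() in members


def domain_field_is_netbios(domain):
    """Step 3 check: the domain field must hold the NetBIOS short name
    or be empty; a DNS name such as domainname.com contains a dot."""
    return domain == "" or "." not in domain
```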


owner: jteestel



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClizCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail