用户 GP 在没有凭据提示的情况下连接到新部署的门户

用户 GP 在没有凭据提示的情况下连接到新部署的门户

4373
Created On 03/24/21 08:24 AM - Last Modified 06/07/24 21:12 PM


Symptom


  • 从一个 GP 门户切换到第二个门户后,没有凭据提示。 第二个门户可以是新部署的门户。
  • GP 两个门户网站上的相关配置与身份验证配置文件(相同的身份验证服务器(如 LDAP 或半径等)和证书相同 GP 。
  • 在门户配置中检查"保存用户凭据 GP "。

Environment


  • 一个尼 Pan-OS firewall

Cause


  • 在这里,客户端连接到门户 GP1:
用户添加的图像
 
同一用户能够连接到 GP2,而无需提示密码:
 
用户添加的图像
  • 潘格帕斯向潘格帕发送了user_credential信息:
<response>
	<type>user_credential</type>
	<status>Disconnected</status>
	<protocol/>
	<portal-config-version>4100</portal-config-version>
	<error-must-show/>
	<error-must-show-level>error</error-must-show-level>
	<error/>
	<product-version>5.2.5-66</product-version>
	<product-code>&quot;{C531B514-763E-4495-A3C4-1B28C749A343}&quot;</product-code>
	<portal-status>User authentication failed</portal-status>
	<user-name/>
	<username-type>regular</username-type>
	<state>Disconnected</state>
	<check-version>no</check-version>
	<portal>gp2.paloaltonetworks.com</portal>
	<discover-ready>no</discover-ready>
	<mdm-is-enabled>no</mdm-is-enabled>
	<authentication-message>Enter login credentials</authentication-message>
	<autosubmit>no</autosubmit>
	<cc-username/>
	<auth-failed-password-empty>false</auth-failed-password-empty>
	<username-label>Username</username-label>
	<password-label>Password</password-label>
	<auth-api>no</auth-api>
</response>
 
  • PanGPA 检索用户名/密码,并使用用户凭证消息回复 PanGPS 以进行门户身份验证。
(P11236-T8552)Debug( 361): 04/12/21 17:05:24:686 Receive gps message with type user_credential.
(P11236-T8552)Debug( 799): 04/12/21 17:05:24:686 retreivePasswdFromSecureStore - password is not empty.

(P11236-T8552)Debug( 325): 04/12/21 17:05:24:686 ===> response sent to GPI = <response><type>user_credential</type><error></error><auth-message>Enter login credentials</auth-message><disabled>no</disabled></response>
(P11236-T4748)Debug(3315): 04/12/21 17:05:25:107 enum result is 0000000000000000
(P11236-T4748)Debug(3341): 04/12/21 17:05:25:107 gbCheckInsertSmardCard is false, quit the enum loop
(P11236-T9784)Debug( 611): 04/12/21 17:05:25:201 Send command to Pan Service
(P11236-T9784)Debug( 626): 04/12/21 17:05:25:201 Command = <request><type>user_credential</type><portal>gp2.paloaltonetworks.com</portal><pid>11236</pid>
<user>paloalto</user><passwd>*********</passwd><checkupdate>no</checkupdate><allow-cached-portal>yes</allow-cached-portal><remember-me>yes</remember-me>
<manual-select-gateway-ip></manual-select-gateway-ip><portal-certificate-verification>yes</portal-certificate-verification><win-user>user1</win-user>
<proxy-auto-detect>1</proxy-auto-detect><proxy-config-url></proxy-config-url><proxy></proxy><proxy-bypass></proxy-bypass><user-profile-type>0</user-profile-type>
<preferred-gateway></preferred-gateway><preferred-gateway-address></preferred-gateway-address><saved-user>paloalto</saved-user><saved-passwd>********</saved-passwd>
<portal-2fa>no</portal-2fa><use-ssl-tunnel>no</use-ssl-tunnel><pre-logon-then-on-demand>no</pre-logon-then-on-demand><domain>089A56DD-3791-4</domain>
<default-browser>0</default-browser></request>
 
  • 这是预期的行为,因为新的门户配置不会生效,直到它成功连接。当我们从门户 A 切换到 B ,在连接之前 B ,PanGP 仍然使用门户 A 的缓存配置。

Resolution


  • 如果需要提示用户获得凭据,则必须将"保存用户凭据"设置 NO 为(或仅保存用户名")以用于 GP 网络中的所有 VPN
用户添加的图像
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001UvICAU&lang=zh_CN&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language