User is not in Allow List when Authentication Profile is configured in a shared location in PAN-OS 10.1
Created On 07/14/22 20:33 PM - Last Modified 05/10/24 02:29 AM
Symptom
- After upgrading to PAN-OS 10.1.x, GlobalProtect VPN users are unable to connect because authentication fails.
- In the GlobalProtect log and the authd log, the authentication fails with SAML error code 1, which authd maps to "user NOT in allow list". The authd excerpt below (timestamps trimmed to the UTC offset) shows the allow list lookup being made against the vsys of the request, vsys3, rather than the Shared location where the profile is defined:
-0500 debug: pan_auth_saml_resp_process(pan_auth_state_engine.c:5410): Check allow list status for User1 (PingFED-Prod_Profile/vsys3)
-0500 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:786): user "User1" is NOT in allow list of auth prof/vsys "PingFED-Prod_Profile/vsys3" (vsys in request "vsys3")
-0500 Error: pan_allowlist_request_process(pan_auth_allow_lock.c:77): Failed to get allow list status for user User1/vsys3/PingFED-Prod_Profile
-0500 SAML SSO authentication failed for user 'User1'. Reason: User is not in allowlist. auth profile 'PingFED-Prod_Profile', vsys 'vsys3', server profile 'PingFED-Prod-iDP_Profile', IdP entityID 'sso:saml2:nelnet:entityid', reply message 'User "User1" is not in allow list' From: x.x.x.y.
-0500 debug: _log_saml_respone(pan_auth_server.c:397): Sent PAN_AUTH_FAILURE SAML response:(authd_id: 7117108164952064060) (SAML err code "1" means NOT in allow list) (return username 'User1') (auth profile 'PingFED-Prod_Profile') (reply msg 'User "User1" is not in allow list') (NameID 'User1') (SessionIndex 'Df34lAHIKjwglvDU2btD4XnWRJ.') (Single Logout enabled? 'No') (Is it CAS (cloud-auth-service)? 'No')
Environment
- PAN-OS 10.1.x
- Palo Alto Networks firewall with multiple virtual systems (multi-vsys) configured
- GlobalProtect VPN using an Authentication Profile defined in the Shared location
Cause
- In PAN-OS 10.1 and later, the authentication request is scoped to the specific vsys that received it (for example, vsys3), while the Authentication Profile is defined in the Shared location. The allow list lookup is performed against the vsys named in the request, does not find the Shared profile there, and therefore fails the allow list check. The user is rejected even though the allow list itself is correct.
- Prior to PAN-OS 10.1, the authentication request was made in the Shared location, so the Shared profile was found and the lookup succeeded.
Resolution
- The issue is tracked and fixed under PAN-190454.
- Upgrading to a fixed release (PAN-OS 10.1.9 or later, or 10.2.4 or later) resolves the issue.
- As a workaround on affected releases, move the Authentication Profile from the Shared location into the specific vsys used by the GlobalProtect portal and gateway, and update the portal and gateway configuration to reference the vsys-local profile. Keep the allow list membership itself unchanged: the failure is a lookup-scope problem, not a membership problem, so widening the allow list would remove a control rather than fix the lookup.
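The following is an added triage example, not code from the original article or from Palo Alto Networks. It parses authd log lines of the shape shown in the Symptom section, picks out SAML failures whose reason is the allow list, and combines them with two inputs the log alone does not carry: where each Authentication Profile is defined (Shared or a vsys, as read from the running configuration) and the PAN-OS version. A failure is flagged as a likely PAN-190454 hit only when the profile is in Shared and the version falls in the affected ranges stated above (10.1.x before 10.1.9, 10.2.x before 10.2.4); anything else is reported as an ordinary allow list membership question. The sample log text, the profile-location map, the `Other_Profile` failure line and all function names are constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the authd lines in the Symptom section above;
# the second failure (User2 / Other_Profile) is invented to show a non-allow-list reason.
SAMPLE_AUTHD_LOG = """\
-0500 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:786): user "User1" is NOT in allow list of auth prof/vsys "PingFED-Prod_Profile/vsys3" (vsys in request "vsys3")
-0500 Error: pan_allowlist_request_process(pan_auth_allow_lock.c:77): Failed to get allow list status for user User1/vsys3/PingFED-Prod_Profile
-0500 SAML SSO authentication failed for user 'User1'. Reason: User is not in allowlist. auth profile 'PingFED-Prod_Profile', vsys 'vsys3', server profile 'PingFED-Prod-iDP_Profile', IdP entityID 'sso:saml2:nelnet:entityid', reply message 'User "User1" is not in allow list' From: x.x.x.y.
-0500 SAML SSO authentication failed for user 'User2'. Reason: Invalid signature. auth profile 'Other_Profile', vsys 'vsys1', server profile 'Other-IdP', IdP entityID 'urn:example:idp', reply message 'Signature check failed' From: x.x.x.z.
"""

# Matches the authd summary line for a failed SAML SSO authentication.
FAIL_RE = re.compile(
    r"SAML SSO authentication failed for user '(?P<user>[^']+)'\. "
    r"Reason: (?P<reason>.+?)\. auth profile '(?P<profile>[^']+)', vsys '(?P<vsys>[^']+)'"
)
ALLOWLIST_RE = re.compile(r"allow ?list", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '10.1.9-h1' into (10, 1, 9); hotfix suffixes do not change the fix status."""
    base = version.split("-", 1)[0]
    parts = base.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint = (int(p) for p in parts)
    return major, minor, maint


def affected_by_pan_190454(version: str) -> Optional[bool]:
    """True/False for the trains the article covers, None for trains it does not mention."""
    major, minor, maint = parse_version(version)
    if (major, minor) == (10, 1):
        return maint < 9          # fixed in 10.1.9 and later
    if (major, minor) == (10, 2):
        return maint < 4          # fixed in 10.2.4 and later
    if (major, minor) < (10, 1):
        return False              # before 10.1 the request was made in Shared
    return None                   # 11.x and later: not assessed by the article


def triage(log_text: str, profile_locations: Dict[str, str], pan_os_version: str) -> List[Dict[str, str]]:
    """Classify each failed SAML authentication line.

    profile_locations maps an Authentication Profile name to 'shared' or a vsys name,
    as taken from the running configuration (constructed input in this example).
    """
    affected = affected_by_pan_190454(pan_os_version)
    results: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        match = FAIL_RE.search(line)
        if not match:
            continue
        rec = match.groupdict()
        if not ALLOWLIST_RE.search(rec["reason"]):
            rec["verdict"] = "other-failure"          # signature, clock skew, etc.
        else:
            location = profile_locations.get(rec["profile"], "unknown")
            rec["location"] = location
            if location == "shared" and affected is True:
                # Shared profile + affected release: lookup ran in the request vsys, not Shared.
                rec["verdict"] = "likely-PAN-190454"
            elif location == "shared" and affected is None:
                rec["verdict"] = "shared-profile-release-not-assessed"
            else:
                # Profile already vsys-local, or release has the fix: the allow list
                # was actually consulted, so check membership rather than the lookup.
                rec["verdict"] = "verify-allow-list-membership"
        results.append(rec)
    return results


if __name__ == "__main__":
    # Constructed profile map: the profile lives in Shared, as in the article's scenario.
    for rec in triage(SAMPLE_AUTHD_LOG, {"PingFED-Prod_Profile": "shared"}, "10.1.6"):
        print(f"{rec['user']:<6} {rec['profile']:<22} {rec['vsys']:<6} {rec['verdict']}")
```

Run it against an exported authd log with the profile map filled in from `show config running` and the version from `show system info`; a `likely-PAN-190454` verdict points at the upgrade or the move-to-vsys workaround, while `verify-allow-list-membership` means the allow list was genuinely consulted and the user really is absent from it.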