How to Use an Authentication Sequence for GlobalProtect with Local Accounts and LDAP Accounts
Created On 10/16/20 20:42 PM - Last Modified 04/03/23 14:54 PM
Objective
- This article helps customers configure GlobalProtect to work with both local accounts and LDAP accounts by using an authentication sequence.
Environment
- Palo Alto Networks Firewall
- LDAP and Local User Database authentication profiles
Procedure
- Configure an authentication sequence and add the authentication profiles to it by navigating to Device > Authentication Sequence > Add.
Note: Palo Alto Networks firewalls do not support SAML authentication within an authentication sequence.
- Under Network > GlobalProtect > Portals > select the portal > Authentication > Client Authentication tab, modify an existing client authentication entry or add a new one, select the authentication sequence created in step 1 under Authentication Profile, and click OK.
- Repeat the same step in the GlobalProtect Gateway configuration (Client Authentication tab).
- Commit the changes on the Firewall.
- Try to connect with the GlobalProtect App using the authentication sequence created in step 1 under Authentication Profile.
Additional Information
- An authentication sequence is a set of authentication profiles that the firewall tries, in order, when a user logs in.
- The firewall tries the profiles from the top of the list to the bottom, applying each profile's authentication settings, until one profile successfully authenticates the user.
- The firewall denies access only if every profile in the sequence fails to authenticate the user.
- For example:
  - If the user "ldapuser" exists in the LDAP server's user base, it is authenticated against the LDAP authentication profile.
  - If the user "localuser" exists only in the local DB, the firewall first tries to authenticate it against the LDAP authentication profile (where the user does not exist), then falls back to the local authentication profile and authenticates the user there.
  - If the user "ldapuser" exists in both the LDAP user base and the local DB, it is authenticated against the LDAP authentication profile. It falls back to the local authentication profile only when the LDAP server is down or not responding.
- Authentication logs when LDAP credentials are used.
debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:1018): get domain for vsys1/LDAP-Local-Auth-Seq <<<<<<<<<<<<<Auth sequence
debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "LDAP-Auth", vsys "vsys1" (method: LDAP (active directory)) has sso hash table id: 0 (0 means no or invalid keytab) <<<<<<<<< LDAP-Authentication on top of the list
debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "Local-Auth", vsys "vsys1" (method: local) has sso hash table id: 0 (0 means no or invalid keytab) <<<<<<<<<<<< Local Authentication second in the list
debug: _authenticate_initial(pan_auth_state_engine.c:2387): Trying to authenticate (init auth): <profile: "LDAP-Local-Auth-Seq", vsys: "vsys1", policy: "", username "ldapuser"> ; timeout setting: 115 secs ; authd id: 6880508432479158348
debug: _get_auth_prof_detail(pan_auth_util.c:1089): non-admin user thru Global Protect "ldapuser" ; auth profile "LDAP-Local-Auth-Seq" ; vsys "vsys1"
debug: _get_authseq_profile(pan_auth_util.c:876): Auth profile/vsys (LDAP-Local-Auth-Seq/vsys1) is auth sequence
debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:628): This is a single vsys platform, group check for allow list is performed on "vsys1"
debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1833): Authenticating user "ldapuser" with <profile: "LDAP-Auth", vsys: "vsys1">, which is Auth Profile 1 of 2 in <sequence "LDAP-Local-Auth-Seq", vsys "vsys1">
debug: pan_auth_response_process(pan_auth_state_engine.c:4315): auth status: auth success
debug: pan_auth_response_process(pan_auth_state_engine.c:4336): Authentication success: <profile: "LDAP-Auth", vsys: "vsys1", username "ldapuser"> authenticated for user 'ldapuser'. auth profile 'LDAP-Local-Auth-Seq', vsys 'vsys1', server profile 'DC1.AAVNI.COM', server address '172.16.3.10', From: 172.16.0.11.
<<<<<<<<<< user "ldapuser" is authenticated against the LDAP-Auth profile
- Authentication logs when local DB credentials are used.
debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:1018): get domain for vsys1/LDAP-Local-Auth-Seq
debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "LDAP-Auth", vsys "vsys1" (method: LDAP (active directory)) has sso hash table id: 0 (0 means no or invalid keytab)
debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "Local-Auth", vsys "vsys1" (method: local) has sso hash table id: 0 (0 means no or invalid keytab)
debug: _authenticate_initial(pan_auth_state_engine.c:2387): Trying to authenticate (init auth): <profile: "LDAP-Local-Auth-Seq", vsys: "vsys1", policy: "", username "localuser"> ; timeout setting: 115 secs ; authd id: 6880508432479158353
debug: _get_auth_prof_detail(pan_auth_util.c:1089): non-admin user thru Global Protect "localuser" ; auth profile "LDAP-Local-Auth-Seq" ; vsys "vsys1"
debug: _get_authseq_profile(pan_auth_util.c:876): Auth profile/vsys (LDAP-Local-Auth-Seq/vsys1) is auth sequence
debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1833): Authenticating user "localuser" with <profile: "LDAP-Auth", vsys: "vsys1">, which is Auth Profile 1 of 2 in <sequence "LDAP-Local-Auth-Seq", vsys "vsys1">
Error: _parse_ldap_bind_result(pan_authd_shared_ldap.c:282): bind failed (extracted from parsed bind result) (code: 49) (string: Invalid credentials) (additional info: 80090308: LdapErr: DSID-0C09041C, comment: AcceptSecurityContext error, data 57, v4563)
Error: _parse_ldap_bind_result(pan_authd_shared_ldap.c:286): wrong password was provided
Error: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1243): User "localuser" is REJECTED (msgid = 25, LDAPp=0x555557cea870)
debug: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1326): binding back to binddn: CN=PaloAlto Service Account,CN=Managed Service Accounts,DC=AAVNI,DC=COM (Try 1)
debug: pan_authd_ldap_bind(pan_authd_shared_ldap.c:634): binding with binddn CN=PaloAlto Service Account,CN=Managed Service Accounts,DC=AAVNI,DC=COM
debug: pan_auth_response_process(pan_auth_state_engine.c:4315): auth status: auth failed <<<<<<<<<<<<<<<< Failed for LDAP-Auth since user trying to authenticate is not part of LDAP user group
debug: pan_auth_response_process(pan_auth_state_engine.c:4465): Auth sequence, start to try next auth profile: <profile: "Local-Auth", vsys: "vsys1"> for user "localuser"
debug: pan_auth_request_process(pan_auth_state_engine.c:3375): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 76, body length 2448
debug: _authenticate_initial(pan_auth_state_engine.c:2387): Trying to authenticate (init auth): <profile: "LDAP-Local-Auth-Seq", vsys: "vsys1", policy: "", username "localuser"> ; timeout setting: 115 secs ; authd id: 6880508432479158353
debug: _authenticate_initial(pan_auth_state_engine.c:2491): Using auth sequence, copying original username localuser into request
debug: _get_auth_prof_detail(pan_auth_util.c:1089): non-admin user thru Global Protect "localuser" ; auth sequence profile "LDAP-Local-Auth-Seq" ; vsys "vsys1"
debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1833): Authenticating user "localuser" with <profile: "Local-Auth", vsys: "vsys1">, which is Auth Profile 2 of 2 in <sequence "LDAP-Local-Auth-Seq", vsys "vsys1">
debug: pan_auth_response_process(pan_auth_state_engine.c:4315): auth status: auth success
debug: pan_auth_response_process(pan_auth_state_engine.c:4336): Authentication success: <profile: "Local-Auth", vsys: "vsys1", username "localuser"> authenticated for user 'localuser'. auth profile 'LDAP-Local-Auth-Seq', vsys 'vsys1', From: 172.16.0.11. <<<<<<<<<<<< user name "localuser" got authenticated with Local-Auth which is second in the list on Auth Sequence.
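To make the profile-by-profile fall-through in the two excerpts above easier to read when troubleshooting, here is an added Python helper (not Palo Alto Networks code) that walks authd debug output and reports which profile of the sequence each attempt hit and what it returned. It assumes only the line formats quoted in this article, and the sample log is a constructed abridgement of the "localuser" excerpt.

```python
import re
from dataclasses import dataclass

# Regexes match the authd debug lines quoted in this article; the group names are mine.
ATTEMPT_RE = re.compile(
    r'Authenticating user "(?P<user>[^"]+)" with <profile: "(?P<profile>[^"]+)", vsys: "[^"]+">,'
    r' which is Auth Profile (?P<idx>\d+) of (?P<total>\d+) in <sequence "(?P<seq>[^"]+)"')
STATUS_RE = re.compile(r'auth status: auth (?P<status>success|failed)')
REASON_RE = re.compile(r'\(string: (?P<reason>[^)]+)\)')  # LDAP bind error text

@dataclass
class Attempt:
    user: str
    sequence: str
    profile: str
    index: int        # position of this profile in the sequence (1-based)
    total: int        # number of profiles in the sequence
    status: str = "pending"
    reason: str = ""  # LDAP bind failure string, when the server returned one

def parse_auth_sequence(lines):
    """Return one Attempt per profile the sequence tried, in the order authd tried them."""
    attempts = []
    for line in lines:
        m = ATTEMPT_RE.search(line)
        if m:
            attempts.append(Attempt(m["user"], m["seq"], m["profile"],
                                    int(m["idx"]), int(m["total"])))
            continue
        # Reason and status lines belong to the most recent attempt only.
        m = REASON_RE.search(line)
        if m and attempts and not attempts[-1].reason:
            attempts[-1].reason = m["reason"]
        m = STATUS_RE.search(line)
        if m and attempts and attempts[-1].status == "pending":
            attempts[-1].status = m["status"]
    return attempts

def winning_profile(attempts):
    """Profile that accepted the user, or None when every profile in the sequence rejected them."""
    return next((a.profile for a in attempts if a.status == "success"), None)

# Constructed sample, abridged from the "localuser" excerpt above.
SAMPLE_LOG = """\
debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1833): Authenticating user "localuser" with <profile: "LDAP-Auth", vsys: "vsys1">, which is Auth Profile 1 of 2 in <sequence "LDAP-Local-Auth-Seq", vsys "vsys1">
Error: _parse_ldap_bind_result(pan_authd_shared_ldap.c:282): bind failed (extracted from parsed bind result) (code: 49) (string: Invalid credentials)
debug: pan_auth_response_process(pan_auth_state_engine.c:4315): auth status: auth failed
debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1833): Authenticating user "localuser" with <profile: "Local-Auth", vsys: "vsys1">, which is Auth Profile 2 of 2 in <sequence "LDAP-Local-Auth-Seq", vsys "vsys1">
debug: pan_auth_response_process(pan_auth_state_engine.c:4315): auth status: auth success
""".splitlines()
```

Feed it the output of the firewall's authd debug log for one login and `winning_profile` tells you which entry of the sequence accepted the user, while the per-attempt `reason` shows why the earlier entries rejected it.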
- You can read more about authentication profiles and sequences at the following link: