How to Use an Authentication Sequence with GlobalProtect to Handle Local and LDAP Accounts

Created On 10/16/20 20:42 PM - Last Modified 04/03/23 14:54 PM


Objective


  • This article explains how to configure GlobalProtect so that both local accounts and LDAP accounts can authenticate through an authentication sequence.


Environment


  • Palo Alto Networks Firewall
  • LDAP and Local User Database authentication profiles

 



Procedure


 

  1. Configure the authentication sequence and add the authentication profiles to it by navigating to Device > Authentication Sequence and selecting Add.
     Note: The Palo Alto Networks firewall does not support SAML authentication within an authentication sequence.

     [Screenshot: Authentication Sequence dialog]

  2. Under Network > GlobalProtect > Portals > (select the portal) > Authentication > Client Authentication tab, modify an existing client authentication entry or add a new one, select the authentication sequence created in step 1 under Authentication Profile, and click OK.

     [Screenshot: GlobalProtect Portal Client Authentication dialog]

  3. Repeat the same step in the GlobalProtect Gateway configuration (Client Authentication tab).

     [Screenshot: GlobalProtect Gateway Client Authentication dialog]

  4. On the Firewall .
  5. Try connecting with the GlobalProtect App, using the authentication sequence created in step 1 under Authentication Profile.
     

 



Additional Information


  • An authentication sequence is an ordered set of authentication profiles that the firewall tries when a user logs in.
  • The firewall tries the profiles in order from the top of the list to the bottom, applying each profile's authentication settings in turn, until one profile successfully authenticates the user.
  • The firewall denies access only if every profile in the sequence fails to authenticate the user.
  • For example:
  1. If the user "ldapuser" exists in the LDAP server's user base, the user is authenticated against the LDAP authentication profile.
  2. If the user "localuser" exists only in the local DB, the firewall first tries the LDAP authentication profile (where the user does not exist), then falls back to the local authentication profile, which authenticates the user.
  3. If the user "ldapuser" exists in both the LDAP user group and the local DB, the user is authenticated against the LDAP authentication profile. The firewall falls back to the local DB authentication profile only if the LDAP server is not responding or is down.
  • Authentication logs when a user logs in with LDAP credentials.
debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:1018): get domain for vsys1/LDAP-Local-Auth-Seq  <<<<<<<<<<<<<Auth sequence
debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "LDAP-Auth", vsys "vsys1" (method: LDAP (active directory)) has sso hash table id: 0 (0 means no or invalid keytab)  <<<<<<<<< LDAP-Authentication on top of the list
debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "Local-Auth", vsys "vsys1" (method: local) has sso hash table id: 0 (0 means no or invalid keytab)  <<<<<<<<<<<< Local Authentication second in the list
debug: _authenticate_initial(pan_auth_state_engine.c:2387): Trying to authenticate (init auth): <profile: "LDAP-Local-Auth-Seq", vsys: "vsys1", policy: "", username "ldapuser"> ; timeout setting: 115 secs ; authd id: 6880508432479158348
debug: _get_auth_prof_detail(pan_auth_util.c:1089): non-admin user thru Global Protect "ldapuser" ; auth  profile "LDAP-Local-Auth-Seq" ; vsys "vsys1"
debug: _get_authseq_profile(pan_auth_util.c:876): Auth profile/vsys (LDAP-Local-Auth-Seq/vsys1) is auth sequence
debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:628): This is a single vsys platform, group check for allow list is performed on "vsys1"
debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1833): Authenticating user "ldapuser" with <profile: "LDAP-Auth", vsys: "vsys1">, which is Auth Profile 1 of 2 in <sequence "LDAP-Local-Auth-Seq", vsys "vsys1">
debug: pan_auth_response_process(pan_auth_state_engine.c:4315): auth status: auth success
debug: pan_auth_response_process(pan_auth_state_engine.c:4336): Authentication success: <profile: "LDAP-Auth", vsys: "vsys1", username "ldapuser">
authenticated for user 'ldapuser'.   auth profile 'LDAP-Local-Auth-Seq', vsys 'vsys1', server profile 'DC1.AAVNI.COM', server address '172.16.3.10', From: 172.16.0.11.  <<<<<<<<<< user “ldapuser” is authenticated against the LDAP-Auth profile
 
  • Authentication logs when a user logs in with local DB credentials.
debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:1018): get domain for vsys1/LDAP-Local-Auth-Seq
debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "LDAP-Auth", vsys "vsys1" (method: LDAP (active directory)) has sso hash table id: 0 (0 means no or invalid keytab)
debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "Local-Auth", vsys "vsys1" (method: local) has sso hash table id: 0 (0 means no or invalid keytab)
debug: _authenticate_initial(pan_auth_state_engine.c:2387): Trying to authenticate (init auth): <profile: "LDAP-Local-Auth-Seq", vsys: "vsys1", policy: "", username "localuser"> ; timeout setting: 115 secs ; authd id: 6880508432479158353
debug: _get_auth_prof_detail(pan_auth_util.c:1089): non-admin user thru Global Protect "localuser" ; auth  profile "LDAP-Local-Auth-Seq" ; vsys "vsys1"
debug: _get_authseq_profile(pan_auth_util.c:876): Auth profile/vsys (LDAP-Local-Auth-Seq/vsys1) is auth sequence
debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1833): Authenticating user "localuser" with <profile: "LDAP-Auth", vsys: "vsys1">, which is Auth Profile 1 of 2 in <sequence "LDAP-Local-Auth-Seq", vsys "vsys1">
Error:  _parse_ldap_bind_result(pan_authd_shared_ldap.c:282): bind failed (extracted from parsed bind result) (code: 49) (string: Invalid credentials) (additional info: 80090308: LdapErr: DSID-0C09041C, comment: AcceptSecurityContext error, data 57, v4563)
Error:  _parse_ldap_bind_result(pan_authd_shared_ldap.c:286): wrong password was provided
Error:  pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1243): User "localuser" is REJECTED (msgid = 25, LDAPp=0x555557cea870)
debug: pan_authd_ldap_authenticate(pan_authd_shared_ldap.c:1326): binding back to binddn: CN=PaloAlto Service Account,CN=Managed Service Accounts,DC=AAVNI,DC=COM (Try 1)
debug: pan_authd_ldap_bind(pan_authd_shared_ldap.c:634): binding with binddn CN=PaloAlto Service Account,CN=Managed Service Accounts,DC=AAVNI,DC=COM
debug: pan_auth_response_process(pan_auth_state_engine.c:4315): auth status: auth failed
     <<<<<<<<<<<<<<<<  Failed for LDAP-Auth since user trying to authenticate is not part of LDAP user group 
debug: pan_auth_response_process(pan_auth_state_engine.c:4465): Auth sequence, start to try next auth profile: <profile: "Local-Auth", vsys: "vsys1"> for user "localuser"
debug: pan_auth_request_process(pan_auth_state_engine.c:3375): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 76, body length 2448
debug: _authenticate_initial(pan_auth_state_engine.c:2387): Trying to authenticate (init auth): <profile: "LDAP-Local-Auth-Seq", vsys: "vsys1", policy: "", username "localuser"> ; timeout setting: 115 secs ; authd id: 6880508432479158353
debug: _authenticate_initial(pan_auth_state_engine.c:2491): Using auth sequence, copying original username localuser into request
debug: _get_auth_prof_detail(pan_auth_util.c:1089): non-admin user thru Global Protect "localuser" ; auth sequence profile "LDAP-Local-Auth-Seq" ; vsys "vsys1"
debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1833): Authenticating user "localuser" with <profile: "Local-Auth", vsys: "vsys1">, which is Auth Profile 2 of 2 in <sequence "LDAP-Local-Auth-Seq", vsys "vsys1">
debug: pan_auth_response_process(pan_auth_state_engine.c:4315): auth status: auth success
debug: pan_auth_response_process(pan_auth_state_engine.c:4336): Authentication success: <profile: "Local-Auth", vsys: "vsys1", username "localuser">
authenticated for user 'localuser'.   auth profile 'LDAP-Local-Auth-Seq', vsys 'vsys1', From: 172.16.0.11.  <<<<<<<<<<<< user name "localuser" got authenticated with Local-Auth which is second in the list on Auth Sequence.
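As an added example that is not part of the article, the following Python parser reads authd debug lines like the ones above and reports, per user, which profile in the sequence accepted the login and whether the firewall had to fall back past the first profile (a useful signal for spotting LDAP outages or unexpected local-account logins). The sample lines are constructed after the article's output; the profile, sequence and user names are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of PAN-OS authd debug lines, modelled on the article's output (names are assumptions).
SAMPLE_LOG = """\
debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1833): Authenticating user "ldapuser" with <profile: "LDAP-Auth", vsys: "vsys1">, which is Auth Profile 1 of 2 in <sequence "LDAP-Local-Auth-Seq", vsys "vsys1">
debug: pan_auth_response_process(pan_auth_state_engine.c:4315): auth status: auth success
debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1833): Authenticating user "localuser" with <profile: "LDAP-Auth", vsys: "vsys1">, which is Auth Profile 1 of 2 in <sequence "LDAP-Local-Auth-Seq", vsys "vsys1">
debug: pan_auth_response_process(pan_auth_state_engine.c:4315): auth status: auth failed
debug: pan_auth_response_process(pan_auth_state_engine.c:4465): Auth sequence, start to try next auth profile: <profile: "Local-Auth", vsys: "vsys1"> for user "localuser"
debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1833): Authenticating user "localuser" with <profile: "Local-Auth", vsys: "vsys1">, which is Auth Profile 2 of 2 in <sequence "LDAP-Local-Auth-Seq", vsys "vsys1">
debug: pan_auth_response_process(pan_auth_state_engine.c:4315): auth status: auth success
"""
# Each attempt is announced as "Authenticating user ... which is Auth Profile N of M in <sequence ...>".
ATTEMPT = re.compile(r'Authenticating user "(?P<user>[^"]+)" with <profile: "(?P<prof>[^"]+)".*Auth Profile (?P<idx>\d+) of \d+ in <sequence "(?P<seq>[^"]+)"')
# The verdict for that attempt arrives on a later "auth status" line that carries no username.
STATUS = re.compile(r'auth status: auth (?P<status>success|failed)')

@dataclass
class SeqResult:
    sequence: str
    tried: List[str] = field(default_factory=list)  # profiles tried, in sequence order
    succeeded_with: Optional[str] = None             # None if every profile rejected the user
    fell_back: bool = False                          # True if a profile other than the first succeeded

def parse_auth_sequence(log: str) -> Dict[str, SeqResult]:
    """Reconstruct, per user, how the authentication sequence walked its profiles."""
    results: Dict[str, SeqResult] = {}
    pending = None  # (user, profile, position) of the attempt still awaiting its verdict
    for line in log.splitlines():
        m = ATTEMPT.search(line)
        if m:
            r = results.setdefault(m["user"], SeqResult(m["seq"]))
            r.tried.append(m["prof"])
            pending = (m["user"], m["prof"], int(m["idx"]))
            continue
        m = STATUS.search(line)
        if m and pending:
            user, prof, idx = pending
            if m["status"] == "success":
                results[user].succeeded_with = prof
                results[user].fell_back = idx > 1
            pending = None
    return results

def fallback_users(results: Dict[str, SeqResult]) -> List[str]:
    """Users who only got in via a later profile; worth alerting on when the first profile is LDAP."""
    return sorted(u for u, r in results.items() if r.fell_back)
```

Feeding real authd output (e.g. from `less mp-log authd.log`) into parse_auth_sequence gives the same per-user view the annotated log above shows by hand.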