Connection to GlobalProtect is failing with error "You are not authorized to connect to GlobalProtect Portal"

167260
Created On 04/08/19 14:10 PM - Last Modified 04/15/19 22:52 PM


Symptom


  • GlobalProtect is configured on the firewall.
  • Logging in to the GP Portal from a web browser succeeds: authentication is successful.
  • Connecting through the GlobalProtect client fails with the error "You are not authorized to connect to GlobalProtect Portal".

        [Screenshot: GlobalProtect client error message]

System Logs:

        [Screenshot: System Logs]


Environment


GlobalProtect Portal and Gateway configured with User/User Group as the Config Selection Criteria.

Cause


  • This can happen when the GlobalProtect Portal agent config is restricted to a User/User Group and the username the client connects with is not in that list, or is not a member of the AD group added under User/User Group.
  • User/User Group is configured under Network > GlobalProtect > Portals > (Portal name) > Agent > (Agent Config) > Config Selection Criteria tab.
  • Sometimes this issue is seen when the username learnt via GlobalProtect does not match the username format in the group-mapping table.


Resolution


  1. Make sure the username the client connects with is added under User/User Group.
  2. If the user is a member of an AD group, make sure that AD group is added under User/User Group.
  3. If the username or AD group is already added, check the "User Domain" setting in the User-ID Group Mapping settings and in the Authentication Profile.

For instance, a user is trying to connect to GP with the username gpuser.
If the GP Portal's User/User Group is configured with an AD group (say cn=it_operations,cn=users,dc=pandomain,dc=com), check the output of the command below:

> show user group name cn=it_operations,cn=users,dc=pandomain,dc=com

source type: service
source:      AD_Group_Mapping_al.com
[1     ] pandomain\gpuser
[2     ] pandomain\alex
[3     ] pandomain\paloaltouser

In this case, the username gpuser will not match pandomain\gpuser in the group-mapping table.
Configuring "User Domain" as pandomain in the Authentication Profile will fix the issue.
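The example below is an added illustration, not Palo Alto Networks' code or PAN-OS logic. It models the comparison described above: the username learnt from the client is normalized to the domain\user form stored in the group-mapping table, and the Authentication Profile "User Domain" value supplies the missing domain when the client sends a bare username. The group-mapping table, the member names and the case-insensitive comparison are constructed assumptions for this model; the handling of user@domain logins is a hypothetical simplification.

```python
# Added example (not Palo Alto Networks' own code). Models how a username
# learnt from the GlobalProtect client is matched against group-mapping
# entries, and how the Authentication Profile "User Domain" changes the match.

# Constructed group-mapping table mirroring the CLI output in the article:
# members are stored as domain\user.
GROUP_MAPPING = {
    "cn=it_operations,cn=users,dc=pandomain,dc=com": [
        "pandomain\\gpuser",
        "pandomain\\alex",
        "pandomain\\paloaltouser",
    ],
}


def normalize_username(login_name, user_domain=None):
    """Return the domain\\user form used by the group-mapping table.

    login_name may be 'user', 'DOMAIN\\user' or 'user@domain.tld'.
    user_domain is the Authentication Profile "User Domain" value; in this
    model it is only prepended when the client supplied no domain at all.
    Case-insensitive matching is an assumption of this model.
    """
    name = login_name.strip()
    if "\\" in name:
        domain, _, user = name.partition("\\")
    elif "@" in name:
        user, _, upn_suffix = name.partition("@")
        # Hypothetical simplification: NetBIOS domain = first label of the UPN suffix.
        domain = upn_suffix.split(".")[0]
    else:
        user, domain = name, (user_domain or "")
    if not domain:
        return user.lower()  # no domain known: stays a bare username
    return f"{domain.lower()}\\{user.lower()}"


def is_member(login_name, group_dn, user_domain=None):
    """True if the normalized username appears in group_dn's member list."""
    members = {m.lower() for m in GROUP_MAPPING.get(group_dn, [])}
    return normalize_username(login_name, user_domain) in members


def matching_groups(login_name, user_domain=None):
    """Groups the user matches, in the spirit of 'show user user-ids match-user'."""
    return sorted(g for g in GROUP_MAPPING if is_member(login_name, g, user_domain))


if __name__ == "__main__":
    group = "cn=it_operations,cn=users,dc=pandomain,dc=com"
    # Bare username never matches the domain\user entries: the article's failure case.
    print(is_member("gpuser", group))                           # False
    # With User Domain = pandomain the same login matches.
    print(is_member("gpuser", group, user_domain="pandomain"))  # True
    # A client that already sends the domain matches regardless of the setting.
    print(is_member("PANDOMAIN\\gpuser", group))                # True
    # A user outside the group still fails, as the portal restriction intends.
    print(is_member("bob", group, user_domain="pandomain"))     # False
```

Running the block prints the four results above; the first two lines show the exact before/after of the "User Domain" fix for the gpuser case in the article.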

Related articles for reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClokCAC
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CliyCAC
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVcCAK


Additional Information


Commands for reference:
show user group list
show user group name "Group_Name"
show user user-ids match-user <username>


