Connection to GlobalProtect is failing with error "You are not authorized to connect to GlobalProtect Portal"

Connection to GlobalProtect is failing with error "You are not authorized to connect to GlobalProtect Portal"

100793
Created On 04/08/19 14:10 PM - Last Modified 04/15/19 22:52 PM


Symptom
  • GlobalProtect configured on the Firewall.
  • When login to GP Portal using Web-Browser, authentication is successful.
  • When try to connect via GlobalProtect client, it fails with error "You are not authorized to connect to GlobalProtect Portal"

        User-added image

System Logs:

        User-added image


Environment
Global Protect Portal and Gateway configured with User/UserGroup Config Selection Criteria.

Cause
  • This could happen when GlobalProtect Portal is configured with User/User Group and the username using which the client is trying to connect is not in the list or the username is not in the member list of AD Group added under User/User Group.
  • User/User Group can be configured by navigating to Network > GlobalProtect > Portal, Click the Portal name> Agent > Click on Agent Config> Config Selection Criteria tab.
  • Sometimes this issue is seen when username learnt via GlobalProtect doesn't match the username format in the group-mapping table.


Resolution
  1. Make sure, the username using which the client is trying to connect is added in the User/User Group.
  2. If the user is member of an AD Group, make sure the AD group is added in the User/User Group.
  3. If the username or AD Group is already added, you may need to further check "Domain User" config in User ID Group Mapping settings and Authentication Profile.

For instance, User is trying to connect to GP using username gpuser.
If the GP Portal's User/User Group is configured with an AD Group ( lets say cn=it_operations,cn=users,dc=pandomain,dc=com), check the output of below command:
> show user group name cn=it_operations,cn=users,dc=pandomain,dc=com

source type: service
source:      AD_Group_Mapping_al.com
[1     ] pandomain\gpuser
[2     ] pandomain\alex
[3     ] pandomain\paloaltouser
In this case, username gpuser will not match pandomain\gpuser in group mapping table.
Configuring "User Domain" with pandomain in Authentication profile will fix the issue.

Here are some article for reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClokCAC
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CliyCAC
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVcCAK


Additional Information
Below command for reference:
show user group list
show user group name "Group_Name"
show user user-ids match-user <username>



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000PLSO&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkcSArticleDetail

Attachments
Choose Language