Connection to GlobalProtect is Failing with Error "Matching client config not found"

143605
Created On 04/16/19 13:47 PM - Last Modified 04/16/19 19:50 PM


Symptom
  • GlobalProtect configured on the firewall
  • When logging in to GlobalProtect portal using a web browser, authentication is successful
  • Per the system logs, authentication to the portal and gateway is successful; however, GlobalProtect fails with the error below
[Screenshot: GlobalProtect error message]

System Logs:
[Screenshot: system log entries]


Environment
GlobalProtect portal and gateway configured with User/UserGroup config selection criteria

Cause
This can happen when the GlobalProtect gateway is configured with User/User group selection criteria and the username the client is using is not on that list, or is not a member of the Active Directory group added under User/User group.
  • User/User group can be configured by navigating to Network > GlobalProtect > Gateway, clicking the gateway name, then Agent > Client Settings > Config Selection Criteria tab.
  • Sometimes this issue is seen when the username learned via GlobalProtect doesn't match the username format in the group-mapping table.


Resolution
Step 1: Make sure the username the client is connecting with is added in the User/User group.
Step 2: If the user is a member of an AD group, make sure the AD group is added in the User/User group.
Step 3: If the username or AD group is already added, also check the "User Domain" setting in the User-ID Group Mapping settings and in the Authentication Profile.

For instance, suppose the user is trying to connect to GlobalProtect with the username gpuser.

If the GlobalProtect gateway's User/User group is configured with an AD group (let's say cn=it_operations,cn=users,dc=pandomain,dc=com), check the output of the command below:
> show user group name cn=it_operations,cn=users,dc=pandomain,dc=com

source type: service
source:      AD_Group_Mapping_al.com
[1     ] pandomain\gpuser
[2     ] pandomain\alex
[3     ] pandomain\paloaltouser

In this case, the username gpuser will not match pandomain\gpuser in the group-mapping table. Configuring "User Domain" with pandomain in the Authentication Profile will fix the issue.
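
The comparison described above, as an added example (not code from this article or from Palo Alto Networks): it parses the `show user group name` output and reports whether a login name fails because of the username format or because the user is not a member at all. The function names, the case-insensitive comparison, and the model of "User Domain" as a prefix on a bare username are assumptions made for illustration.

```python
import re

# Constructed sample: the "show user group name ..." output quoted in the article.
SAMPLE_OUTPUT = r"""
source type: service
source:      AD_Group_Mapping_al.com
[1     ] pandomain\gpuser
[2     ] pandomain\alex
[3     ] pandomain\paloaltouser
"""

# Member lines look like "[<index>   ] <domain>\<user>".
MEMBER_LINE = re.compile(r"^\[\s*\d+\s*\]\s+(\S.*?)\s*$")


def parse_group_members(cli_output):
    """Return the member names listed as '[n ] name' lines in the CLI output."""
    members = []
    for line in cli_output.splitlines():
        m = MEMBER_LINE.match(line.strip())
        if m:
            members.append(m.group(1))
    return members


def normalize(username, user_domain=""):
    """Assumed model of the fix: prefix a bare username with user_domain."""
    if "\\" not in username and user_domain:
        username = f"{user_domain}\\{username}"
    return username.lower()  # assumption: names compare case-insensitively


def diagnose(login_name, cli_output, user_domain=""):
    """Classify why login_name does or does not match the group-mapping entries."""
    members = [m.lower() for m in parse_group_members(cli_output)]
    candidate = normalize(login_name, user_domain)
    if candidate in members:
        return "match"
    # Same account name with a different or missing domain part is a
    # format mismatch, not a missing group membership.
    bare = candidate.rsplit("\\", 1)[-1]
    if any(m.rsplit("\\", 1)[-1] == bare for m in members):
        return "format-mismatch"
    return "not-a-member"


if __name__ == "__main__":
    for name, domain in [("gpuser", ""), ("gpuser", "pandomain"), ("bob", "pandomain")]:
        print(name, repr(domain), "->", diagnose(name, SAMPLE_OUTPUT, domain))
```

A "format-mismatch" result corresponds to Step 3 (check the User Domain settings), while "not-a-member" corresponds to Steps 1 and 2.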
 


Additional Information
For additional information, here are some articles for reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClokCAC
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CliyCAC
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVcCAK

