Connection to GlobalProtect is Failing with Error "Matching client config not found"
Created On 04/16/19 13:47 PM - Last Modified 04/16/19 19:50 PM
- GlobalProtect configured on the firewall
- When logging in to GlobalProtect portal using a web browser, authentication is successful
- Per the system logs, authentication to the portal and gateway is successful; however, GlobalProtect fails with the below error
GlobalProtect portal and gateway configured with User/UserGroup config selection criteria
This could happen when GlobalProtect gateway is configured with User/User group, and the username being used by the client is not on the list or the username is not on the member list of Active Directory Group added under User/User group.
- User/User group can be configured by navigating to Network > GlobalProtect > Gateway, click the Gateway name > Agent > Client Settings > Config Selection Criteria tab.
- Sometimes this issue is seen when the username learnt via GlobalProtect doesn't match the username format in the group-mapping table.
Step 1: Make sure the username that the client is trying to connect is added in the User/User group.
Step 2: If the user is a member of an AD group, make sure the AD group is added in the User/User group.
Step 3: If the username or AD Group is already added, you may need to also check "Domain User" config in User-ID Group Mapping settings and Authentication Profile.
For instance, the user is trying to connect to GlobalProtect with username gpuser.
If the GlobalProtect gateway's User/User group is configured with an AD Group ( lets say cn=it_operations,cn=users,dc=pandomain,dc=com), check the output of below command:
> show user group name cn=it_operations,cn=users,dc=pandomain,dc=com source type: service source: AD_Group_Mapping_al.com [1 ] pandomain\gpuser [2 ] pandomain\alex [3 ] pandomain\paloaltouser
In this case, username gpuser will not match pandomain\gpuser in group mapping table. Configuring "User Domain" with pandomain in Authentication Profile will fix the issue.
For additional information, here are some article for reference: