Having a multi-domain environment makes things a little tricky when it comes to things like DNS, VPN, authentication, etc. on firewalls. So, I’m creating this running blog post to show lessons I’ve learned and picked up along the way.
The way I’ve gotten this to work is through trial and error, support calls, researching, and being creative.
Also, keep in mind this is for my particular environment (one root domain, multiple subdomains). There may be other ways to skin the proverbial cat.
Create Service Account(s)
In order to authenticate users in AD (my environment is Windows; RADIUS is a different configuration), you’ll need a service account on each domain for which you are authenticating users. We had to create a service account for each domain.
Create LDAP Profile
Create an LDAP Profile for the domain and use the service account you created earlier. Add the domain controllers you will be using for authentication. Here you can choose unencrypted LDAP or LDAP over SSL. Again, I had to create one per domain.
Create Group Mapping
Create the group mappings for the particular domain; make sure to add the security groups needed for User-ID/VPN authentication.
Create User ID agent
For my particular configuration, in order to get it to work properly, I decided to put the User-ID agent on all root and subdomain domain controllers. I initially tried installing it only on the root domain controller, but for whatever reason we could not get that to work. In addition to adding this configuration to the firewall itself, you have to install the User-ID agent on a separate box. Note that there are specific versions that work better with Server 2019.
Create Authentication Profile
This is pretty straightforward. Create the auth profile and reference the correct LDAP profile. Go to the Include tab and add the specific security group.
Create Authentication Sequence
This is also pretty straightforward. Add the Auth Profile to the Auth Sequence if you already have one; if not, you can create one and add it. This is not a necessary step, but it will be if you are using the same VPN portal for more than one domain.
*Note – For an authentication sequence, the firewall first tries to match the user to an auth profile; if that fails, it goes through every profile in the auth sequence trying to match the user to one.*
*Note – This is from my personal experience. I’ve run into issues where the auth sequence/profile might be a corrupted object. I have had some occasional success cloning an existing auth sequence and using that in order to successfully authenticate a user.*
Add Auth Profile to VPN Config
Don’t forget to add the Authentication Profile/Sequence to the VPN configuration (Portal and Gateway).
Testing
Testing can be nerve-racking, especially when you know the configuration is fine. (wink wink) I always start with the basics first. Usually the issue is something easy, like the password not working or the user account being disabled. If it is not a simple AD issue, then you can break out the big guns, like calling support or going through the normal troubleshooting steps and verifying the whole configuration.
Tricks of the Trade
There are several resources and commands that have been really helpful in troubleshooting this new setup, because they help isolate an issue to a specific part of the configuration. It gets very complicated very fast once you have multiple domain controllers, types of users, VPN portals, etc. It is very helpful to look at the logs first to see if you can narrow down the reason for the specific issue you’re having. This is not only for troubleshooting VPN; it is a good first step for troubleshooting any issue.
As I noted earlier, from my personal experience the auth sequence/profile can turn out to be a corrupted object, and I have had occasional success cloning an existing auth sequence and using the clone to get a user authenticated. However, there are multiple factors to consider when a new user is created: it could be AD replication, the AD service on the firewall, or a problem with the user account itself. The most common error I’ve experienced in this situation is ‘user not in allowlist’.
I use the test authentication command to see whether the user is able to authenticate at all. show user group name is also helpful, to see which users the firewall sees in a particular security group. If the user authenticates but still is not seen in the group, it is something to do with the Palo AD service or AD replication. A reboot of the firewall restarts the service. Refreshing the group mappings is another helpful step (debug user-id refresh group-mapping all, debug user-id reset group-mapping all).
Check the Palo Alto support website for the exact syntax of these commands, but this is a good place to start.
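The firewall-side commands above tell you what the firewall sees; the AD side is where the "basics" (disabled account, expired password, lockout) and replication lag actually live. The following PowerShell script is an added example, not part of the original post and not a Palo Alto tool. For each domain it first attempts an LDAPS bind with the service account, which is the same operation the firewall’s LDAP profile performs, and then asks every listed domain controller in that domain about the user and the VPN group, so that a DC that disagrees with the others stands out. The domain names, DC names, service accounts, group DNs and the user name are all constructed placeholders for this example; it assumes the ActiveDirectory module is installed on the box you run it from and that the DCs listen on 636 with a certificate the box trusts. It checks direct group membership only, so a user who reaches the group through nesting will show InVpnGroup = False here even though the firewall may still map them.

```powershell
# Added example (not from the original post): per-domain checks that mirror what the firewall
# must do before it can authenticate a VPN user. Every server, account, group and user name
# below is a constructed placeholder; replace them with your own.
#Requires -Modules ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

# One entry per domain: the DCs the LDAP profile points at, the service account used for the
# LDAP bind, and the security group referenced in the authentication profile's Include list.
$Domains = @(
    @{ Name = 'corp.example.com';    DCs = @('dc1.corp.example.com', 'dc2.corp.example.com')
       BindUser = 'CORP\svc-pa-ldap'; Group = 'CN=VPN-Users,OU=Groups,DC=corp,DC=example,DC=com' }
    @{ Name = 'eu.corp.example.com'; DCs = @('dc1.eu.corp.example.com')
       BindUser = 'EU\svc-pa-ldap';   Group = 'CN=VPN-Users,OU=Groups,DC=eu,DC=corp,DC=example,DC=com' }
)
$UserToCheck = 'jdoe'   # sAMAccountName of the user who cannot log in (placeholder)

# 1. Can the service account bind over LDAPS (port 636) to each DC? If this fails, the firewall's
#    LDAP profile for that domain fails the same way, and nothing downstream can work.
function Test-LdapsBind {
    param([string]$Server, [string]$User, [System.Security.SecureString]$Password)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($User, $Password)
    try     { $conn.Bind(); return $true }
    catch   { Write-Warning "LDAPS bind to $Server as $User failed: $($_.Exception.Message)"; return $false }
    finally { $conn.Dispose() }
}

# 2. Does each DC in the domain agree about the user? Enabled/LockedOut/PasswordExpired explain the
#    simple failures; membership present on one DC but missing on another points at replication.
#    The user is looked up in every domain, so Found = False in a domain where the account does
#    not live is expected and not an error.
function Get-VpnUserState {
    param([string]$Server, [string]$User, [string]$GroupDn)
    try {
        $u = Get-ADUser -Identity $User -Server $Server `
                 -Properties Enabled, LockedOut, PasswordExpired, MemberOf -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ DC = $Server; Found = $false; Enabled = $null
                                  LockedOut = $null; PasswordExpired = $null; InVpnGroup = $null }
    }
    [pscustomobject]@{
        DC              = $Server
        Found           = $true
        Enabled         = $u.Enabled
        LockedOut       = $u.LockedOut
        PasswordExpired = $u.PasswordExpired
        InVpnGroup      = ($u.MemberOf -contains $GroupDn)   # direct membership only
    }
}

foreach ($d in $Domains) {
    Write-Host "== $($d.Name) =="
    $pw = Read-Host "Password for $($d.BindUser)" -AsSecureString
    foreach ($dc in $d.DCs) {
        $bindOk = Test-LdapsBind -Server $dc -User $d.BindUser -Password $pw
        Write-Host ("  {0}: LDAPS bind as service account = {1}" -f $dc, $bindOk)
    }
    $states = foreach ($dc in $d.DCs) { Get-VpnUserState -Server $dc -User $UserToCheck -GroupDn $d.Group }
    $states | Format-Table -AutoSize
    # If the DCs disagree on group membership, the firewall may simply be reading a DC that has not
    # replicated yet; let replication finish before refreshing or resetting group mapping on the firewall.
    if (($states.InVpnGroup | Select-Object -Unique).Count -gt 1) {
        Write-Warning "DCs in $($d.Name) disagree on membership of $UserToCheck in the VPN group (replication lag?)"
    }
}
```

Run it from a management host with the RSAT ActiveDirectory module before reaching for support: a failed bind isolates the problem to the service account, certificate or LDAPS listener; a disabled, locked or expired account isolates it to the user; and a membership difference between DCs isolates it to replication rather than to the firewall’s group mapping.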
Also, this article was significant in getting the User-ID agent working on our DCs. Follow the instructions, or consult your systems person if you do not support the servers in your environment:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEuCAK
Lessons Learned
Ideally, you will just have one domain, one set of users, one VPN. I believe this describes the majority of environments. However, different companies do different things for whatever “business” reason they need to. I like to say anything is possible, but is it worth the time and effort to get it done? Learning something new and challenging yourself is always a worthwhile pursuit in my opinion. This was challenging, but also rewarding when it did finally work as I needed it to.
IT pro with a decade of experience in the field.