- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
06-11-2013 12:37 PM
Hi all,
We'd like to use an Active Directory group in our root domain (e.g. "company.com") to control GlobalProtect authentications. Let's name this AD group "VPN Access" (it's a "Universal" Security Group). It contains user objects from the root domain itself but also from other subordinate domains like "branch1.example.com". Unfortunately, our PA-2050 ignores all foreign users added to this group. All root-domain users are visible when executing the following CLI command:
show user group name "cn=vpn access,ou=usergroups,dc=example,dc=com"
The LDAP profile connects to a Global Catalog Active Directory server in the root domain ("example.com") and is configured with the following settings on the PA:
Is there any way to force the PA to recognize the sub-domain users in this parent domain group?
Thanks in advance!
Oliver
06-11-2013 01:23 PM
i belive you should configure the port for the global catalog and not the regular ldap port:
if this DC is GC then configure:
3269 - for ssl connection (this i am not sure the defaults, you may try first unencrypted)
3268- for unencrypted connection
06-11-2013 01:23 PM
i belive you should configure the port for the global catalog and not the regular ldap port:
if this DC is GC then configure:
3269 - for ssl connection (this i am not sure the defaults, you may try first unencrypted)
3268- for unencrypted connection
06-11-2013 02:00 PM
That's it, thank you very much dorm! I didn't know that Global Catalog uses a different port. 3269 works with SSL by the way.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!