https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-active-directory-accounts/m-p/15513#M11377 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Here a doc which can help you: <A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-4332">https://live.paloaltonetworks.com/docs/DOC-4332</A></P><P>Just keep in ming that maybe for external access your AD password are not enough strong <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Setup a radius&nbsp; or new account for vpn can take time but for vpn auth it can be needed.</P><P></P><P>V.</P></BODY></HTML> Wed, 12 Jun 2013 14:07:40 GMT VinceM 2013-06-12T14:07:40Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-active-directory-accounts/m-p/15511#M11375 <HTML><HEAD></HEAD><BODY><P>Hello all,</P><P></P><P>I have what might be a simple question. I want to authenticate to Global Protect SSL-VPN using my current Active Directory users. Do I need to have the User ID software installed on a domain server to do this? If thats needed for LDAP can one of the other server types do what I'm looking for with out the software on a server?</P><P></P><P>I have a PA-500 running 5.0. I have set-up the LDAP "server" and I have the authentication set-up but its still not working.</P><P></P><P>Also, how can I test if the LDAP connection is working right or not? Is there a test option someplace or something I should look for in the logs? Is there someplace that should display users or groups?</P><P></P><P>Thanks,</P><P>Doug</P><P></P><P></P><P><BR /> </P></BODY></HTML> Wed, 12 Jun 2013 13:50:09 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-active-directory-accounts/m-p/15511#M11375 jnunham 2013-06-12T13:50:09Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-active-directory-accounts/m-p/15512#M11376 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>You can use user-id function agentless system.</P><P>Also look at group mapping if you can see all groups or not.if ldap is ok you should see groups.</P><P>How did&nbsp; you configure auht. profile ldap ?</P></BODY></HTML> Wed, 12 Jun 2013 13:56:58 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-active-directory-accounts/m-p/15512#M11376 Retired Member 2013-06-12T13:56:58Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-active-directory-accounts/m-p/15513#M11377 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Here a doc which can help you: <A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-4332">https://live.paloaltonetworks.com/docs/DOC-4332</A></P><P>Just keep in ming that maybe for external access your AD password are not enough strong <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Setup a radius&nbsp; or new account for vpn can take time but for vpn auth it can be needed.</P><P></P><P>V.</P></BODY></HTML> Wed, 12 Jun 2013 14:07:40 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-active-directory-accounts/m-p/15513#M11377 VinceM 2013-06-12T14:07:40Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-active-directory-accounts/m-p/15514#M11378 <HTML><HEAD></HEAD><BODY><P>HI Panos,</P><P></P><P>I was able to go into group mapping and was able to get into AD and select a user group, so it does look like it can read AD. I went back to the auth profile remove "all" and added the now available AD query. But still no luck. I think I'm going to re-review everything since I've been working at it for awhile I could have the wrong profile or server selected some place.</P><P></P><P>Vince - is there a password strength check someplace between AD and the Global protect portal? The one I'm testing with right now should be ok, but I know I have users that have not very strong passwords. I guess I was counting on the system just passing the passwords through reguardless of how strong they might be.</P><P></P><P>Thanks,</P><P>Doug</P><P><BR /> </P></BODY></HTML> Wed, 12 Jun 2013 14:36:21 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-active-directory-accounts/m-p/15514#M11378 jnunham 2013-06-12T14:36:21Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-active-directory-accounts/m-p/15515#M11379 <HTML><HEAD></HEAD><BODY><P>For password strengh, you can configure a minimum password complexity politic in the palo but only local account ... sorry. Else this politic have to be taken in charge by the remote authent server (AD in your case).</P><P></P><P>V.</P></BODY></HTML> Wed, 12 Jun 2013 14:45:24 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-active-directory-accounts/m-p/15515#M11379 VinceM 2013-06-12T14:45:24Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-active-directory-accounts/m-p/15516#M11380 <HTML><HEAD></HEAD><BODY><P>Ok this is working, I found the missing piece in the re-review.</P><P></P><P>I had to include my new AD members group from User Identification in the Global Protect portal set-up and now its all working!! Now I can jump into deeper testing.</P><P></P><P>Thanks all.</P><P></P><P><BR /> </P></BODY></HTML> Wed, 12 Jun 2013 14:52:02 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-active-directory-accounts/m-p/15516#M11380 jnunham 2013-06-12T14:52:02Z