topic Re: Restrict VPN access to AD group in General Topics

Restrict VPN access to AD group

g_sipp — Mon, 06 Feb 2012 22:43:45 GMT

Hi,

I want to give a VPN ipsec access to a group of users.

In GlobalProtect Portal | Client Configuration, I set the AD group in Source User.

My problem : all the users in the AD OU have access to the VPN despite they're not in the group.

I must have missed something ...

Someone already had this issue ?

Thanx.

Re: Restrict VPN access to AD group

rmonvon — Wed, 08 Feb 2012 04:34:11 GMT

Hi...When you define the Authentication Profile, you would select the desired AD group(s) under the 'Allow List'. You then set Global Protect to use this auth profile and only those users in these group will be permitted.

Thanks.

Re: Restrict VPN access to AD group

paloalto.nis — Wed, 08 Feb 2012 11:03:15 GMT

Hi,

In Authentication Profile, under the 'Allow List', I can't see my AD groups.

I’ve tried to manually enter the group name but it doesn't work.

In User Identification | Group Mapping, I've been able to include all the AD groups I want to use. And I can see these groups in GlobalProtect Portal | Client Configuration | Source User.

Thanx

Re: Restrict VPN access to AD group

g_sipp — Wed, 08 Feb 2012 11:06:48 GMT

Hi,

In Authentication Profile, under the 'Allow List', I can't see my AD groups.

I’ve tried to manually enter the groups but it doesn’t work.

In User Identification | Group Mapping, I've been able to include all the AD groups I want to use. And I can see these groups in GlobalProtect Portal | Client Configuration |Source User.

Thanx

Re: Restrict VPN access to AD group

rmonvon — Wed, 08 Feb 2012 15:07:51 GMT

Within the Authentication Profile, please make sure you set the authentication=LDAP and set the Server Profile=LDAP server.

Also, what version of PAN-OS are you running?

Re: Restrict VPN access to AD group

g_sipp — Wed, 08 Feb 2012 15:42:28 GMT

Within the Authentication Profile, authentication was already set to LDAP and the Server Profile was already set.

I'm running PAN-OS 4.1.2.

Re: Restrict VPN access to AD group

rmonvon — Thu, 09 Feb 2012 02:01:05 GMT

If your network has many AD groups, we may not be able to display all the groups. Maybe you can type in a few letters and allow the system to search for groups matchin those letter. If that does not work and you have tried manually typing in the group names, then I suggest you open a case with support. Thanks.

Re: Restrict VPN access to AD group

g_sipp — Thu, 09 Feb 2012 11:42:15 GMT

Thank you very much for your help.

I'll open a case.

Re: Restrict VPN access to AD group

kamish — Thu, 09 Feb 2012 15:15:44 GMT

I beleive that this is a bug. We are also running 4.1.2 and I cannot set any OUs in our authentication profile either! Please update when you get your case resolved.

Thanks!!

Re: Restrict VPN access to AD group

rmonvon — Mon, 13 Feb 2012 22:00:17 GMT

Yes, it has been identified as a bug and is targeted to be fixed in the next release, 4.1.3. The workaround is to set the Allow List to 'all' under the Authentication Profile and define a Security Rule to allow access only to the specific AD group. Thanks.

Re: Restrict VPN access to AD group

g_sipp — Tue, 14 Feb 2012 08:50:02 GMT

OK, thanks again for your help.

Re: Restrict VPN access to AD group

cnamurdc — Tue, 22 Jan 2013 09:22:41 GMT

Hi there,

I'm running release 5.0.0, and I'm facing a similar problem.

For a vpn access, I created an authentication profile for a ldap group of users. In the allow list, the existing ldap groups are not displayed, so I cannot select the desired group.

It seems to be related to the bug mentionned in this thread, doesn't it?

Was this bug not fixed?

Thanks for your help.

Re: Restrict VPN access to AD group

SCoupland — Thu, 07 Feb 2013 23:18:48 GMT

This bug was fixed in 4.1.4 I believe. Have you added the LDAP groups you wish to use under Device-> User Identification-> Group Mappings? Do they show up in the CLI when you perform a "show user group name ?" ?

Re: Restrict VPN access to AD group

cnamurdc — Mon, 11 Feb 2013 11:23:47 GMT

In fact, after having added the LDAP groups in Group Mappings, they appeard in the CLI and I can select them in the allow list.

However, it is not working properly while testing. A user belonging to one LDAP group cannot be authenticated with the corresponding Authentication Profile.

After a talk with a Palo Alto representative, it seems to be a bug and a case has been opened.

Thanks.

Re: Restrict VPN access to AD group

LCMember2262 — Thu, 04 Apr 2013 09:51:48 GMT

Has this bug been squashed? I'm setting my groups under the authentication profile and I still can't authenticate myself unless I use All.

Re: Restrict VPN access to AD group

cnamurdc — Thu, 04 Apr 2013 10:07:32 GMT

No news about that so far.

We wanted to distinguish the users in order to filter their access to the IT ressources.

So we use a workaround by specifying the user LDAP group directly in the policies.

Re: Restrict VPN access to AD group

filipe — Thu, 04 Apr 2013 13:18:05 GMT

Hello,

In PanOS 5.0.1 and 5.0.3, I have successfully specified which group has access to GP vpn by setting Client Configuration > User/User Group. Just make sure your group mappings is correctly set.

Hope it helps.

Re: Restrict VPN access to AD group

LCMember2262 — Fri, 05 Apr 2013 03:26:08 GMT

okay i found the answer in another post. It wasn't authenticating because the domain was missing in the ldap server profile. It's weird that I can still login when I select any user in the authentication profile, but doesn't work when i narrow down to a single group.

Re: Restrict VPN access to AD group

SCoupland — Tue, 16 Apr 2013 11:11:39 GMT

I believe that's because when using a specific group/user it's checking the account against the account on device before passing it to LDAP to check whether the username/password is valid on the LDAP server. When you select all it skips the check and simply passes to the LDAP server. It's always worth tailing the authd.log on the device when troubleshooting authentication profile issues as it will highlight problems such as missing domain names to you.