topic Re: Two Subnets For Two Group Of People in General Topics

Two Subnets For Two Group Of People

mikealanni — Mon, 10 Oct 2016 15:12:58 GMT

Hi,

Can one help me how to configure two groups of people that use GP as a VPN client?

let say I have user 1-5 needs to access my inside firewall with subnet 192.168.1.0/24

and I have users 6-10 needs to access my inside and couple of the IPsec tunnel to reach inside of other firewalls with subnet 192.168.2.0/24

Is there a way to do it by multiple gateways or any other way?

PANOS 7.14h2

GP 3.1.1

no local user database

Re: Two Subnets For Two Group Of People

bmorris1 — Tue, 11 Oct 2016 15:35:02 GMT

Hi Mikelanni,

Yes you can do this by navigating to your GP gateway configuration and in the agent menu:

In the client settings tab you can add a seperate client setting for your different user groups which you can configure them to have different subnets/access routes etc.

hope this helps,

Ben

Re: Two Subnets For Two Group Of People

mikealanni — Tue, 11 Oct 2016 14:23:59 GMT

I tried that with LDAP group but never works (no idea why and I don't recall the error i got it from GP client need to test again and check what was the error) looks it not get the users from the group.

also do you give VPN users same subnet to your inside networks? as I always give them another subnet

Re: Two Subnets For Two Group Of People

bmorris1 — Tue, 11 Oct 2016 15:11:10 GMT

Hi Mikealanni,

In that case it would be worth taking a look at your group mapping settings and making sure your users are mapped to the groups correctly.

The configuration info on group mapping can be found here:

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/map-users-to-groups#74222

Additionally there is a nice guide on how to troubleshoot the various aspects of user-id here, you would need to use the CLI to check what users are mapped to which groups:

https://live.paloaltonetworks.com/t5/Management-Articles/Troubleshooting-User-ID-Group-and-User-to-IP-Mapping/ta-p/59072

CLI command to show user and their group mapping info:

> show user user-ids

Filter it down to a single user:

> show user user-ids match-user (user name)

Actually you would want your GP VPN users in seperate subnets as the local network to avoid any layer 2 issues, the screenshot was a bit hurried by me. I will modify it 🙂

hope this helps,

Ben

Re: Two Subnets For Two Group Of People

mikealanni — Tue, 11 Oct 2016 16:22:01 GMT

Firewall group working and I can see my users ( show user user-ids) in format

domain\first.last

if I used that format in GP client I got error authentication failed but If I use first.last format only I got assign private ip failed

here is what it showing in my group map

domain\mike.alani vsys1 cn=vpnadmin,ou=groups,ou=XXX,ou=services,ou=xxxx,dc=domain,dc=xxx,dc=xxx

just changed couple info with xxx

Here is so far what I've found

if I configure my GP client setting with first.last and the GP VPN client as first.last then it will connect

if I configure my GP client setting with domain\first.last (as Palo alto drop list showing) and the GP client as first.last then it will not connect and give me error assign private IP failed

if I configure my GP client setting with domain\first.last and the GP client as domain\first.last then it will not connect and give me error authentication failed

if I configure my GP client setting with group and the GP client as first.last then it will not connect and give me error assign private IP failed

if I configure my GP client setting with group and the GP client as domain\first.last then it will not connect and give me error assign private IP failed

Re: Two Subnets For Two Group Of People

bmorris1 — Tue, 11 Oct 2016 16:23:21 GMT

Hi Mikelanni,

My advice would be to follow these steps in the troubleshooting guide for the private IP address assign issue:

Check if the IP address pool has enough IPs
Check if the IP pool does not overlaps with the IP of the Client PC.
Check if the User Group used in Global Protect -> gateway -> Client Configuration -> Network Setting is properly included in the Group Mappings on the firewall and firewall is able to fetch the group from the AD server.
Check if the user belongs to the correct group as mentioned in the Network Settings of Client Configuration under GP gateway.

https://live.paloaltonetworks.com/t5/Management-Articles/Troubleshooting-GlobalProtect/ta-p/75770

Additionally check the 'remote users' part in the info section of the GP gateways and disconnect any existing sessions from your user that you may have.

Your authentication profile is likely set up to include the domain field during authentication, so that is why the format 'domain\first.last' is failing when you try this as the firewall would see it as 'domain\domain\first.last'

If you still have trouble after trying this then it would need a deeper look so might be worth raising a support ticket.

hope this helps,

Ben

Re: Two Subnets For Two Group Of People

mikealanni — Tue, 11 Oct 2016 16:30:10 GMT

Here is so far what I've found

if I configure my GP client setting with first.last and the GP VPN client as first.last then it will connect

if I configure my GP client setting with domain\first.last (as Palo alto drop list showing) and the GP client as first.last then it will not connect and give me error assign private IP failed

if I configure my GP client setting with domain\first.last and the GP client as domain\first.last then it will not connect and give me error authentication failed

if I configure my GP client setting with group and the GP client as first.last then it will not connect and give me error assign private IP failed

if I configure my GP client setting with group and the GP client as domain\first.last then it will not connect and give me error assign private IP failed

Re: Two Subnets For Two Group Of People

mikealanni — Thu, 13 Oct 2016 17:17:12 GMT

found what was the error

I tried couple users with their machines and it was working but my desktop was not then I figured out that when I capitalize my first letter from mike to Mike that made the GP connect and no error.

The weird thing is when I use mike in another laptop it is working 🙂

Re: Two Subnets For Two Group Of People

mikealanni — Thu, 20 Oct 2016 20:55:28 GMT

ok, solve this issue

first I figured that my desktop if I use mike.alani it will not match the LDAP group but If I used Mike.alani then it will match (other computers have not face this issue)

upgrading the firewall to 7.1.5 solve the issue with my desktop!!!