GlobalProtect : Need a VPN that separates users into different VLANs; is this possible w/o Panorama?

andersone — Wed, 02 Nov 2016 22:05:25 GMT

I need my client VPN to support different vlans based upon authentication to either Microsoft NPS or LDAP groups.
I want a different vlan/IP assigned to the user depending on which group in Active Directory they are in.

Is this configuration possible without purchasing Panorama?

Thanks!

Re: GlobalProtect : Need a VPN that separates users into different VLANs; is this possible w/o Panor

hzayed — Thu, 03 Nov 2016 21:23:33 GMT

Hi!

In the Gateway configuraiton, you can assign the client configuration to apply specifically to a group of users. In the client configuartion, you can choose the IP pool and the access route.

Network > GlobalProtect > Gateways > Agent > Client Settings

User/User Group tab	Specify the user or user group and client operating system to which this agent configuration applies.
User/User Group	Add a specific user or user group to which this configuration applies. Note: You must configure group mapping (Device > User Identification > Group Mapping Settings) before you can select users and groups. You can also create configurations that are deployed to agents or apps in pre-logonmode (before the user logs in to the endpoint) or configurations to deploy to anyuser.

Furthermore, when the user connects to GlobalProtect, the firewall will save the user to IP mapping, you can simply configure security policies based on the user group.

I'm not sure how Panorama is relevant here, you can do the above with or without Panorama.

Hope it helps.

Best regards,

Haytham

topic GlobalProtect : Need a VPN that separates users into different VLANs; is this possible w/o Panorama? in General Topics

GlobalProtect : Need a VPN that separates users into different VLANs; is this possible w/o Panorama?

Re: GlobalProtect : Need a VPN that separates users into different VLANs; is this possible w/o Panor