topic Re: More than one Radius Connection Profile for GlobalProtect on PAN-OS 7.1.0 and Windows 2012 R2 NP in General Topics

More than one Radius Connection Profile for GlobalProtect on PAN-OS 7.1.0 and Windows 2012 R2 NPS

kdingwall — Tue, 06 Dec 2016 16:29:02 GMT

We are hosting 4 clients with each having their own server. I have setup 4 separate GlobalProtect Gateways and Portals for each client with access only to their server. I have configured Radius and tested it.

I want to be able have one different Active Directory group for each client and have the users that are in the respective groups only have access to their GlobalProtect Portal.

Re: More than one Radius Connection Profile for GlobalProtect on PAN-OS 7.1.0 and Windows 2012 R2 NP

BPry — Tue, 06 Dec 2016 18:20:19 GMT

If you only have one Active Directory server for all of these users then it would probably be best to simply change the user groups allowed to login on your GP portal configuration; that would allow you to have a 'client1' group with all of those users assigned and so on for all 4 on the 4 different portals and the other users would not be allowed.

Re: More than one Radius Connection Profile for GlobalProtect on PAN-OS 7.1.0 and Windows 2012 R2 NP

kdingwall — Wed, 07 Dec 2016 13:51:44 GMT

I want the users in the client1 group to be only able to connect to their client portal and not be able to use the portals for client2, 3 or 4. I think that I am going try to setup 4 different profiles running differnet ports then 1812 for each group.

Re: More than one Radius Connection Profile for GlobalProtect on PAN-OS 7.1.0 and Windows 2012 R2 NP

BPry — Wed, 07 Dec 2016 14:06:36 GMT

So if I understand this correctly you want to limit it so that client1 isn't even able to see the portal for client2 and so on; and not only having client1 not being able to login?

Re: More than one Radius Connection Profile for GlobalProtect on PAN-OS 7.1.0 and Windows 2012 R2 NP

kdingwall — Wed, 07 Dec 2016 16:15:21 GMT

I have 4 GlobalProtect Gateways and Portals on different IP address and different FQDNs (client1.domain.com, client2.domain.com, client3.domain.com, client4.domain.com). They are all set to split tunneling and each is limited to accessing only their own server on my network.

I have Radius setup and working. Right now all VPN users for all clients are in one Domain VPN group and can logon to all 4 VPN Portals. I want to have 4 separate Domain VPN groups (One for each client) and have someone in the client1vpn Domain group only be able to connect to the client1.domain.com VPN and someone in the client2vpn Domain group only be able to connect to the client2.domain.com VPN.

These servers have HIPPA data on them and no client is to have access to another client's data. Users from one client cannot logon to another client's server, but my supervisors do not want to be able to connect to another client's VPN.

Re: More than one Radius Connection Profile for GlobalProtect on PAN-OS 7.1.0 and Windows 2012 R2 NP

BPry — Wed, 07 Dec 2016 17:12:38 GMT

You can easily just seperate out who is allowed to login to which portal as already stated. Since you are limiting the connections to client1.domain.com to the client1 IP addresses there is no reason to change ports or anything like that.

Re: More than one Radius Connection Profile for GlobalProtect on PAN-OS 7.1.0 and Windows 2012 R2 NP

kdingwall — Wed, 07 Dec 2016 20:14:54 GMT

Maybe I am not being clear. I do not want someone that is in the client1 domain group to only be able to authenticate to the the client1 portal.

With radius there does not seem to be a way to do this.

I am now trying with LDAP.

I am now running into another issue.

If I select a specific domain group in the Authentication Profile, I get an Authentication Failed on the client.

If I select All in the Authentication Profile, it works.

So I am back to square one again.

Re: More than one Radius Connection Profile for GlobalProtect on PAN-OS 7.1.0 and Windows 2012 R2 NP

kdingwall — Wed, 14 Dec 2016 15:20:08 GMT

The LDAP issue was solved by manually typing in the word none in the Username Modifier field.