topic Re: GlobalProtect and AD group restriction in General Topics

GlobalProtect and AD group restriction

fcremer — Tue, 06 Dec 2011 16:42:09 GMT

Hi,

I'm setting up GlobalProtect, which works just fine. Now I want to restrict GlobalProtect access to only 1 AD group. I created a separate GP authentication profile with my ssl_vpn AD group in the allow list, but as soon as I commit that allow list, not a single user can log in to the GlobalProtect anymore.

Is this the correct way to configure this? I also tried configuring the AD group as source user on the GlobalProtect portal definition, but that didn't help either.

I'm suspecting that there is a problem with the retrieval of the groups and the group membership from the AD server. We added the AD group to the AD after configuring the AD server definition in the PAN firewall, after which we couldn't see it in the web interface listed in the available AD groups. However, in CLI the "show user group-mapping state <domain>" showed the group, so it seemed to be retrieved by the PAN. We configured the GlobalProtect settings via CLI, since the group was not visible in the web interface.

Could this be related? Any other way to get more information about the available groups on the device?

Edit: PA-2050 cluster, running 4.1.0, group mapping is configured on the firewall.

Re: GlobalProtect and AD group restriction

snaft — Thu, 15 Dec 2011 21:03:59 GMT

I am having a similar issue.

PA guys, any hints? Is this a bug in 4.1?

Re: GlobalProtect and AD group restriction

OCDBE — Thu, 15 Dec 2011 21:56:11 GMT

Same issue exists here..

Re: GlobalProtect and AD group restriction

LCMember2262 — Thu, 04 Apr 2013 09:43:27 GMT

bump.. trying to figure this out as well. two years later and documentation to complete such simple task is horrible.

Re: GlobalProtect and AD group restriction

filipe — Thu, 04 Apr 2013 13:30:51 GMT

Hello Tmasuda,

I believe there was a bug regarding this issue but it has since been fixed.

You can try to restrict access to a specific group by going to Global Protect Portal > Client Configuration > User/User Group, find the desired group to which you want to grant access for that specific configuration profile. The image below illustrates the path:

I have tested successfully in PanOS 5.0.1 and 5.0.3.

Hope it helps.

Re: GlobalProtect and AD group restriction

LCMember2262 — Fri, 05 Apr 2013 03:23:05 GMT

i found another post with the answer. You need to fill the domain under ldap server profile.

Re: GlobalProtect and AD group restriction

RamonWeldam — Tue, 04 Jun 2013 12:15:21 GMT

Thanks for this but I doubt this is the best practice. Personally I've configured an authentication sequence like PA recommended. First Kerberos, then Radius and then local. So I'd assume I should be able to retrieve a user/group list from Kerberos (and Radius) to specify the allow list there, not in the GP Portal config. Else, if Kerberos fails, wouldn't users authenticate with Radius and get access anyway? Or is it most restrictive, e.g.. if Kerberos fails it won't allow access? Then there's no proper auth sequence.

Re: GlobalProtect and AD group restriction

RamonWeldam — Tue, 09 Jul 2013 11:38:17 GMT

According to PAN, an authentication sequence is NOT recommended because of the reasons described earlier. It needs to be consistent so just one auth server should be chosen. One thing that confused me is that authentication and authorization appear to be the same in a PAN context: if you can't authenticate yuou are not authorized either. When you are authenticated, you are authorized too. In other words, all is done in the authentication section, there's no separate section for authorization in PANOS5.

Re: GlobalProtect and AD group restriction

djh3003 — Mon, 27 Nov 2017 05:46:57 GMT

is there a way to restrict users even installing GlobalProtect unless they are on a domain joined computer - ie. stopping users from installing it on their home computers ?

Re: GlobalProtect and AD group restriction

pulukas — Sun, 03 Dec 2017 13:02:13 GMT

You could use AD to install domain certificates on your own assets. Then use the presence of the valid certificate as a second factor in the Global protect authorization.

https://www.paloaltonetworks.com/documentation/71/globalprotect/globalprotect-admin-guide/set-up-the-globalprotect-infrastructure/set-up-globalprotect-user-authentication/set-up-two-factor-authentication/enable-two-factor-authentication-using-certificate-and-authentication-profiles