topic Re: Binding to AD with globalprotect in General Topics

Binding to AD with globalprotect

jdprovine — Thu, 30 Aug 2018 14:37:42 GMT

We have user accessing the globalprotect VPN using their AD account and we have userid enabled, but we do not see any evidence of the users in the AD domain controller, is that because GP is accessing the DC using a service account? Is there anyway to get the AD accounts to bind on the DC? We need these records for other things

Re: Binding to AD with globalprotect

Mick_Ball — Thu, 30 Aug 2018 19:39:25 GMT

What authentication are you using... is it ldap?

Re: Binding to AD with globalprotect

jdprovine — Fri, 31 Aug 2018 12:51:37 GMT

@Mick_Ball

That is what it is setup for on the PA but i did not set it up and I have been told that the LDAP is used as a connector to AD. So LDAP connector AD authentication

Re: Binding to AD with globalprotect

BPry — Fri, 31 Aug 2018 13:54:20 GMT

@jdprovine,

Are you looking for like the 'last logon date' getting updated or something like that? That's not really going to work at all. When you auth with GlobalProtect the firewall is uing the ADs LDAP function to verify that the user and the password is correct; if that comes back as True then you are continue the login process.

Technically when you use LDAP you aren't actually 'logged in' as far as AD is concerned, that's just a function of how LDAP functions. The firewall is simply acting as a 'client' and whatever is hosting your LDAP service is acting as the 'Server'. The client connects to the server and basically asks "does user 'bpry' with password 'PaloAltoFakePass'" exist within the database. If the server responds 'Yup' then it'll let you login, if not then the process won't continue.

Re: Binding to AD with globalprotect

jdprovine — Fri, 31 Aug 2018 14:06:01 GMT

@BPry

Correct that is what my colleague is looking to have the last login date updated and there is no other way to do this that would give us that is there.

So LDAP is looking in AD to make sure that the user and password are correct? Is the userid showing up in the traffic logs because userid is enabled or something else?

Re: Binding to AD with globalprotect

BPry — Fri, 31 Aug 2018 14:09:26 GMT

@jdprovine,

If you login to GlobalProtect the firewall will by default record the source-user, as it verified the user internally and will automatically include this user in the user-id table.

Re: Binding to AD with globalprotect

jdprovine — Fri, 31 Aug 2018 14:12:19 GMT

@BPry

Well I guess I am stuck with the way things are, the only users this really applies to are users who are soley using the VPN and never login locally I would say.

Re: Binding to AD with globalprotect

BPry — Fri, 31 Aug 2018 18:33:07 GMT

@jdprovine

Ya depending on how you utilize that attribute in AD this can cause some issues going forward; many places will automatically disable accounts that haven't logged-in during a certain timeframe. Your only real option is to simply remind people that they need to login within 'x' days or move away from LDAP as the authentication method for GP.

Re: Binding to AD with globalprotect

Mick_Ball — Fri, 31 Aug 2018 18:40:00 GMT

You could run a post GP logon script, they run auto when connected.

perhaps map the users home drive, this will force domain auth in the background, this will be recorded in the AD security log and PA user id will pick this up....

Re: Binding to AD with globalprotect

BPry — Fri, 31 Aug 2018 18:41:15 GMT

@Mick_Ball,

That would work if this is a domain joined machine and you actually want to be mapping a drive. My assumption in a university enviroment would be that this is more of an issue with users that are using personal devices or home devices correct @jdprovine?

Re: Binding to AD with globalprotect

jdprovine — Fri, 31 Aug 2018 18:46:01 GMT

@Mick_Ball @BPry

Yeah the real issue is with retirees that need to get on some of our internal site to do healthcare forms etc. so they are no longer using a domain joined pc but a personal one, but it was a good thought mickball

Re: Binding to AD with globalprotect

jdprovine — Fri, 31 Aug 2018 18:46:58 GMT

@BPry @Mick_Ball

Yes you are correct @BPry

Re: Binding to AD with globalprotect

Mick_Ball — Fri, 31 Aug 2018 18:52:46 GMT

Ok gotcha... thanks for the clarifimaca.. claricafatio.... clamicafati..

thanks for letting me know.,!

Re: Binding to AD with globalprotect

jdprovine — Fri, 31 Aug 2018 18:58:17 GMT

@Mick_Ball

LOL you crack me up mickball, I like the clamification of it all