<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Global Protect SSL VPN and 802.1x in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/global-protect-ssl-vpn-and-802-1x/m-p/9772#M7168</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi David&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;802.1x is not supported in GlobalProtect VPN.&lt;/P&gt;&lt;P&gt;You can however leverage user identification to grant users access based on their AD group membership. This will allow you to build security policy based on a source user group (admins/marketing/sales/...) and the GP IP pool towards several resources while blocking unauthorized access to other resources.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This can be accomplished by enabling user identification on the inbound zone of GP and configuring an LDAP profile plus userID group filter to retrieve group information. These groups can then be used in security policy to limit access for GlobalProtect users.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;regards&lt;/P&gt;&lt;P&gt;Tom&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 08 Jan 2013 11:36:50 GMT</pubDate>
    <dc:creator>reaper</dc:creator>
    <dc:date>2013-01-08T11:36:50Z</dc:date>
    <item>
      <title>Global Protect SSL VPN and 802.1x</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/global-protect-ssl-vpn-and-802-1x/m-p/9771#M7167</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I currently have 802.1x set up on our switches and it works very well for us in our environment. It allows our users to roam around the office and basically plug in wherever they want and they always live on the same VLAN and always have access to the same VLANs. We have many users outside of the office who need access to internal resources while on the go. We want to set up Global Protect to use SSL VPN to accommodate them. I have most of it set up and I can connect to the internal network and the internet just fine. The problem I am having is that I need to come up with a solution that gives GP Client users access to only the networks they should have access to and NOT the entire network. Is there a way for GP Client to authenticate via 802.1x, just as any user would inside the network? If so, how would I go about doing this? If not, are there other options?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 03 Jan 2013 15:58:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/global-protect-ssl-vpn-and-802-1x/m-p/9771#M7167</guid>
      <dc:creator>mario11584</dc:creator>
      <dc:date>2013-01-03T15:58:53Z</dc:date>
    </item>
    <item>
      <title>Re: Global Protect SSL VPN and 802.1x</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/global-protect-ssl-vpn-and-802-1x/m-p/9772#M7168</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi David&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;802.1x is not supported in GlobalProtect VPN.&lt;/P&gt;&lt;P&gt;You can however leverage user identification to grant users access based on their AD group membership. This will allow you to build security policy based on a source user group (admins/marketing/sales/...) and the GP IP pool towards several resources while blocking unauthorized access to other resources.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This can be accomplished by enabling user identification on the inbound zone of GP and configuring an LDAP profile plus userID group filter to retrieve group information. These groups can then be used in security policy to limit access for GlobalProtect users.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;regards&lt;/P&gt;&lt;P&gt;Tom&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 08 Jan 2013 11:36:50 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/global-protect-ssl-vpn-and-802-1x/m-p/9772#M7168</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2013-01-08T11:36:50Z</dc:date>
    </item>
    <item>
      <title>Re: Global Protect SSL VPN and 802.1x</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/global-protect-ssl-vpn-and-802-1x/m-p/9773#M7169</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Tpiens, thank you for your response. User identification is a good idea, however, we are an all-Linux environment and we are having trouble coming up with a solid solution implementing it. We are unable to use captive portal options because there isn't any way our 300+ users would respond well to having to log in via web form. It seems as if for now, we'll have to postpone using GP until we can figure out user identification. Thanks again!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 08 Jan 2013 16:07:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/global-protect-ssl-vpn-and-802-1x/m-p/9773#M7169</guid>
      <dc:creator>mario11584</dc:creator>
      <dc:date>2013-01-08T16:07:54Z</dc:date>
    </item>
  </channel>
</rss>

