Today I faced with a problem, I had to add second gorup to my "Athentication Profile" and I can't do that...
Every time when I try to past a "CN=VPN_users,OU=U,OU=Work Groups,OU=Security,OU=Groups,DC=contoso,DC=local" I got it as a user not a group, why?
So finally I added "any" - but in my opinion it's bad idea because I allow all AD users to use GP. Do I am right?
I have dubt, how its working..
Why I have first add a group to Device>User Identyfication>Group Mapping settings?
So where I should leave "all" and where I should filter groups that are allowed for GP?
How (where) to exclude one user from group that is allowed?
1) By setting "all" in the authentication profile you are allowing all users to authenticate using LDAP
meaning: all usernames + passwords will be validated against your LDAP.
This does NOT mean that all users are able to use GlobalProtect, just that the PaloAlto will check if the username+password is correct.
2) Under the portal settings of GlobalProtect / client config / user you can restrict access to GlobalProtect to certain users / user groups.
If you want to use groups in your config, you need to configure a group-mapping (device/userID/group mapping settings).
This will be used by the PaloAlto to search which user belongs to which group.
are You sure? Under portal settings of GlobalProtect / client config / user I can choose from group that I allowed, but there isn't option to exclude one user. I think.
As You can see on the picture above why the second line has "user" sigh not the "group" sign?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!