We have users accessing the GlobalProtect VPN using their AD accounts and we have User-ID enabled, but we do not see any evidence of the users on the AD domain controller. Is that because GP is accessing the DC using a service account? Is there any way to get the AD accounts to bind on the DC? We need these records for other things.
Are you looking for something like the 'last logon date' getting updated? That's not really going to work at all. When you authenticate with GlobalProtect, the firewall is using AD's LDAP function to verify that the user and the password are correct; if that comes back as True then you continue the login process.
Technically, when you use LDAP you aren't actually 'logged in' as far as AD is concerned; that's just a function of how LDAP works. The firewall is simply acting as a 'client' and whatever is hosting your LDAP service is acting as the 'server'. The client connects to the server and basically asks "does user 'bpry' with password 'PaloAltoFakePass' exist within the database?" If the server responds 'Yup' then it'll let you log in; if not, the process won't continue.
Correct, that is what my colleague is looking to have: the last login date updated. There is no other way to do this that would give us that, is there?
So LDAP is looking in AD to make sure that the user and password are correct? Is the user ID showing up in the traffic logs because User-ID is enabled, or is it something else?
Yeah, depending on how you utilize that attribute in AD this can cause some issues going forward; many places automatically disable accounts that haven't logged in during a certain timeframe. Your only real option is to simply remind people that they need to log in within 'x' days, or move away from LDAP as the authentication method for GP.
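One check worth running before concluding that nothing is being recorded, added here as an example and not part of the original posts: in AD the lastLogon attribute is written only on the domain controller that serviced the logon and is never replicated, while lastLogonTimestamp is replicated but by default only refreshed when the stored value is roughly 14 days old. Looking at a single DC, or only at lastLogonTimestamp, can therefore miss recent logons. The script below (assumes the RSAT ActiveDirectory module and an account with read access; the $SamAccountName parameter is a placeholder you supply) reads both attributes for one user from every DC so the most recent lastLogon across all of them can be compared with what the firewall logs show.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module is installed and the caller may read lastLogon/lastLogonTimestamp.
# $SamAccountName is a placeholder; pass the account you are investigating.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName
)

Import-Module ActiveDirectory

# lastLogon and lastLogonTimestamp are stored as Windows FILETIME (Int64).
# 0 or $null means the attribute has never been set on that DC.
function Convert-FileTime {
    param([Nullable[long]]$FileTime)
    if (-not $FileTime -or $FileTime -eq 0) { return $null }
    return [DateTime]::FromFileTime($FileTime)
}

$results = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        # lastLogon is per-DC and not replicated, so every DC must be queried directly.
        $user = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                           -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
        [pscustomobject]@{
            DomainController   = $dc.HostName
            LastLogon          = Convert-FileTime $user.lastLogon
            LastLogonTimestamp = Convert-FileTime $user.lastLogonTimestamp
        }
    }
    catch {
        # Keep going if one DC is unreachable; report the failure instead of a blank row.
        [pscustomobject]@{
            DomainController   = $dc.HostName
            LastLogon          = "query failed: $($_.Exception.Message)"
            LastLogonTimestamp = $null
        }
    }
}

# The newest LastLogon across all DCs is the real most-recent logon for the account.
$results | Sort-Object LastLogon -Descending | Format-Table -AutoSize
```

If the newest LastLogon across all DCs is still older than the user's last GlobalProtect connection, the VPN authentication is not being recorded as a logon on the DCs, and any process that disables accounts based on this attribute will act on stale data.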