08-30-2018 07:37 AM
We have users accessing the GlobalProtect VPN using their AD accounts and we have User-ID enabled, but we do not see any evidence of the users on the AD domain controller. Is that because GP is accessing the DC using a service account? Is there any way to get the AD accounts to bind on the DC? We need these records for other things.
08-31-2018 05:51 AM
That is what it is set up for on the PA, but I did not set it up, and I have been told that LDAP is used as a connector to AD. So, LDAP connector, AD authentication.
08-31-2018 06:54 AM
Are you looking for something like the 'last logon date' getting updated? That's not really going to work at all. When you auth with GlobalProtect the firewall is using AD's LDAP function to verify that the user and the password are correct; if that comes back as True then you continue the login process.
Technically, when you use LDAP you aren't actually 'logged in' as far as AD is concerned; that's just a function of how LDAP works. The firewall is simply acting as a 'client' and whatever is hosting your LDAP service is acting as the 'server'. The client connects to the server and basically asks "does user 'bpry' with password 'PaloAltoFakePass' exist within the database?" If the server responds 'Yup' then it'll let you log in; if not, then the process won't continue.
08-31-2018 07:06 AM
Correct, that is what my colleague is looking for, to have the last login date updated, and there is no other way to do this that would give us that, is there?
So LDAP is looking in AD to make sure that the user and password are correct? Is the user ID showing up in the traffic logs because User-ID is enabled, or something else?
08-31-2018 07:09 AM
If you log in to GlobalProtect the firewall will by default record the source-user, as it verified the user internally, and will automatically include this user in the User-ID table.
08-31-2018 07:12 AM
Well, I guess I am stuck with the way things are. The only users this really applies to are users who are solely using the VPN and never log in locally, I would say.
08-31-2018 11:33 AM
Ya, depending on how you utilize that attribute in AD this can cause some issues going forward; many places will automatically disable accounts that haven't logged in during a certain timeframe. Your only real option is to simply remind people that they need to log in within 'x' days, or move away from LDAP as the authentication method for GP.
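The bind described in the earlier reply, and the inactivity-policy problem this reply raises, as an added example that is not code from the original thread or from Palo Alto Networks: a minimal LDAP simple bind (RFC 4511 BER on the wire, both the client and the server side) against an in-memory directory that, as the replies describe, treats the bind purely as a password check and never touches lastLogonTimestamp; a stale-account check then flags the VPN-only user even though they bind successfully every day. All DNs, passwords and timestamps are constructed test data. Whether a real domain controller updates logon attributes on a simple bind is a property of the server, not of the protocol, so verify your own DC's behaviour before building a disable policy on either assumption.

```python
"""LDAP simple bind as a pure credential check, modelled on the thread above.

Added example, not from the original post or from Palo Alto Networks.
The directory, DNs, passwords and timestamps are constructed test data.
"""
import hmac
from datetime import datetime, timedelta, timezone

# --- Minimal BER encoding for the few LDAP (RFC 4511) types a bind needs ---
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
APP_BIND_REQUEST, APP_BIND_RESPONSE = 0x60, 0x61   # [APPLICATION 0/1], constructed
CTX_SIMPLE = 0x80                                   # [0] simple password, primitive
RESULT_SUCCESS, RESULT_INVALID_CREDENTIALS = 0, 49


def _tlv(tag: int, body: bytes) -> bytes:
    """Tag-length-value with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body


def _int(value: int, tag: int = INTEGER) -> bytes:
    """Two's-complement INTEGER/ENUMERATED in the minimal number of bytes."""
    return _tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_bytes, next_pos) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                                # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _expect(buf: bytes, pos: int, tag: int):
    got, value, pos = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag 0x{tag:02x}, got 0x{got:02x}")
    return value, pos


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """Client -> server: LDAPMessage{ messageID, BindRequest{ version 3, name, simple pw } }."""
    op = _int(3) + _tlv(OCTET_STRING, dn.encode()) + _tlv(CTX_SIMPLE, password.encode())
    return _tlv(SEQUENCE, _int(message_id) + _tlv(APP_BIND_REQUEST, op))


def parse_bind_response(msg: bytes):
    """Client side: returns (message_id, result_code, diagnostic_message)."""
    body, _ = _expect(msg, 0, SEQUENCE)
    mid, pos = _expect(body, 0, INTEGER)
    op, _ = _expect(body, pos, APP_BIND_RESPONSE)
    code, pos = _expect(op, 0, ENUMERATED)
    _matched_dn, pos = _expect(op, pos, OCTET_STRING)
    diag, _ = _expect(op, pos, OCTET_STRING)
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(code, "big", signed=True), diag.decode())


def handle_bind(directory: dict, msg: bytes) -> bytes:
    """Server side: verify the password and answer; no logon attribute is updated."""
    body, _ = _expect(msg, 0, SEQUENCE)
    mid, pos = _expect(body, 0, INTEGER)
    op, _ = _expect(body, pos, APP_BIND_REQUEST)
    _version, pos = _expect(op, 0, INTEGER)
    dn, pos = _expect(op, pos, OCTET_STRING)
    pw, _ = _expect(op, pos, CTX_SIMPLE)
    entry = directory.get(dn.decode())
    # An empty password is an *unauthenticated* bind (RFC 4513 5.1.2), never a login.
    ok = bool(pw) and entry is not None and hmac.compare_digest(entry["password"].encode(), pw)
    code, diag = (RESULT_SUCCESS, b"") if ok else (RESULT_INVALID_CREDENTIALS, b"invalid credentials")
    result = _int(code, ENUMERATED) + _tlv(OCTET_STRING, b"") + _tlv(OCTET_STRING, diag)
    return _tlv(SEQUENCE, _tlv(INTEGER, mid) + _tlv(APP_BIND_RESPONSE, result))


def vpn_login(directory: dict, dn: str, password: str, message_id: int = 1) -> bool:
    """One GlobalProtect-style round trip: send the bind, read back the result code."""
    mid, code, _ = parse_bind_response(handle_bind(directory, bind_request(message_id, dn, password)))
    return mid == message_id and code == RESULT_SUCCESS


def stale_accounts(directory: dict, now: datetime, max_age_days: int = 90) -> list:
    """DNs an inactivity policy would disable, judged on lastLogonTimestamp alone."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(dn for dn, e in directory.items() if e["lastLogonTimestamp"] < cutoff)


NOW = datetime(2018, 8, 31, tzinfo=timezone.utc)
DIRECTORY = {  # constructed test data, not a real directory
    "cn=bpry,ou=staff,dc=example,dc=edu":
        {"password": "PaloAltoFakePass", "lastLogonTimestamp": NOW - timedelta(days=1)},
    "cn=retiree1,ou=retirees,dc=example,dc=edu":
        {"password": "Hunter2!", "lastLogonTimestamp": NOW - timedelta(days=400)},
}

if __name__ == "__main__":
    retiree = "cn=retiree1,ou=retirees,dc=example,dc=edu"
    for _ in range(30):                    # a month of daily, successful VPN binds...
        assert vpn_login(DIRECTORY, retiree, "Hunter2!")
    assert not vpn_login(DIRECTORY, retiree, "")
    # ...and the retiree is still flagged, because binds never moved lastLogonTimestamp
    print("would be disabled by the inactivity policy:", stale_accounts(DIRECTORY, NOW))
```

Run it and the retiree's DN is the only one reported, despite thirty successful binds in the loop above; the same reconciliation (successful authentications on the firewall side versus lastLogonTimestamp on the AD side) is what you would run against real data before letting an inactivity job disable accounts.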
08-31-2018 11:40 AM
You could run a post-GP-logon script; they run automatically when connected.
Perhaps map the user's home drive. This will force domain auth in the background, which will be recorded in the AD security log, and PA User-ID will pick this up.
08-31-2018 11:41 AM
That would work if this is a domain-joined machine and you actually want to be mapping a drive. My assumption in a university environment would be that this is more of an issue with users that are using personal devices or home devices, correct @jdprovine?
08-31-2018 11:46 AM
Yeah, the real issue is with retirees that need to get on some of our internal sites to do healthcare forms etc., so they are no longer using a domain-joined PC but a personal one. But it was a good thought, mickball.
08-31-2018 11:52 AM
Ok, gotcha... thanks for the clarifimaca.. claricafatio.... clamicafati..
thanks for letting me know!
08-31-2018 11:58 AM
LOL, you crack me up, mickball. I like the clamification of it all.