Binding to AD with globalprotect

Announcements

Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

Reply
jdprovine
L4 Transporter

Binding to AD with globalprotect

We have user accessing the globalprotect VPN using their AD account and we have userid enabled, but we do not see any evidence of the users in the AD domain controller, is that because GP is accessing the DC using a service account? Is there anyway to get the AD accounts to bind on the DC? We need these records for other things

MickBall
L7 Applicator

What authentication are you using... is it ldap?

jdprovine
L4 Transporter

@MickBall

That is what it is setup for on the PA but i did not set it up and I have been told that the LDAP is used as a connector to AD. So LDAP connector AD authentication

BPry
Cyber Elite

@jdprovine,

Are you looking for like the 'last logon date' getting updated or something like that? That's not really going to work at all. When you auth with GlobalProtect the firewall is uing the ADs LDAP function to verify that the user and the password is correct; if that comes back as True then you are continue the login process. 

Technically when you use LDAP you aren't actually 'logged in' as far as AD is concerned, that's just a function of how LDAP functions. The firewall is simply acting as a 'client' and whatever is hosting your LDAP service is acting as the 'Server'. The client connects to the server and basically asks "does user 'bpry' with password 'PaloAltoFakePass'" exist within the database. If the server responds 'Yup' then it'll let you login, if not then the process won't continue. 

jdprovine
L4 Transporter

@BPry

Correct that is what my colleague is  looking to have the last login date updated and there is no other way to do this that would give us that is there. 

So LDAP is looking in AD to make sure that the user and password are correct? Is the userid showing up in the traffic logs because userid is enabled or something else?

BPry
Cyber Elite

@jdprovine,

If you login to GlobalProtect the firewall will by default record the source-user, as it verified the user internally and will automatically include this user in the user-id table. 

jdprovine
L4 Transporter

@BPry

Well I guess I am stuck with the way things are, the only users this really applies to are users who are soley using the VPN and never login locally I would say. 

BPry
Cyber Elite

@jdprovine

Ya depending on how you utilize that attribute in AD this can cause some issues going forward; many places will automatically disable accounts that haven't logged-in during a certain timeframe. Your only real option is to simply remind people that they need to login within 'x' days or move away from LDAP as the authentication method for GP. 

MickBall
L7 Applicator

You could run a post GP logon script, they run auto when connected.

perhaps map the users home drive, this will force domain auth in the background, this will be recorded in the AD security log  and PA user id will pick this up....

BPry
Cyber Elite

@MickBall,

That would work if this is a domain joined machine and you actually want to be mapping a drive. My assumption in a university enviroment would be that this is more of an issue with users that are using personal devices or home devices correct @jdprovine

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!