Global Protect SSL VPN and 802.1x


L4 Transporter

I currently have 802.1x set up on our switches and it works very well for us in our environment. It allows our users to roam around the office and basically plug in wherever they want, and they always live on the same VLAN and always have access to the same VLANs. We have many users outside of the office who need access to internal resources while on the go. We want to set up Global Protect to use SSL VPN to accommodate them. I have most of it set up and I can connect to the internal network and the internet just fine. The problem I am having is that I need to come up with a solution that gives GP Client users access to only the networks they should have access to and NOT the entire network. Is there a way for GP Client to authenticate via 802.1x, just as any user would inside the network? If so, how would I go about doing this? If not, are there other options?

1 accepted solution

Accepted Solutions

Cyber Elite

Hi David

802.1x is not supported in GlobalProtect VPN.

You can however leverage user identification to grant users access based on their AD group membership. This will allow you to build security policy based on a source user group (admins/marketing/sales/...) and the GP IP pool towards several resources while blocking unauthorized access to other resources.

This can be accomplished by enabling user identification on the inbound zone of GP and configuring an LDAP profile plus a User-ID group filter to retrieve group information. These groups can then be used in security policy to limit access for GlobalProtect users.

Regards,

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

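The group-based design Tom describes, modelled as an added Python example (not code from the thread or from Palo Alto Networks): User-ID supplies an IP-to-user mapping for the GP pool, the LDAP group mapping supplies each user's AD groups, and first-match security rules allow each group only its own resources while a catch-all denies the rest. All addresses, users and groups are constructed; the client with no User-ID mapping shows that group-based rules can only ever match identified users, so without working user identification a GP client falls through to the deny rules.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Constructed sample data (not from the thread): the GlobalProtect IP pool,
# the User-ID IP-to-user mappings the firewall holds, and AD group membership
# retrieved through the LDAP group-mapping profile.
GP_POOL = ip_network("10.200.0.0/24")
USER_ID_MAP = {"10.200.0.11": "corp\\alice", "10.200.0.12": "corp\\bob"}
# 10.200.0.13 is a connected client with no User-ID mapping (user "unknown").
GROUP_MAP = {"corp\\alice": {"corp\\finance"}, "corp\\bob": {"corp\\engineering"}}


@dataclass(frozen=True)
class Rule:
    """One security-policy rule; source_user None means 'any' user."""
    name: str
    source: IPv4Network
    source_user: Optional[str]
    destination: IPv4Network
    action: str


# Ordered rulebase: group-specific allows first, then a catch-all deny
# for everything else reachable from the GP pool.
RULES = [
    Rule("finance-to-erp", GP_POOL, "corp\\finance", ip_network("10.1.5.0/24"), "allow"),
    Rule("eng-to-git", GP_POOL, "corp\\engineering", ip_network("10.1.20.0/24"), "allow"),
    Rule("vpn-to-dns", GP_POOL, None, ip_network("10.1.0.53/32"), "allow"),
    Rule("deny-vpn-rest", GP_POOL, None, ip_network("10.0.0.0/8"), "deny"),
]


def evaluate(src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """First-match evaluation of the rulebase; returns (rule name, action)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    user = USER_ID_MAP.get(src_ip)          # None: no mapping, treated as unknown
    groups = GROUP_MAP.get(user, set())
    for rule in RULES:
        if src not in rule.source or dst not in rule.destination:
            continue
        # A group-based rule can never match a client the firewall cannot identify.
        if rule.source_user is not None and rule.source_user not in groups:
            continue
        return rule.name, rule.action
    return "interzone-default", "deny"


if __name__ == "__main__":
    for flow in [("10.200.0.11", "10.1.5.10"), ("10.200.0.13", "10.1.5.10")]:
        print(flow, "->", evaluate(*flow))
```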


Tpiens, thank you for your response. User identification is a good idea; however, we are an all-Linux environment and we are having trouble coming up with a solid solution for implementing it. We are unable to use captive portal options because there isn't any way our 300+ users would respond well to having to log in via a web form. It seems as if, for now, we'll have to postpone using GP until we can figure out user identification. Thanks again!
