Global Protect with Active Directory Accounts

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global Protect with Active Directory Accounts

Not applicable

Hello all,

I have what might be a simple question. I want to authenticate to Global Protect SSL-VPN using my current Active Directory users. Do I need to have the User ID software installed on a domain server to do this? If thats needed for LDAP can one of the other server types do what I'm looking for with out the software on a server?

I have a PA-500 running 5.0. I have set-up the LDAP "server" and I have the authentication set-up but its still not working.

Also, how can I test if the LDAP connection is working right or not? Is there a test option someplace or something I should look for in the logs? Is there someplace that should display users or groups?

Thanks,

Doug


1 accepted solution

Accepted Solutions

Not applicable

Ok this is working, I found the missing piece in the re-review.

I had to include my new AD members group from User Identification in the Global Protect portal set-up and now its all working!! Now I can jump into deeper testing.

Thanks all.


View solution in original post

5 REPLIES 5

L6 Presenter

Hi,

You can use user-id function agentless system.

Also look at group mapping if you can see all groups or not.if ldap is ok you should see groups.

How did  you configure auht. profile ldap ?

L5 Sessionator

Hi,

Here a doc which can help you: https://live.paloaltonetworks.com/docs/DOC-4332

Just keep in ming that maybe for external access your AD password are not enough strong 🙂

Setup a radius  or new account for vpn can take time but for vpn auth it can be needed.

V.

HI Panos,

I was able to go into group mapping and was able to get into AD and select a user group, so it does look like it can read AD. I went back to the auth profile remove "all" and added the now available AD query. But still no luck. I think I'm going to re-review everything since I've been working at it for awhile I could have the wrong profile or server selected some place.

Vince - is there a password strength check someplace between AD and the Global protect portal? The one I'm testing with right now should be ok, but I know I have users that have not very strong passwords. I guess I was counting on the system just passing the passwords through reguardless of how strong they might be.

Thanks,

Doug


For password strengh, you can configure a minimum password complexity politic in the palo but only local account ... sorry. Else this politic have to be taken in charge by the remote authent server (AD in your case).

V.

Not applicable

Ok this is working, I found the missing piece in the re-review.

I had to include my new AD members group from User Identification in the Global Protect portal set-up and now its all working!! Now I can jump into deeper testing.

Thanks all.


  • 1 accepted solution
  • 2955 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!