06-12-2013 06:50 AM
Hello all,
I have what might be a simple question. I want to authenticate to Global Protect SSL-VPN using my current Active Directory users. Do I need to have the User ID software installed on a domain server to do this? If that's needed for LDAP, can one of the other server types do what I'm looking for without the software on a server?
I have a PA-500 running 5.0. I have set up the LDAP "server" and I have the authentication set up, but it's still not working.
Also, how can I test if the LDAP connection is working right or not? Is there a test option someplace or something I should look for in the logs? Is there someplace that should display users or groups?
Thanks,
Doug
06-12-2013 06:56 AM
Hi,
You can use the agentless User-ID function.
Also look at group mapping to check whether you can see all groups or not. If LDAP is OK you should see groups.
How did you configure the LDAP auth. profile?
06-12-2013 07:07 AM
Hi,
Here is a doc which can help you: https://live.paloaltonetworks.com/docs/DOC-4332
Just keep in mind that maybe for external access your AD passwords are not strong enough 🙂
Setting up RADIUS or a new account for VPN can take time, but for VPN auth it can be needed.
V.
06-12-2013 07:36 AM
Hi Panos,
I was able to go into group mapping and was able to get into AD and select a user group, so it does look like it can read AD. I went back to the auth profile, removed "all" and added the now-available AD query. But still no luck. I think I'm going to re-review everything; since I've been working at it for a while, I could have the wrong profile or server selected someplace.
Vince - is there a password strength check someplace between AD and the Global Protect portal? The one I'm testing with right now should be OK, but I know I have users that have not very strong passwords. I guess I was counting on the system just passing the passwords through regardless of how strong they might be.
Thanks,
Doug
06-12-2013 07:45 AM
For password strength, you can configure a minimum password complexity policy on the Palo, but only for local accounts ... sorry. Otherwise this policy has to be handled by the remote authentication server (AD in your case).
V.
06-12-2013 07:52 AM
Ok this is working, I found the missing piece in the re-review.
I had to include my new AD members group from User Identification in the Global Protect portal set-up and now it's all working!! Now I can jump into deeper testing.
Thanks all.