I'm setting up GlobalProtect, which works just fine. Now I want to restrict GlobalProtect access to only one AD group. I created a separate GP authentication profile with my ssl_vpn AD group in the allow list, but as soon as I commit that allow list, not a single user can log in to GlobalProtect anymore.
Is this the correct way to configure this? I also tried configuring the AD group as source user on the GlobalProtect portal definition, but that didn't help either.
I'm suspecting that there is a problem with the retrieval of the groups and the group membership from the AD server. We added the AD group to AD after configuring the AD server definition in the PAN firewall, after which it did not appear in the list of available AD groups in the web interface. However, in the CLI "show user group-mapping state <domain>" showed the group, so it seemed to be retrieved by the PAN. We configured the GlobalProtect settings via the CLI, since the group was not visible in the web interface.
Could this be related? Any other way to get more information about the available groups on the device?
Edit: PA-2050 cluster, running 4.1.0, group mapping is configured on the firewall.
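One way to answer the "is the group really there?" question offline is to paste the output of "show user group-mapping state <domain>" into a file and check it for the exact group DN you put in the allow list. The script below is an added example for this thread, not a Palo Alto Networks tool and not code from any of the posters. The sample dump embedded in it is constructed to resemble the CLI output (domain, server and group names are made up), so the parser is deliberately loose: any line beginning with "cn=" is treated as a retrieved group DN, and the "Number of Groups" counter is cross-checked against the number of DNs actually listed. It also flags "near misses", i.e. a group with the right CN but a different container, which is a common reason an allow-list entry typed by hand never matches.

```python
"""Check a captured `show user group-mapping state <domain>` dump for a group DN.

Added illustration for the thread above; not part of the original posts and
not a Palo Alto Networks tool. SAMPLE_STATE is constructed to resemble the CLI
dump (hypothetical domain, server and group names), not copied from a device.
"""
import json
import re

# Constructed sample, modelled on the shape of the CLI output (hypothetical values).
SAMPLE_STATE = """\
Group Mapping(vsys1, type: active-directory): corp-ad
        Bind DN     : CN=svc-pan,OU=Service Accounts,DC=corp,DC=example
        Base        : DC=corp,DC=example
        Group Filter: (None)
        User Filter : (None)
        Servers     : configured 1 servers
                dc01.corp.example(389)
        Last Action Time: 120 secs ago(took 1 secs)
        Next Action Time: In 3480 secs
        Number of Groups: 3
        cn=domain users,cn=users,dc=corp,dc=example
        cn=ssl_vpn,ou=groups,dc=corp,dc=example
        cn=helpdesk,ou=groups,dc=corp,dc=example
"""

DN_LINE = re.compile(r"^\s*(cn=.+)$", re.IGNORECASE)     # a retrieved group DN
COUNT_LINE = re.compile(r"Number of Groups:\s*(\d+)")    # the counter the firewall prints


def normalize_dn(dn: str) -> str:
    """Lower-case the DN and strip spaces around unescaped RDN separators so that
    'CN=ssl_vpn, OU=Groups, DC=corp, DC=example' compares equal to the CLI form."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]
    return ",".join(parts).lower()


def parse_groups(state_output: str):
    """Return (declared group count or None, list of normalized group DNs)."""
    count = None
    groups = []
    for line in state_output.splitlines():
        m = COUNT_LINE.search(line)
        if m:
            count = int(m.group(1))
            continue
        m = DN_LINE.match(line)
        if m:
            groups.append(normalize_dn(m.group(1)))
    return count, groups


def check_group(state_output: str, wanted_dn: str) -> dict:
    """Report whether wanted_dn was retrieved, whether the dump is internally
    consistent (counter == number of DNs listed), and any same-CN near misses."""
    count, groups = parse_groups(state_output)
    wanted = normalize_dn(wanted_dn)
    wanted_cn = wanted.split(",")[0]
    return {
        "retrieved": wanted in groups,
        "declared": count,
        "listed": len(groups),
        "consistent": count is None or count == len(groups),
        "near_misses": [g for g in groups if g.split(",")[0] == wanted_cn and g != wanted],
    }


if __name__ == "__main__":
    # Exact DN as it should appear in the allow list: found.
    print(json.dumps(check_group(SAMPLE_STATE, "CN=ssl_vpn, OU=Groups, DC=corp, DC=example"), indent=2))
    # Wrong container (cn=users instead of ou=groups): not found, reported as a near miss.
    print(json.dumps(check_group(SAMPLE_STATE, "cn=ssl_vpn,cn=users,dc=corp,dc=example"), indent=2))
```

Replace SAMPLE_STATE with the real dump from your device (the regexes do not depend on the indentation or the header lines). If "retrieved" is False but a near miss is listed, the allow-list entry is pointing at the wrong container, not at a group the firewall failed to fetch; if "consistent" is False the dump was truncated or the format differs from what the constructed sample assumes.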
I believe there was a bug regarding this issue but it has since been fixed.
You can try to restrict access to a specific group by going to GlobalProtect Portal > Client Configuration > User/User Group and finding the desired group to which you want to grant access for that specific configuration profile. The image below illustrates the path:
I have tested this successfully in PAN-OS 5.0.1 and 5.0.3.
Hope it helps.
Thanks for this, but I doubt this is the best practice. Personally I've configured an authentication sequence like PA recommended: first Kerberos, then RADIUS and then local. So I'd assume I should be able to retrieve a user/group list from Kerberos (and RADIUS) to specify the allow list there, not in the GP Portal config. Else, if Kerberos fails, wouldn't users authenticate with RADIUS and get access anyway? Or is it most restrictive, e.g. if Kerberos fails it won't allow access? Then there's no proper auth sequence.
According to PAN, an authentication sequence is NOT recommended because of the reasons described earlier. It needs to be consistent, so just one auth server should be chosen. One thing that confused me is that authentication and authorization appear to be the same in a PAN context: if you can't authenticate you are not authorized either. When you are authenticated, you are authorized too. In other words, all is done in the authentication section; there's no separate section for authorization in PAN-OS 5.
You could use AD to install domain certificates on your own assets. Then use the presence of the valid certificate as a second factor in the GlobalProtect authorization.