GlobalProtect Gateway with Multiple Client Authentication Config

L0 Member

GlobalProtect Gateway with Multiple Client Authentication Config

Hi there,


I have multiple client authentication configurations set up on my GlobalProtect portal which use the same OS type.

Order is as follows:


1 - Windows OS with local auth on the firewall.

2 - Windows OS with LDAP auth.


What i want to achieve is if authentication fails with local auth, it tries LDAP auth and keeps going down the list until it matches.

Both my local auth and LDAP auth profiles work fine, but the first one always takes precedence. It appears that if a config matches and fails, it does not try the next in the list.


I want users who perform local auth to have a different IP range assigned to users that perform LDAP auth.

How could i address this problem, or achieve the desired outcome another way?


Many thanks,

Tags (1)
L7 Applicator

Re: GlobalProtect Gateway with Multiple Client Authentication Config

not sure of your exact config but perhaps try this,,,


only have 1 portal config to 1 gateway  (or multiple gateways)


Then on the gateway under client settings add user groups under different configs to assign different pools.

L0 Member

Re: GlobalProtect Gateway with Multiple Client Authentication Config

I have a similar situation.  I am trying to use two client authentication methods, one SAML (okta) and one regular LDAP.  They both point to different Active Directory groups and the regular ldap is first in order.  I have tested and when GP doesn't see the user in the regular LDAP client I receive error that user is not in allowed list and it stops and does not try the second in the list for locating the user.

L2 Linker

Re: GlobalProtect Gateway with Multiple Client Authentication Config

There is no real benefit for you using multiple client authentication configurations on your GlobalProtect portal.

Create a new authentication sequence with both authentication profiles in the correct order. Then assign this auth sequence to your one and only client authentication configuration.


Under Agent tab you can differentiate between those users and forward each of the user groups to a different gateway with different IP ranges.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!