I need my client VPN to support different VLANs based upon authentication to either Microsoft NPS or LDAP groups.
I want a different VLAN/IP assigned to the user depending on which group in Active Directory they are in.
Is this configuration possible without purchasing Panorama?
In the Gateway configuration, you can assign the client configuration to apply specifically to a group of users. In the client configuration, you can choose the IP pool and the access route.
Network > GlobalProtect > Gateways > Agent > Client Settings
User/User Group tab
Specify the user or user group and client operating system to which this agent configuration applies.
Add a specific user or user group to which this configuration applies.
Note: You must configure group mapping (Device > User Identification > Group Mapping Settings) before you can select users and groups.
You can also create configurations that are deployed to agents or apps in pre-logon mode (before the user logs in to the endpoint) or configurations to deploy to any user.
Furthermore, when the user connects to GlobalProtect, the firewall will save the user-to-IP mapping, so you can simply configure security policies based on the user group.
I'm not sure how Panorama is relevant here; you can do the above with or without Panorama.
Hope it helps.
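
A way to sanity-check a planned per-group layout before entering it under Client Settings, as an added example that is not part of the thread or Palo Alto Networks' tooling. Group names, pools and routes are constructed sample values, and it assumes the gateway applies the first matching client config from the top of the list, which the thread does not state.

```python
import ipaddress

# Constructed plan: one Client Settings entry per AD group, in gateway list order.
# Group names, IP pools and access routes are made-up sample values.
PLAN = [
    {"name": "eng", "groups": {"vpn-engineering"}, "pool": "10.50.10.0/24", "routes": ["10.10.0.0/16"]},
    {"name": "fin", "groups": {"vpn-finance"}, "pool": "10.50.20.0/24", "routes": ["10.20.0.0/16"]},
    {"name": "other", "groups": {"any"}, "pool": "10.50.99.0/24", "routes": ["10.99.0.0/24"]},
]

def select_config(plan, user_groups):
    """Return the first entry matching the user's groups (assumed top-down, first match)."""
    for entry in plan:
        if "any" in entry["groups"] or entry["groups"] & set(user_groups):
            return entry
    return None

def overlapping_pools(plan):
    """Pairs of entries whose IP pools overlap, which would blur per-group addressing."""
    nets = [(e["name"], ipaddress.ip_network(e["pool"])) for e in plan]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]

def shadowed_entries(plan):
    """Entries listed after an 'any' entry can never be selected under first match."""
    shadowed, seen_any = [], False
    for entry in plan:
        if seen_any:
            shadowed.append(entry["name"])
        seen_any = seen_any or "any" in entry["groups"]
    return shadowed

def config_for_ip(plan, ip):
    """Map a tunnel IP back to the entry whose pool contains it (for log review)."""
    addr = ipaddress.ip_address(ip)
    for entry in plan:
        if addr in ipaddress.ip_network(entry["pool"]):
            return entry["name"]
    return None

if __name__ == "__main__":
    print("finance user gets:", select_config(PLAN, ["vpn-finance"]))
    print("overlapping pools:", overlapping_pools(PLAN))
    print("shadowed entries:", shadowed_entries(PLAN))
    print("10.50.10.37 belongs to:", config_for_ip(PLAN, "10.50.10.37"))
```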