I am have an issue with the allow list on the Authentication Profile. Up until yesterday I had an AD group name which pointer to the highest level of our tree and SSL-VPN users were not able to login, the message they got was "Invalid UserID and/or Password" I changed the allow list to "all" and now everything works, but I would like to know why I can't use a group in the allow list. These were all AD users in this group and we also have an administrators account set-up which would not use the Group "Local Users" in the allow list, so we had to insert individual users to the allow list or "All" and it works.
So to summarize, we are not able to use Groups in the allow list but we can use "all" or individual users.
You are correct. We do not support the use of groups for Authentication Profiles using LDAP. The best option is to use RADIUS and all users. Our LDAP implementating is somewhat simple. If you create a user ID we can then use the credentials provided by the user to loginto ldap and confirm the password and user name. But this does not scale well.
Well, there are some things you could try with RADIUS for the administrators. If you have your PAN-device admins in a AD-group you could have that group in a Network Policy server/IAS-authentication profile. That should take care of the Administrators, You can even utilize the vendor-specific attributes to give your admins the right privileges! It's a bit crude, but it works.
When it comes to the your SSLVPN users. How have you set up Authentication ? LDAP, RADIUS? If LDAP, do you filter out the groups?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!