LDAP Authentication for Global Protect

L4 Transporter

I am new to LDAP so I'm looking for some help. I have Global Protect setup to authenticate via LDAP using the following:

base: ou=People,dc=company,dc=com

bind DN: uid=fs01,ou=Special Users,dc=company,dc=com

This works. I've confirmed via the system logs.

I'd like to have the PA firewall authenticate ONLY users within a specific LDAP group:

dn: cn=vpn,ou=Groups,dc=company,dc=com

I've played around with group mappings under user identification but I honestly don't know what I am doing or what the fields are asking for and I can't find any documentation that provides any examples.

Any ideas or thoughts are appreciated.

10 REPLIES

L6 Presenter

Hi,

In group mapping settings, try to add some groups which you'll use in security rules etc. to the right panel of this screen.

After commit, look for the security rule, Users tab. Try to navigate users and look if the groups which you've selected will come or not.

If you see the group, no problem. Go through the Auth. profile (the LDAP server is selected inside this) and select the group you want to allow inside the profile.

Then you can use this profile for Global protect portal and gateway.

L4 Transporter

Hi,

Find in the attachment some screenshots. It should work with this configuration...

Hmmm... that didn't seem to do the trick. I don't have a Windows environment, it's just Linux using 386 LDAP. Do I have to have a login attribute under the authentication profile, or is the sAMAccountName attribute only for Active Directory?

I should probably add my screenshots to show you what I have.

Sorry, I'm not familiar with Linux... But...

In your LDAP Server Profile: try it with your domain name! For example (how it is in my configuration): if your domain is mydomain.net -> MyDomain should be the entry. And check the System logs.

(... Also, to verify/test your LDAP profile you can add an administrator account with your LDAP profile (be careful with capital and lower case in the username) ...)

Thanks for your help with this. I'll try putting in a domain, but our network doesn't live on a domain. This seems to always throw PA support a curve ball when working on issues like this. We don't have a single Windows server anywhere in any of our offices. Not my idea, but it is what it is.

Adding the domain didn't do the trick.

Try changing your base to just "dc=company,dc=com" so your search covers both People and Groups. Groups and People are at the same level based on your notes, so with the base set to People you can't find the groups in your query.

Restriction to the group you want to use is based on the "Allow list" entry in your Authentication Profile - just like you have it.

Not sure if your login attribute should be sAMAccountName or uid though. It depends on what designates the user logon ID in your LDAP setup.

I gave it a try with just "dc=company,dc=com" and with both login attributes of sAMAccountName and uid, and neither worked. I might just create a new user and test with that. Maybe it's something stupid like a bad password or something (which I have already tried but I'll give it another whirl).

When I try to log in the system logs show the authentication fails because the user is not in the allow list. Does that indicate LDAP is searching the vpn group or is that just a generic LDAP authentication failure message?

Not really sure which logs you are looking at - PAN or LDAP. If the error is in the PAN logs, it is not liking the allow entry for the group.

I found this article but not sure it will help:  https://live.paloaltonetworks.com/message/18184#18184

Other than that I would try a basic ldap browse/query tool to test the lookup of the user in the specified group or open a ticket with PAN and let them take a look.

Sorry,

Steve
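As an added illustration of the base-DN point made above (example code written for this page, not from any poster and not PAN-OS code): a small in-memory model of the directory the question describes, with constructed entries, showing that a subtree search rooted at ou=People never sees cn=vpn,ou=Groups, while one rooted at dc=company,dc=com resolves both the user and the group. It also shows why a login attribute the entries do not carry (sAMAccountName on a non-AD tree) finds no user at all.

```python
# Constructed directory entries modelled on the DNs in the thread; the
# users, the vpn group and its member list are assumptions for illustration.
DIRECTORY = [
    {"dn": "uid=jdoe,ou=People,dc=company,dc=com", "uid": "jdoe"},
    {"dn": "uid=asmith,ou=People,dc=company,dc=com", "uid": "asmith"},
    {"dn": "uid=fs01,ou=Special Users,dc=company,dc=com", "uid": "fs01"},
    {"dn": "cn=vpn,ou=Groups,dc=company,dc=com",
     "member": ["uid=jdoe,ou=People,dc=company,dc=com"]},
]

VPN_GROUP_DN = "cn=vpn,ou=Groups,dc=company,dc=com"


def normalize_dn(dn):
    """Split a DN into lowercased RDN components, most specific first."""
    return [part.strip().lower() for part in dn.split(",")]


def in_subtree(entry_dn, base_dn):
    """True if entry_dn equals base_dn or lies below it (LDAP subtree scope)."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def search(base_dn, attr, value):
    """Subtree search under base_dn for entries whose attr contains value."""
    hits = []
    for entry in DIRECTORY:
        values = entry.get(attr, [])
        if isinstance(values, str):
            values = [values]
        if in_subtree(entry["dn"], base_dn) and value in values:
            hits.append(entry)
    return hits


def find_group(base_dn, group_dn):
    """Return the group entry only if it is reachable from base_dn."""
    return [e for e in DIRECTORY
            if in_subtree(e["dn"], base_dn) and e["dn"].lower() == group_dn.lower()]


def is_vpn_user(base_dn, login, login_attr="uid", group_dn=VPN_GROUP_DN):
    """Mimic an allow-list style check: resolve the user under base_dn, then
    test membership in the group. Returns (user_found, group_found, is_member)."""
    users = search(base_dn, login_attr, login)
    groups = find_group(base_dn, group_dn)
    if not users or not groups:
        return (bool(users), bool(groups), False)
    members = [m.lower() for m in groups[0].get("member", [])]
    return (True, True, users[0]["dn"].lower() in members)
```

With the base at ou=People the user resolves but the group does not, which is exactly the "not in the allow list" outcome described earlier in the thread.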
