12-06-2016 08:29 AM
We are hosting 4 clients with each having their own server. I have set up 4 separate GlobalProtect Gateways and Portals for each client with access only to their server. I have configured Radius and tested it.
I want to be able to have one different Active Directory group for each client and have the users that are in the respective groups only have access to their GlobalProtect Portal.
12-06-2016 10:20 AM
If you only have one Active Directory server for all of these users then it would probably be best to simply change the user groups allowed to login on your GP portal configuration; that would allow you to have a 'client1' group with all of those users assigned and so on for all 4 on the 4 different portals and the other users would not be allowed.
12-07-2016 05:51 AM
I want the users in the client1 group to be only able to connect to their client portal and not be able to use the portals for client2, 3 or 4. I think that I am going to try to set up 4 different profiles running different ports than 1812 for each group.
12-07-2016 06:06 AM
So if I understand this correctly you want to limit it so that client1 isn't even able to see the portal for client2 and so on; and not only having client1 not being able to login?
12-07-2016 08:15 AM
I have 4 GlobalProtect Gateways and Portals on different IP address and different FQDNs (client1.domain.com, client2.domain.com, client3.domain.com, client4.domain.com). They are all set to split tunneling and each is limited to accessing only their own server on my network.
I have Radius setup and working. Right now all VPN users for all clients are in one Domain VPN group and can logon to all 4 VPN Portals. I want to have 4 separate Domain VPN groups (One for each client) and have someone in the client1vpn Domain group only be able to connect to the client1.domain.com VPN and someone in the client2vpn Domain group only be able to connect to the client2.domain.com VPN.
These servers have HIPAA data on them and no client is to have access to another client's data. Users from one client cannot logon to another client's server, but my supervisors do not want to be able to connect to another client's VPN.
12-07-2016 09:12 AM
You can easily just separate out who is allowed to login to which portal as already stated. Since you are limiting the connections to client1.domain.com to the client1 IP addresses there is no reason to change ports or anything like that.
12-07-2016 12:14 PM
Maybe I am not being clear. I do not want someone that is in the client1 domain group to only be able to authenticate to the client1 portal.
With radius there does not seem to be a way to do this.
I am now trying with LDAP.
I am now running into another issue.
If I select a specific domain group in the Authentication Profile, I get an Authentication Failed on the client.
If I select All in the Authentication Profile, it works.
So I am back to square one again.
12-08-2016 09:10 AM - edited 12-14-2016 07:20 AM
The LDAP issue was solved by manually typing in the word none in the Username Modifier field.