Restrict VPN access to AD group

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Restrict VPN access to AD group

Not applicable


I want to give a VPN ipsec access to a group of users.

In GlobalProtect Portal | Client Configuration, I set the AD group in Source User.

My problem : all the users in the AD OU have access to the VPN despite they're not in the group.

I must have missed something ...

Someone already had this issue ?



No news about that so far.

We wanted to distinguish the users in order to filter their access to the IT ressources.

So we use a workaround by specifying the user LDAP group directly in the policies.


In PanOS 5.0.1 and 5.0.3, I have successfully specified which group has access to GP vpn by setting Client Configuration > User/User Group. Just make sure your group mappings is correctly set.


Hope it helps.

L1 Bithead

okay i found the answer in another post. It wasn't authenticating because the domain was missing in the ldap server profile. It's weird that I can still login when I select any user in the authentication profile, but doesn't work when i narrow down to a single group.

I believe that's because when using a specific group/user it's checking the account against the account on device before passing it to LDAP to check whether the username/password is valid on the LDAP server. When you select all it skips the check and simply passes to the LDAP server. It's always worth tailing the authd.log on the device when troubleshooting authentication profile issues as it will highlight problems such as missing domain names to you.

  • 18 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!