This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Restrict VPN access to AD group

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Restrict VPN access to AD group

g_sipp
Not applicable

‎02-06-2012 02:43 PM

Hi,

I want to give a VPN ipsec access to a group of users.

In GlobalProtect Portal | Client Configuration, I set the AD group in Source User.

My problem : all the users in the AD OU have access to the VPN despite they're not in the group.

I must have missed something ...

Someone already had this issue ?

Thanx.

0 Likes Likes
18 REPLIES 18

cnamurdc
L1 Bithead
In response to LCMember2262

‎04-04-2013 03:07 AM

No news about that so far.

We wanted to distinguish the users in order to filter their access to the IT ressources.

So we use a workaround by specifying the user LDAP group directly in the policies.

0 Likes Likes

filipe
Not applicable
In response to cnamurdc

‎04-04-2013 06:18 AM

Hello,

In PanOS 5.0.1 and 5.0.3, I have successfully specified which group has access to GP vpn by setting Client Configuration > User/User Group. Just make sure your group mappings is correctly set.

vpn_user_group.png

Hope it helps.

0 Likes Likes

LCMember2262
L1 Bithead

‎04-04-2013 08:26 PM

okay i found the answer in another post. It wasn't authenticating because the domain was missing in the ldap server profile. It's weird that I can still login when I select any user in the authentication profile, but doesn't work when i narrow down to a single group.

SCoupland
L3 Networker
In response to LCMember2262

‎04-16-2013 04:11 AM

I believe that's because when using a specific group/user it's checking the account against the account on device before passing it to LDAP to check whether the username/password is valid on the LDAP server. When you select all it skips the check and simply passes to the LDAP server. It's always worth tailing the authd.log on the device when troubleshooting authentication profile issues as it will highlight problems such as missing domain names to you.

0 Likes Likes
  • 10425 Views
  • 18 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks