02-06-2012 02:43 PM
I want to give IPsec VPN access to a group of users.
In GlobalProtect Portal | Client Configuration, I set the AD group in Source User.
My problem: all the users in the AD OU have access to the VPN even though they're not in the group.
I must have missed something...
Has anyone already had this issue?
04-04-2013 03:07 AM
No news about that so far.
We wanted to distinguish the users in order to filter their access to the IT resources.
So we use a workaround by specifying the user LDAP group directly in the policies.
04-04-2013 06:18 AM
In PAN-OS 5.0.1 and 5.0.3, I have successfully specified which group has access to GP VPN by setting Client Configuration > User/User Group. Just make sure your group mapping is correctly set.
Hope it helps.
04-04-2013 08:26 PM
Okay, I found the answer in another post. It wasn't authenticating because the domain was missing in the LDAP server profile. It's weird that I can still log in when I select any user in the authentication profile, but it doesn't work when I narrow down to a single group.
04-16-2013 04:11 AM
I believe that's because when using a specific group/user, it's checking the account against the account on the device before passing it to LDAP to check whether the username/password is valid on the LDAP server. When you select all, it skips the check and simply passes to the LDAP server. It's always worth tailing the authd.log on the device when troubleshooting authentication profile issues, as it will highlight problems such as missing domain names to you.