10-10-2016 08:12 AM
Hi,
Can someone help me configure two groups of people that use GP as a VPN client?
Let's say I have users 1-5 who need to access my inside firewall with subnet 192.168.1.0/24,
and I have users 6-10 who need to access my inside network and a couple of the IPsec tunnels to reach the inside of other firewalls with subnet 192.168.2.0/24.
Is there a way to do it with multiple gateways or any other way?
PANOS 7.14h2
GP 3.1.1
no local user database
10-11-2016 01:33 AM - edited 10-11-2016 08:35 AM
Hi Mikelanni,
Yes, you can do this by navigating to your GP gateway configuration and, in the agent menu, the client settings tab:
there you can add a separate client setting for each of your different user groups, which you can configure to have different subnets/access routes etc.
hope this helps,
Ben
10-11-2016 07:23 AM
I tried that with an LDAP group but it never works (no idea why, and I don't recall the error I got from the GP client; I need to test again and check what the error was). It looks like it does not get the users from the group.
Also, do you give VPN users the same subnet as your inside networks? I always give them another subnet.
10-11-2016 08:11 AM
Hi Mikealanni,
In that case it would be worth taking a look at your group mapping settings and making sure your users are mapped to the groups correctly.
The configuration info on group mapping can be found here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/map-users-to-groups#74222
Additionally, there is a nice guide on how to troubleshoot the various aspects of User-ID here; you would need to use the CLI to check which users are mapped to which groups.
CLI command to show users and their group mapping info:
> show user user-ids
Filter it down to a single user:
> show user user-ids match-user (user name)
Actually, you would want your GP VPN users in separate subnets from the local network to avoid any layer 2 issues; the screenshot was a bit hurried by me. I will modify it 🙂
hope this helps,
Ben
10-11-2016 08:30 AM - edited 10-11-2016 09:22 AM
Firewall group mapping is working and I can see my users (show user user-ids) in the format
domain\first.last
If I use that format in the GP client I get the error "authentication failed", but if I use the first.last format only I get "assign private IP failed".
here is what it showing in my group map
domain\mike.alani vsys1 cn=vpnadmin,ou=groups,ou=XXX,ou=services,ou=xxxx,dc=domain,dc=xxx,dc=xxx
I just changed a couple of details to xxx.
Here is what I've found so far:
If I configure my GP client setting with first.last and the GP VPN client as first.last, then it will connect.
If I configure my GP client setting with domain\first.last (as the Palo Alto drop-down list shows it) and the GP client as first.last, then it will not connect and gives me the error "assign private IP failed".
If I configure my GP client setting with domain\first.last and the GP client as domain\first.last, then it will not connect and gives me the error "authentication failed".
If I configure my GP client setting with the group and the GP client as first.last, then it will not connect and gives me the error "assign private IP failed".
If I configure my GP client setting with the group and the GP client as domain\first.last, then it will not connect and gives me the error "assign private IP failed".
10-11-2016 09:21 AM - edited 10-11-2016 09:23 AM
Hi Mikelanni,
My advice would be to follow these steps in the troubleshooting guide for the private IP address assign issue:
Check that the IP address pool has enough IPs.
Check that the IP pool does not overlap with the IP of the client PC.
Check that the user group used in GlobalProtect -> Gateway -> Client Configuration -> Network Settings is properly included in the group mappings on the firewall and that the firewall is able to fetch the group from the AD server.
Check that the user belongs to the correct group as mentioned in the Network Settings of the Client Configuration under the GP gateway.
https://live.paloaltonetworks.com/t5/Management-Articles/Troubleshooting-GlobalProtect/ta-p/75770
Additionally, check the 'remote users' part in the info section of the GP gateways and disconnect any existing sessions from your user that you may have.
Your authentication profile is likely set up to include the domain field during authentication, so that is why the format 'domain\first.last' is failing when you try it: the firewall would see it as 'domain\domain\first.last'.
If you still have trouble after trying this, then it would need a deeper look, so it might be worth raising a support ticket.
hope this helps,
Ben
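One way to sanity-check a two-group gateway design against the checklist above, as an added Python model that is not PAN-OS code or anything from the thread: the ClientSetting class, the sample groups, pools and subnets are constructed assumptions, and the username normalization (strip a typed domain prefix, fold case) reflects the auth-profile and capitalization findings reported in this thread.

```python
import ipaddress
from dataclasses import dataclass
NET = ipaddress.ip_network

@dataclass
class ClientSetting:
    """One entry under GP gateway > Agent > Client Settings (constructed model)."""
    name: str
    groups: set            # user groups this entry applies to
    ip_pool: ipaddress.IPv4Network
    access_routes: list    # subnets pushed to clients that match

def normalize_user(name):
    # Drop a typed 'domain\' prefix (the auth profile already supplies it, so
    # 'domain\user' became 'domain\domain\user') and fold case ('mike' vs 'Mike').
    return (name.split("\\", 1)[1] if "\\" in name else name).lower()

def matching_settings(settings, group_map, user):
    groups = {g.lower() for g in group_map.get(normalize_user(user), ())}
    return [s for s in settings if {g.lower() for g in s.groups} & groups]

def access_routes_for(settings, group_map, user):
    """Sorted union of access routes the user would be pushed."""
    return sorted({str(r) for s in matching_settings(settings, group_map, user)
                   for r in s.access_routes})

def check_gateway(settings, group_map, user, client_lan, inside_nets, expected_users):
    """Findings mirroring the checklist: group mapping, pool size, pool overlap."""
    findings, key = [], normalize_user(user)
    if key not in group_map:
        findings.append(f"{user}: not in group mapping; run 'show user user-ids match-user {key}'")
    matched = matching_settings(settings, group_map, user)
    if not matched:
        findings.append(f"{user}: no client setting matches; expect 'assign private IP failed'")
    for s in matched:
        if s.ip_pool.num_addresses < expected_users:
            findings.append(f"{s.name}: pool {s.ip_pool} too small for {expected_users} users")
        for net in [client_lan, *inside_nets]:
            if s.ip_pool.overlaps(net):
                findings.append(f"{s.name}: pool {s.ip_pool} overlaps {net}; use a separate VPN subnet")
    return findings

# Constructed sample mirroring the two groups in the question (not a real config).
SETTINGS = [
    ClientSetting("users-1-5", {"vpnusers"}, NET("10.10.1.0/24"), [NET("192.168.1.0/24")]),
    ClientSetting("users-6-10", {"vpnadmin"}, NET("10.10.2.0/24"),
                  [NET("192.168.1.0/24"), NET("192.168.2.0/24")]),
]
GROUP_MAP = {"mike.alani": {"vpnadmin"}, "jane.doe": {"vpnusers"}}  # as 'show user user-ids' lists them
INSIDE = [NET("192.168.1.0/24"), NET("192.168.2.0/24")]
```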
10-13-2016 10:17 AM
Found what the error was.
I tried a couple of users with their machines and it was working, but my desktop was not. Then I figured out that when I capitalize the first letter, from mike to Mike, GP connects with no error.
The weird thing is that when I use mike on another laptop it works 🙂
10-20-2016 01:55 PM
OK, solved this issue.
First I figured out that on my desktop, if I use mike.alani it will not match the LDAP group, but if I use Mike.alani then it will match (other computers have not faced this issue).
Upgrading the firewall to 7.1.5 solved the issue with my desktop!!!