Two Subnets For Two Group Of People

L2 Linker


Hi,

Can someone help me configure two groups of people that use GP as a VPN client?

Let's say I have users 1-5 who need to access my inside firewall with subnet 192.168.1.0/24,

and I have users 6-10 who need to access my inside network and a couple of the IPsec tunnels to reach the inside of other firewalls with subnet 192.168.2.0/24.

Is there a way to do it by multiple gateways or any other way?


PANOS 7.14h2

GP 3.1.1

no local user database

L4 Transporter

Re: Two Subnets For Two Group Of People

Hi Mikelanni,


Yes you can do this by navigating to your GP gateway configuration and in the agent menu:

Screenshot_9.png

In the client settings tab you can add a separate client setting for each of your different user groups, which you can configure to have different subnets/access routes etc.

hope this helps,

Ben

L2 Linker

Re: Two Subnets For Two Group Of People

I tried that with an LDAP group but it never works (no idea why, and I don't recall the error I got from the GP client; I need to test again and check what the error was). It looks like it does not get the users from the group.

Also, do you give VPN users the same subnet as your inside networks? I always give them another subnet.

L4 Transporter

Re: Two Subnets For Two Group Of People

Hi Mikealanni,


In that case it would be worth taking a look at your group mapping settings and making sure your users are mapped to the groups correctly.


The configuration info on group mapping can be found here:

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/map-users-to-groups#74222

Additionally, there is a nice guide on how to troubleshoot the various aspects of User-ID here; you would need to use the CLI to check which users are mapped to which groups:

https://live.paloaltonetworks.com/t5/Management-Articles/Troubleshooting-User-ID-Group-and-User-to-I...

CLI command to show users and their group mapping info:

> show user user-ids 

Filter it down to a single user:

> show user user-ids match-user (user name)

Actually you would want your GP VPN users in separate subnets from the local network to avoid any layer 2 issues; the screenshot was a bit hurried by me. I will modify it :)


hope this helps,

Ben

L2 Linker

Re: Two Subnets For Two Group Of People

The firewall group is working and I can see my users (show user user-ids) in the format

domain\first.last

If I use that format in the GP client I get the error "authentication failed", but if I use the first.last format only I get "assign private IP failed".

Here is what it shows in my group map:

domain\mike.alani vsys1 cn=vpnadmin,ou=groups,ou=XXX,ou=services,ou=xxxx,dc=domain,dc=xxx,dc=xxx

I just changed a couple of details to xxx.
Here is what I've found so far:

If I configure my GP client setting with first.last and the GP VPN client as first.last, then it will connect.

If I configure my GP client setting with domain\first.last (as the Palo Alto drop-down list shows) and the GP client as first.last, then it will not connect and gives me the error "assign private IP failed".

If I configure my GP client setting with domain\first.last and the GP client as domain\first.last, then it will not connect and gives me the error "authentication failed".

If I configure my GP client setting with the group and the GP client as first.last, then it will not connect and gives me the error "assign private IP failed".

If I configure my GP client setting with the group and the GP client as domain\first.last, then it will not connect and gives me the error "assign private IP failed".
L4 Transporter

Re: Two Subnets For Two Group Of People

Hi Mikelanni,


My advice would be to follow these steps in the troubleshooting guide for the private IP address assign issue:

Check if the IP address pool has enough IPs.
Check that the IP pool does not overlap with the IP of the client PC.
Check if the user group used in GlobalProtect -> Gateway -> Client Configuration -> Network Settings is properly included in the group mappings on the firewall and the firewall is able to fetch the group from the AD server.
Check if the user belongs to the correct group as mentioned in the Network Settings of the Client Configuration under the GP gateway.

https://live.paloaltonetworks.com/t5/Management-Articles/Troubleshooting-GlobalProtect/ta-p/75770


Additionally check the 'remote users' part in the info section of the GP gateways and disconnect any existing sessions from your user that you may have.

Your authentication profile is likely set up to include the domain field during authentication, so that is why the format 'domain\first.last' is failing when you try it: the firewall would see it as 'domain\domain\first.last'.


If you still have trouble after trying this then it would need a deeper look so might be worth raising a support ticket.


hope this helps,

Ben

L2 Linker

Re: Two Subnets For Two Group Of People

Found what the error was.

I tried a couple of users with their machines and it was working, but my desktop was not. Then I figured out that when I capitalize the first letter, from mike to Mike, GP connects with no error.

The weird thing is that when I use mike on another laptop it works :)

L2 Linker

Re: Two Subnets For Two Group Of People

OK, solved this issue.

First I figured out that on my desktop, if I use mike.alani it will not match the LDAP group, but if I use Mike.alani it matches (other computers have not faced this issue).

Upgrading the firewall to 7.1.5 solved the issue with my desktop!!!
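The two failure modes the thread works through (the auth profile prepending its own domain, and a user whose login differs from the mapped name only in letter case) can be checked offline against the `show user user-ids` output. The script below is an added example, not from the thread or from Palo Alto Networks; the sample output is constructed in the format quoted above, and the domain-prepending behaviour is modelled as Ben described it, not taken from PAN-OS documentation.

```python
import re

# Constructed sample of `show user user-ids` output, in the "user vsys group-DN" format quoted in the thread.
SAMPLE_USER_IDS = """\
domain\\mike.alani vsys1 cn=vpnadmin,ou=groups,ou=XXX,ou=services,ou=xxxx,dc=domain,dc=xxx,dc=xxx
domain\\jane.doe vsys1 cn=vpnusers,ou=groups,ou=XXX,ou=services,ou=xxxx,dc=domain,dc=xxx,dc=xxx
"""


def parse_user_ids(text):
    """Return {mapped_user: set(group DNs)} from lines of 'user vsys group-DN'."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip headers, blanks and anything not in the 3-column format
        user, _vsys, group_dn = parts
        mapping.setdefault(user, set()).add(group_dn.strip())
    return mapping


def effective_login(entered, profile_domain):
    """Name the firewall matches after the auth profile adds its user domain.

    Hypothetical model of Ben's explanation: when the profile carries a domain,
    it is prepended to whatever the client typed, so an already-prefixed name
    becomes 'domain\\domain\\user' and no longer matches any mapping.
    """
    return f"{profile_domain}\\{entered}" if profile_domain else entered


def group_cn(dn):
    """Extract the lower-cased cn= component of a group DN, or None."""
    m = re.match(r"cn=([^,]+)", dn, re.IGNORECASE)
    return m.group(1).lower() if m else None


def check_membership(mapping, login, expected_cn):
    """Classify why a login would or would not be placed in the expected group.

    Returns 'ok', 'wrong-group', 'case-mismatch' (same name, different case,
    as in the mike/Mike finding) or 'not-mapped'.
    """
    if login in mapping:
        cns = {group_cn(dn) for dn in mapping[login]}
        return "ok" if expected_cn.lower() in cns else "wrong-group"
    if login.lower() in {u.lower() for u in mapping}:
        return "case-mismatch"
    return "not-mapped"
```

Feed it the real `show user user-ids` output and the name exactly as typed into the GP client; a `case-mismatch` result points at the group-match problem the thread hit, and a `not-mapped` result on an already-prefixed name points at the auth profile's domain setting.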
