VPN CLIENT GLOBAL PROTECT, MANAGED WITH LDAP GROUPS

@FWTECNOFORM,

Since you're saying that you just encountered the environment I would hold off on any access changes until you get a solid understanding of why it was configured in the way it was. Often in a new environment I see a lot of engineers make "big" changes as far as end-users are concerned, and that can be a massive turnoff from your users.

Find out what the users are connecting to and why. It could be that you simply need to utilizes Agent Configs on your gateway to seperate out the users in groups. One group might just get permission to remote into their computers, or potentially simply access email remotely; another group might rightfully need access to additional resources while working remotely. 

"then, configure device\user identification\group mapping settings.

here you can add the groups that you want to use."

Thank you very much.

How can I "then, network\portals and in the agent\configs you can add the 2 groups, one to each config."

should I select the portal

then click agent

then click the config

then under user user groups add the two ldap groups?

Hmm, I'm doing something wrong.

I get this message: "user is not authorized to connect to Global Protect Portal."

in monitor/system  it will show the username that is denied.

then in cli,   show user group list

then in cli , show user group name "one of the groups from above"  to make sure that user is deffo in that group.

it may be domain info mising so add the following to the portal/agent/config/user/user group to test.

firstly add user on its own   fred smith  

then if that fails, try domain\fred smith

A: ok firstly, configure device\server profile\ldap with the required permissions

B: that seems fine

A:then, configure device\user identification\group mapping settings.

b:I added to the group include list the group domain\allowed_full

A: here you can add the groups that you want to use.

A: then, network\portals and in the agent\configs you can add the 2 groups, one to each config.

B: network\portals and in the agent\configs user/user group i added the group domain\allowed_full

A: this will allow users in both groups to use the VPN but you can then add security policies for each group to either restrict or allow access to the network.

A:in monitor/system it will show the username that is denied.
then in cli, show user group list
then in cli , show user group name "one of the groups from above" to make sure that user is deffo in that group.
it may be domain info mising so add the following to the portal/agent/config/user/user group to test.
firstly add user on its own fred smith
then if that fails, try domain\fred smith

B: The user is in the group, the check in the cli confirmed it. but I'm still getting "You are not authorized to connect to GlobalProtect Portal.", I can see the error in the monitor/system and it says: GlobalProtect portal client configuration failed. Login from: my_ip, Source region: IT, User name: test.

If I roll back to my previous configuration, user Test can log just fine.

going back to the beginning...

could you confirm if you are still using certificate authentication.

yes I am.