VPN CLIENT GLOBAL PROTECT, MANAGED WITH LDAP GROUPS

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

VPN CLIENT GLOBAL PROTECT, MANAGED WITH LDAP GROUPS

L1 Bithead

Hello, I have a problem.

I just inherited a palo alto firewall.

I noticed that given a specific certificate and given the global protect client, every user of the ldap server can connect to the vpn.

I would like that only users in specific ldap groups could enter.

Let's say the groups come from active directory.

"domain"\user_group_allowed

"domain"\user_group_allowed_limited

how can I do that?

right now everyone on "domain" can open a vpn tunnel.

Could it be that what I'm looking for is under:

Device > Authentication Profile > Advanced > Allow list 

and that I should Add the ldap groups there instead of "All" ?

Kindest Regards

3 ACCEPTED SOLUTIONS

Accepted Solutions

should I select the portal

then click agent

then click the config

then under user user groups add the two ldap groups?

 

 

yes you can do that, or you can add config-1  and add group1

then add config-2 and add group2

 

i do a seperate config most of the time as i also use this to direct different groups to different gateways.

you can also use this to give users different portal configs.

 

so group-1 (std users) could have the portal nailed down

group-2 (admin users) could have the portal unrestricted and an extra couple of gateways....

 

if yours is just for network access restrictions then just use the same portal config.

 

perhaps if you explain what the difference is between groups then i could advise further but please note  @BPry 's comments.

 

 

View solution in original post

And.......

 

make sure you have the domain name in the certificate profile "user domain" field.

View solution in original post

That was it for me also.  @MickBall thank you for walking me through the tshooting steps.

View solution in original post

15 REPLIES 15

L7 Applicator

firstly, configure device\server profile\ldap   with the required permissions

 

then, configure device\user identification\group mapping settings.

here you can add the groups that you want to use.

 

then, network\portals and in the agent\configs you can add the 2 groups, one to each config.

 

this will allow users in both groups to use the VPN but you can then add security policies for each group to either restrict or allow access to the network.

 

 

 

@FWTECNOFORM,

Since you're saying that you just encountered the environment I would hold off on any access changes until you get a solid understanding of why it was configured in the way it was. Often in a new environment I see a lot of engineers make "big" changes as far as end-users are concerned, and that can be a massive turnoff from your users.

Find out what the users are connecting to and why. It could be that you simply need to utilizes Agent Configs on your gateway to seperate out the users in groups. One group might just get permission to remote into their computers, or potentially simply access email remotely; another group might rightfully need access to additional resources while working remotely. 

"then, configure device\user identification\group mapping settings.

here you can add the groups that you want to use."

Thank you very much.

How can I "then, network\portals and in the agent\configs you can add the 2 groups, one to each config."

should I select the portal

then click agent

then click the config

then under user user groups add the two ldap groups?

 

should I select the portal

then click agent

then click the config

then under user user groups add the two ldap groups?

 

 

yes you can do that, or you can add config-1  and add group1

then add config-2 and add group2

 

i do a seperate config most of the time as i also use this to direct different groups to different gateways.

you can also use this to give users different portal configs.

 

so group-1 (std users) could have the portal nailed down

group-2 (admin users) could have the portal unrestricted and an extra couple of gateways....

 

if yours is just for network access restrictions then just use the same portal config.

 

perhaps if you explain what the difference is between groups then i could advise further but please note  @BPry 's comments.

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!