we currently have global protect integrated with Azure MFA using SAML and it works flawless.
Now, we would like to offer a different IP Pool depending on the user account. when I check in the MONITOR for connections using that VPN gateway, I see the different corporate email addresses in the SOURCE USER column. this email address is the one used to make the authentication via Azure MFA.
At this point, my approach was to create a new Agent-->client setting in the gateway portal . In the 'Config Selection Criteria' I included my corporate email addreass as SOURCE USER. No errors were shown so I clicked OK and commit. I also included a different IP pool range to filter conenctions later on with dedicated policies.
Surprisingly, afte the change was applied and I reconnect, I still get an IP address from the old IP pool, the one with 'any' on its client settings. it seems like my user name did not match for some reason. (see attachement)
we have a PA-850 running version 10.1.3
According to the official documentation the source user in the client setting tab must be configured via User Identification.
In our case we only have the internal Active Directory and checking its settings I saw an option that called my attention, Alternate Username 1.
I wonder if I put "mail" in that field, it might be used in the filtering as a username. (see attachment)
Does anyone used that before for a similar purpose?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!