Integrating 2 different LDAP servers in Palo Alto for Global Protect VPN authentication.

cancel
Showing results for 
Search instead for 
Did you mean: 

Integrating 2 different LDAP servers in Palo Alto for Global Protect VPN authentication.

L1 Bithead

Hi,

 

We have a requirement as users belonging to 2 different domains (for eg: local.ae & local.co.ae) need to connect via Palo Alto global protect VPN. Is it possible to integrate Palo Alto with 2 different LDAP profile, so that both local.ae & local.co.ae domain users can connect remotely over Global Protect VPN.

3 REPLIES 3

L4 Transporter

Hi @preetpk ,

you can use both profiles in an Authentication Sequence profile, then use this Sequence profile for  GP authentication.

 

L1 Bithead

Hi Abdul,

 

Thanks for the update. Just want to check, if there is any other alternate solution apart from the above, as there is trust between both domain. Is it possible to integrate Palo Alto with on LDAP server & users in other domain also can use the domain trust to get connected via Global Protect VPN.

You need to create two separate LDAP Server Profiles (one for each server).

 

Then you need to create two separate Authentication Profiles (one for each LDAP server).

 

Then you need to create an Authentication Sequence that lists which order you want to query the LDAP servers.

 

Then you configure your GlobalProtect setup to use the Authentication Sequence to authenticate clients.

 

That way, when a client connects to GlobalProtect and puts in their username and password, GlobalProtect will check the LDAP servers in the Authentication Sequence.  If there's a working authentication from the first LDAP server, then the client is connected; if not, the second LDAP server is checked.  If there's a working authentication from that one, then the client is connected; if not, the connection fails.

 

You have to treat the LDAP servers as separate entities.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!