We have a requirement: users belonging to 2 different domains (e.g. local.ae & local.co.ae) need to connect via the Palo Alto GlobalProtect VPN. Is it possible to integrate Palo Alto with 2 different LDAP profiles, so that both local.ae & local.co.ae domain users can connect remotely over GlobalProtect VPN?
Thanks for the update. Just want to check if there is any other alternative solution apart from the above, as there is a trust between both domains. Is it possible to integrate Palo Alto with one LDAP server so that users in the other domain can also use the domain trust to get connected via GlobalProtect VPN?
You need to create two separate LDAP Server Profiles (one for each server).
Then you need to create two separate Authentication Profiles (one for each LDAP server).
Then you need to create an Authentication Sequence that lists the order in which you want the LDAP servers to be queried.
Then you configure your GlobalProtect setup to use the Authentication Sequence to authenticate clients.
That way, when a client connects to GlobalProtect and enters their username and password, GlobalProtect checks the LDAP servers in the order given by the Authentication Sequence. If the first LDAP server authenticates the user, the client is connected; if not, the second LDAP server is checked. If that one authenticates the user, the client is connected; if not, the connection fails.
You have to treat the LDAP servers as separate entities.
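The four steps above as PAN-OS configure-mode `set` commands, added here as an illustration and not taken from the original thread or from Palo Alto documentation. All profile names, addresses, DNs and the service-account name are placeholders; the `#` lines are my annotations and are not accepted by the PAN-OS CLI, so strip them before pasting. The exact option keys (in particular the `use-domain-find-profile` and the portal/gateway `client-auth` nodes) are written from memory and should be checked against the CLI tab-completion for your PAN-OS version.

```text
# 1. One LDAP Server Profile per domain, each pointing only at that domain's own DC.
#    (LDAPS with certificate verification so the bind credentials never cross the wire in clear.)
set shared server-profile ldap ldap-local-ae server dc1 address 10.10.1.10
set shared server-profile ldap ldap-local-ae server dc1 port 636
set shared server-profile ldap ldap-local-ae ldap-type active-directory
set shared server-profile ldap ldap-local-ae base "DC=local,DC=ae"
set shared server-profile ldap ldap-local-ae bind-dn "CN=svc-gp-bind,OU=Service Accounts,DC=local,DC=ae"
set shared server-profile ldap ldap-local-ae bind-password <bind-password-for-local.ae>
set shared server-profile ldap ldap-local-ae ssl yes
set shared server-profile ldap ldap-local-ae verify-server-certificate yes

set shared server-profile ldap ldap-local-co-ae server dc1 address 10.20.1.10
set shared server-profile ldap ldap-local-co-ae server dc1 port 636
set shared server-profile ldap ldap-local-co-ae ldap-type active-directory
set shared server-profile ldap ldap-local-co-ae base "DC=local,DC=co,DC=ae"
set shared server-profile ldap ldap-local-co-ae bind-dn "CN=svc-gp-bind,OU=Service Accounts,DC=local,DC=co,DC=ae"
set shared server-profile ldap ldap-local-co-ae bind-password <bind-password-for-local.co.ae>
set shared server-profile ldap ldap-local-co-ae ssl yes
set shared server-profile ldap ldap-local-co-ae verify-server-certificate yes

# 2. One Authentication Profile per LDAP Server Profile. user-domain lets a login typed as
#    "local.ae\jdoe" or "jdoe@local.ae" be matched to this profile.
set shared authentication-profile auth-local-ae method ldap server-profile ldap-local-ae
set shared authentication-profile auth-local-ae method ldap login-attribute sAMAccountName
set shared authentication-profile auth-local-ae user-domain local.ae
set shared authentication-profile auth-local-ae allow-list all

set shared authentication-profile auth-local-co-ae method ldap server-profile ldap-local-co-ae
set shared authentication-profile auth-local-co-ae method ldap login-attribute sAMAccountName
set shared authentication-profile auth-local-co-ae user-domain local.co.ae
set shared authentication-profile auth-local-co-ae allow-list all

# 3. Authentication Sequence: profiles are tried in list order, first success wins, last failure
#    fails the login. Note that a user who exists only in local.co.ae always produces one failed
#    lookup against local.ae first; use-domain-find-profile (assumed key name) makes the firewall
#    jump straight to the profile whose user-domain matches the domain the user typed instead.
set shared authentication-sequence auth-seq-gp authentication-profiles [ auth-local-ae auth-local-co-ae ]
set shared authentication-sequence auth-seq-gp use-domain-find-profile yes

# 4. Point the GlobalProtect portal and gateway client authentication at the sequence
#    (assumed node path; equivalent to Network > GlobalProtect > Portals/Gateways > Authentication).
set global-protect global-protect-portal gp-portal portal-config client-auth gp-clients authentication-profile auth-seq-gp
set global-protect global-protect-gateway gp-gateway client-auth gp-clients authentication-profile auth-seq-gp

commit
```

After the commit, `test authentication authentication-profile auth-local-co-ae username <user> password` from operational mode lets you confirm each profile binds and finds the user before you test the full sequence through a GlobalProtect client.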