fjwcash
L4 Transporter

Using LDAP groups with GlobalProtect

What's the magic incantation needed to use LDAP groups in the GlobalProtect Portal user/group list, instead of listing all umpteen dozen individual users?

I have a working GP Portal and multiple Gateway setup, using LDAP for authentication.

I have a working Group Mapping setup using groups from LDAP.  I can use "show user group list" and see all my LDAP groups.  I can use "show user group name mydomain\mygroup" (the shortname for it) to view all the members of the group.  And I can run "show user user-ids match-user myuser" to see which group(s) a user is in.

In the Portal config, I can add individual users to the user/group list for each individual Gateway.  But, with the number of VPN users increasing the past couple of weeks, it's getting cumbersome to edit the config, commit to Panorama, and push to the firewalls.  It would be much nicer to just put an LDAP group in here, and update the member list in LDAP instead.  I just can't make this work!

If I remove a test user from the Portal config, and replace it with an LDAP group (which that test user is a member of), then I get "Not authorized to access GlobalProtect Portal".  Tried the shortname for the group, mydomain\shortname, and the full cn=mygroup,ou=groups... syntax.  Same result for each.

What am I missing?

Edit:  This is on Panorama 8.1.13, PAN-OS 8.1.9-h4 on the Portal, 8.1.13 on the Gateways.

Edit2: Further troubleshooting, running "test authentication" from the CLI on the portal and the gateway succeeds.  But, we already knew the LDAP config worked; it's trying to use the LDAP group on the Portal Config that's failing.  And there doesn't appear to be a way to test that at the CLI, or to get better logs.