This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Restrict VPN access to AD group

cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Restrict VPN access to AD group

g_sipp
Not applicable

‎02-06-2012 02:43 PM

Hi,

I want to give a VPN ipsec access to a group of users.

In GlobalProtect Portal | Client Configuration, I set the AD group in Source User.

My problem : all the users in the AD OU have access to the VPN despite they're not in the group.

I must have missed something ...

Someone already had this issue ?

Thanx.

0 Likes Likes
18 REPLIES 18

rmonvon
L6 Presenter

‎02-07-2012 08:34 PM

Hi...When you define the Authentication Profile, you would select the desired AD group(s) under the 'Allow List'.  You then set Global Protect to use this auth profile and only those users in these group will be permitted.

Thanks.

0 Likes Likes

paloalto.nis
L2 Linker
In response to rmonvon

‎02-08-2012 03:03 AM

Hi,

In Authentication Profile, under the 'Allow List', I can't see my AD groups.

I’ve tried to manually enter the group name but it doesn't work.

In User Identification | Group Mapping, I've been able to include all the AD groups I want to use. And I can see these groups in GlobalProtect Portal | Client Configuration | Source User.

Thanx

0 Likes Likes

g_sipp
Not applicable
In response to rmonvon

‎02-08-2012 03:06 AM

Hi,

In Authentication Profile, under the 'Allow List', I can't see my AD groups.

I’ve tried to manually enter the groups but it doesn’t work.

In User Identification | Group Mapping, I've been able to include all the AD groups I want to use. And I can see these groups in GlobalProtect Portal | Client Configuration |Source User.

Thanx

0 Likes Likes

rmonvon
L6 Presenter
In response to g_sipp

‎02-08-2012 07:07 AM

Within the Authentication Profile, please make sure you set the authentication=LDAP and set the Server Profile=LDAP server.

Also, what version of PAN-OS are you running?

0 Likes Likes

g_sipp
Not applicable
In response to rmonvon

‎02-08-2012 07:42 AM

Within the Authentication Profile, authentication was already set to LDAP and the Server Profile was already set.

I'm running PAN-OS 4.1.2.

0 Likes Likes

rmonvon
L6 Presenter
In response to g_sipp

‎02-08-2012 06:01 PM

If your network has many AD groups, we may not be able to display all the groups.  Maybe you can type in a few letters and allow the system to search for groups matchin those letter.  If that does not work and you have tried manually typing in the group names, then I suggest you open a case with support.  Thanks.

g_sipp
Not applicable
In response to rmonvon

‎02-09-2012 03:42 AM

Thank you very much for your help.

I'll open a case.

0 Likes Likes

kamish
L3 Networker
In response to g_sipp

‎02-09-2012 07:15 AM

I beleive that this is a bug.  We are also running 4.1.2 and I cannot set any OUs in our authentication profile either!  Please update when you get your case resolved.

Thanks!!

0 Likes Likes

rmonvon
L6 Presenter
In response to kamish

‎02-13-2012 02:00 PM

Yes, it has been identified as a bug and is targeted to be fixed in the  next release, 4.1.3. The workaround is to set the Allow List to 'all'  under the Authentication Profile and define a Security Rule to allow access only to the specific AD group.  Thanks.

g_sipp
Not applicable
In response to rmonvon

‎02-14-2012 12:50 AM

OK, thanks again for your help.

0 Likes Likes

cnamurdc
L1 Bithead

‎01-22-2013 01:22 AM

Hi there,

I'm running release 5.0.0, and I'm facing a similar problem.

For a vpn access, I created an authentication profile for a ldap group of users. In the allow list, the existing ldap groups are not displayed, so I cannot select the desired group.

It seems to be related to the bug mentionned in this thread, doesn't it?

Was this bug not fixed?

Thanks for your help.

0 Likes Likes

SCoupland
L3 Networker
In response to cnamurdc

‎02-07-2013 03:18 PM

This bug was fixed in 4.1.4 I believe. Have you added the LDAP groups you wish to use under Device-> User Identification-> Group Mappings? Do they show up in the CLI when you perform a "show user group name ?" ?

0 Likes Likes

cnamurdc
L1 Bithead
In response to SCoupland

‎02-11-2013 03:23 AM

In fact, after having added the LDAP groups in Group Mappings, they appeard in the CLI and I can select them in  the allow list.

However, it is not working properly while testing. A user belonging to one LDAP group cannot be authenticated with the corresponding Authentication Profile.

After a talk with a Palo Alto representative, it seems to be a bug and a case has been opened.

Thanks.

0 Likes Likes

LCMember2262
L1 Bithead
In response to cnamurdc

‎04-04-2013 02:51 AM

Has this bug been squashed? I'm setting my groups under the authentication profile and I still can't authenticate myself unless I use All.

0 Likes Likes
  • 11784 Views
  • 18 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks