Hardware reference guide
GlobalProtect Administrator’s Guide
Set Up GlobalProtect User Authentication | Set Up the GlobalProtect Infrastructure
Set Up External Authentication
The following workflow describes how to set up the portal and/or gateway to authenticate users against an existing authentication service. GlobalProtect supports external authentication using LDAP, Kerberos, or RADIUS.
For more information, see Supported GlobalProtect Authentication Methods or watch a video.
GlobalProtect also supports local authentication. To use this authentication method, create a local user database that contains the users and groups you want to allow into the VPN (Device > Local User Database) and then reference it in the authentication profile.
Set Up External User Authentication
Step 1 Create a server profile.
The server profile instructs the firewall how to connect to an external authentication service and access the authentication credentials for your users.
If you are using LDAP to connect to Active Directory (AD), you must create a separate LDAP server profile for every AD domain.
1. Select Device > Server Profiles and select the type of profile (LDAP, Kerberos, or RADIUS).
2. Click Add and enter a Name for the profile, such as GP-User-Auth.
3. (LDAP only) Select the Type of LDAP server you are connecting to.
4. Click Add in the Servers section and then enter the information required to connect to the authentication service, including the server Name, IP Address (or FQDN), and Port.
5. (RADIUS and LDAP only) Specify settings to enable the firewall to authenticate to the authentication service as follows:
   • RADIUS—Enter the shared Secret when adding the server entry.
   • LDAP—Enter the Bind DN and Bind Password.
6. (LDAP and Kerberos only) Specify where to search for users in the directory service:
   • LDAP—The Base DN specifies where in the LDAP tree to begin searching for users and groups. This field should populate automatically when you enter the server address and port. If it doesn’t, check the service route to the LDAP server.
   • Kerberos—Enter the Kerberos Realm name.
7. Specify the Domain name (without dots, for example acme not acme.com). This value will be appended to the username in the IP address to username mappings for User-ID.
8. Click OK to save the server profile.
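
Before entering the values from Step 1 in the web interface, a planned set of server profiles can be checked against the rules above: the fields each profile type needs, the Domain format, and one LDAP profile per AD domain. The following is an added example, not part of the guide and not Palo Alto Networks code; the dictionary field names, the helper functions and the sample plan are assumptions made for the illustration.

```python
# Field names below are hypothetical labels for this example, not PAN-OS keys.
REQUIRED = {"ldap": ("ldap_type", "bind_dn", "bind_password", "base_dn"),
            "kerberos": ("realm",), "radius": ()}

def ad_domain(dn):
    """Join the DC= components of a DN: 'OU=x,DC=acme,DC=com' -> 'acme.com'."""
    labels = []
    for part in dn.split(","):
        key, _, value = part.partition("=")
        if key.strip().lower() == "dc":
            labels.append(value.strip().lower())
    return ".".join(labels)

def check_profile(p):
    """Return the problems found in one planned server profile."""
    kind = p.get("type", "").lower()
    if kind not in REQUIRED:
        return [f"unknown profile type {p.get('type')!r}"]
    problems = [f"{kind} profile is missing {f}"
                for f in ("name",) + REQUIRED[kind] if not p.get(f)]
    if not p.get("servers"):
        problems.append("no servers listed")
    for s in p.get("servers", []):
        label, port = s.get("name", "?"), s.get("port")
        if not s.get("address"):
            problems.append(f"server {label}: no IP address or FQDN")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append(f"server {label}: invalid port {port!r}")
        if kind == "radius" and not s.get("secret"):
            problems.append(f"server {label}: no shared secret")
    if "." in p.get("domain", ""):
        problems.append("Domain must not contain dots (acme, not acme.com)")
    return problems

def domains_without_profile(profiles, ad_domains):
    """AD domains that no LDAP profile's Base DN covers (one profile each)."""
    covered = {ad_domain(p.get("base_dn", "")) for p in profiles
               if p.get("type", "").lower() == "ldap"}
    return sorted(d.lower() for d in ad_domains if d.lower() not in covered)

# Constructed sample plan (addresses from the documentation range 192.0.2.0/24).
PLANNED = [
    {"type": "LDAP", "name": "GP-User-Auth", "ldap_type": "active-directory",
     "servers": [{"name": "dc1", "address": "192.0.2.10", "port": 389}],
     "bind_dn": "CN=svc-gp,OU=Service,DC=acme,DC=com", "bind_password": "<set>",
     "base_dn": "DC=acme,DC=com", "domain": "acme.com"},
    {"type": "RADIUS", "name": "GP-Radius", "domain": "acme",
     "servers": [{"name": "rad1", "address": "192.0.2.20", "port": 1812}]},
]
```

Run over the sample plan, the LDAP profile is flagged for its dotted Domain value, the RADIUS server for its missing shared secret, and a second AD domain passed to domains_without_profile is reported as having no LDAP profile of its own.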