How to Assign a Fixed IP address to GlobalProtect Users with Active Directory (LDAP) Authentication using the Framed-IP-Address attribute.
Created On 07/10/20 09:47 AM - Last Modified 08/05/20 20:37 PM
Objective
- Fixed IP Address allocation for GlobalProtect Users with Active Directory Authentication.
- Control over the IP address assignment is on the Active Directory Server and not on the GlobalProtect user machine.
- Make use of the "Retrieve Framed-IP-Address attribute from authentication server" checkbox available under Client Settings IP Pools tab.
Environment
- Palo Alto Networks Firewall with GlobalProtect configured.
- Active Directory (LDAP) Server being used for authenticating GlobalProtect users.
- Fixed IP Address assignment to GlobalProtect users with control from Active Directory Server.
Procedure
- Set up GlobalProtect with the required settings and Active Directory (LDAP) authentication.
- Enable the GlobalProtect Gateway to request the Framed-IP-Address attribute from the Active Directory Server.
  - Check "Retrieve Framed-IP-Address attribute from authentication server" at Network -> GlobalProtect -> Gateways -> <Name_of_Gateway> -> Agent -> Client Settings -> Config -> IP Pool
- Configure the Framed-IP-Address attribute on the AD Server for the user:
  - Open the properties of the user on the Active Directory Server.
  - Go to the "Dial-in" tab.
  - Check "Assign Static IP Addresses" and click the "Static IP Addresses" button.
  - Check "Assign a static IPv4 address:" and enter the fixed IP address that needs to be assigned to that GlobalProtect user.
Additional Information
- The corresponding decimal value of the IP address configured can be seen under the "Attribute Editor" tab of the user properties in the Attribute "msRADIUSFramedIPAddress".
- For example, the IP address 10.122.5.66 is 175768898 in decimal format.
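
The following is an added example, not part of the original article or any Palo Alto Networks tooling: it converts between dotted IPv4 addresses and the integer shown in msRADIUSFramedIPAddress, and flags addresses assigned to more than one user. It relies on the attribute being stored as a signed 32-bit integer, so addresses from 128.0.0.0 upward appear as negative numbers; the function names and the sample records are constructed for illustration.

```python
import ipaddress
from collections import defaultdict


def ip_to_attr(ip: str) -> int:
    """Dotted IPv4 -> integer as displayed in msRADIUSFramedIPAddress."""
    n = int(ipaddress.IPv4Address(ip))
    # AD stores the value as a signed 32-bit integer, so the top half of
    # the IPv4 space wraps around to negative numbers.
    return n - 2**32 if n >= 2**31 else n


def attr_to_ip(value: int) -> str:
    """Attribute integer (signed or unsigned form) -> dotted IPv4."""
    if not -2**31 <= value < 2**32:
        raise ValueError(f"not a 32-bit value: {value}")
    return str(ipaddress.IPv4Address(value % 2**32))


def find_duplicates(records):
    """Return {ip: [users]} for every address assigned to more than one user.

    records: iterable of (username, msRADIUSFramedIPAddress value) pairs,
    e.g. taken from an export of the directory.
    """
    by_ip = defaultdict(list)
    for user, value in records:
        by_ip[attr_to_ip(value)].append(user)
    return {ip: users for ip, users in by_ip.items() if len(users) > 1}


# Constructed sample records (hypothetical users, not real data).
SAMPLE = [
    ("alice", 175768898),    # 10.122.5.66, the value from the article
    ("bob", 175768899),      # 10.122.5.67
    ("carol", 175768898),    # same address as alice -> conflict
    ("dave", -1062731519),   # 192.168.1.1 in signed form
]

if __name__ == "__main__":
    for user, value in SAMPLE:
        print(f"{user:6} {value:>12} {attr_to_ip(value)}")
    for ip, users in find_duplicates(SAMPLE).items():
        print(f"duplicate fixed IP {ip}: {', '.join(users)}")
```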