I have Duo SSO working with Palo Alto GlobalProtect but I am unable to utilize domain groups. If I apply a domain group in my GP gateway I am unable to connect and I receive an error stating ‘matching client config not found’.
That sounds like you need to configure under “Firewall - Network Tab - GlobalProtect - Portals - GlobalProtect Portal Configuration - Agent” a specific client config that is tied to your LDAP security group for your domain users who are to have access to the GlobalProtect VPN connection, and are also defined in the Duo Admin panel under the specific policy(ies) associated with GlobalProtect.
Hope this helps.
Thanks for giving such a concise, clear answer here, Kevin!
FCalderone, I also found a help article in the Palo Alto knowledge base that confirms the steps Kevin has shared here if you need more context or guidance: Connection to GlobalProtect is Failing with Error "Matching client config not found"
The solution did not work. Duo does not recognize the domain group or pass it on after authentication. I have this working fine on GlobalProtect using just LDAP as authentication and restricting the logon to a specific domain group, and then I write rules to that specific domain group. But when I switch the authentication method to Duo on the Portal and Gateway, I am unable even to log in.
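One way to separate "the IdP is not sending group membership" from "the firewall's client config does not match it" is to look at what the assertion actually carries. The following is an added example, not code from this thread, from Duo or from Palo Alto: it parses a SAML assertion (Duo SSO is a SAML identity provider) and reports whether a group attribute is present and whether the required group appears in it. The attribute name `groups`, the sample assertions and the group names are constructed assumptions; the real attribute name depends on how the IdP application is configured.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an assertion that does carry a group attribute.
# Not captured from a real Duo / GlobalProtect exchange.
SAMPLE_WITH_GROUPS = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="_constructed-1" Version="2.0">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>VPN-Users</saml:AttributeValue>
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: the same user, but the IdP sends no group attribute.
SAMPLE_NO_GROUPS = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="_constructed-2" Version="2.0">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement(s).

    xml.etree is used here only because the input is a constructed sample;
    for assertions taken from real traffic, parse with defusedxml instead.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def check_group_membership(assertion_xml, required_group, group_attr="groups"):
    """Return (ok, reason) describing whether the assertion proves membership.

    group_attr is an assumed attribute name; use the one configured on the IdP.
    """
    attrs = extract_attributes(assertion_xml)
    if group_attr not in attrs:
        return False, (f"assertion carries no '{group_attr}' attribute; "
                       "the IdP is not passing group membership")
    if required_group in attrs[group_attr]:
        return True, f"'{required_group}' present in '{group_attr}'"
    return False, f"'{required_group}' not among {attrs[group_attr]}"


if __name__ == "__main__":
    for label, sample in (("with groups", SAMPLE_WITH_GROUPS),
                          ("no groups", SAMPLE_NO_GROUPS)):
        ok, reason = check_group_membership(sample, "VPN-Users")
        print(f"{label}: {'OK' if ok else 'FAIL'} - {reason}")
```

If the "no group attribute" case is what a real assertion shows, the client config on the firewall cannot match on the group no matter how it is written; the fix then sits on the IdP side (or in a separate group-mapping source) rather than in the portal's agent configuration.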