topic Re: Globalprotect-Need use Local database users and PingID for auth(MFA) in GlobalProtect Discussions

Globalprotect-Need use Local database users and PingID for auth(MFA)

Jose_Espinoza — Tue, 13 Jul 2021 17:24:55 GMT

hello team

We have this small database of users for Global Protect for our staff , however, we will like to add the MFA with PingID, following the configuration steps from vendor alyways mention LDAP as an authentication server, then our question: could we use the local database from the PA and not to jump to an AD server?

did someone had have experienced with this type of deploy that can provide feedback relate?

we know that with DUO or OKTA cannot be done, their KB's state that not.

cordially

jose

Re: Globalprotect-Need use Local database users and PingID for auth(MFA)

Maynard-Fayetteville — Tue, 13 Jul 2021 17:32:29 GMT

I, too, am interested in setting up MFA that doesn't touch our inside network. I don't understand why it is such a big deal? 1Password, Google, Microsoft....can't we use ANY of those? I have no desire, or ever will, want to tie my firewall to my internal domain. Ever. We need options.

Re: Globalprotect-Need use Local database users and PingID for auth(MFA)

Mick_Ball — Wed, 14 Jul 2021 05:56:37 GMT

The pingid docs state...

PingFederate authenticates the user’s credentials with the user repository, such as an LDAP server, as first-factor authentication.

I don't see why you cannot add a local users auth profile to the MFA. Or indeed any external auth server...

perhaps they assume as you are logging into a windoze device you are already a domain member so why not use LDAP. If you are not, then use something else as the first factor.

Re: Globalprotect-Need use Local database users and PingID for auth(MFA)

Jose_Espinoza — Wed, 14 Jul 2021 22:29:44 GMT

the reason to ask is because there is not a documented answer to cover local databse user usage for PingID, like DUO did it, we are assuming that we can but , we will need to create a lab a provision a VM (do the whole process to validate if is feasible or not the local database of users from the PA) to test if PingID will work with the local DB or not, anyway, if someone tried and did not work , so, can tell us first hand will be great. Anyway if the scenario is not positive we will need to find another solution without add a AD piece for such small population of users.

cordially

jose

Re: Globalprotect-Need use Local database users and PingID for auth(MFA)

Mick_Ball — Thu, 15 Jul 2021 09:22:33 GMT

I have not tried it but I can't see why it would fail, there are many MFA solutions available, probably hundreds if you include self written solutions so not all scenarios will be scripted. Good Luck with your testing...

Re: Globalprotect-Need use Local database users and PingID for auth(MFA)

Jose_Espinoza — Thu, 15 Jul 2021 17:42:51 GMT

thanks, we will try today the set up for PingID, the issue for MFA on PA there is an specific number of vendors that can be integrated, not all of the MFA vendors are supported by PA like google authenticator, etc, I will post here the results of PingID test anyway. cheers.

Re: Globalprotect-Need use Local database users and PingID for auth(MFA)

Maynard-Fayetteville — Tue, 19 Oct 2021 19:51:02 GMT

*ping* did you have any luck?