https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-hip-check-and-ad-computer-account/m-p/550288#M4227 <P>Hi,</P> <P>The most secure way of checking this I using certificates, checking if the connecting client is using a certificate distributed by your companies PKI.</P> <P><A href="https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/authentication/set-up-client-certificate-authentication" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/authentication/set-up-client-certificate-authentication</A></P> <P>You can even deploy separate certificates per device type using extended key usage and check on the specific OID. (Microsot PKI)</P> <P>On top of the client cert user or machine cert you add SAML/LDAP/RADIUS authentication.</P> <P>&nbsp;</P> <P>Or you can do the check for allowed on you authentication backend RADIUS (NPS/ISE). &nbsp;But this will not disallow users from connecting to portal and trying to authenticate on it. &nbsp;Can only be achieved with certificates. &nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 20 Jul 2023 22:43:04 GMT GOMEZZZ 2023-07-20T22:43:04Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-hip-check-and-ad-computer-account/m-p/548908#M4200 <DIV style="width: 100%;"> <P class="-Zro6 -ZADH IjV6v AnCKd _57WYp"><SPAN class="d0767"><SPAN>Hello,</SPAN></SPAN></P> <DIV id="viewer-9ond84035" class="-Zro6 -ZADH IjV6v _57WYp"><SPAN class="d0767">&nbsp;</SPAN></DIV> <P class="-Zro6 -ZADH IjV6v AnCKd _57WYp"><SPAN class="d0767"><SPAN>I'm currently trying to restrict Global Protect users from logging into the Portal or Gateway with unauthorized devices.</SPAN></SPAN></P> <DIV id="viewer-g2ndq4042" class="-Zro6 -ZADH IjV6v _57WYp"><SPAN class="d0767">&nbsp;</SPAN></DIV> <P class="-Zro6 -ZADH IjV6v AnCKd _57WYp"><SPAN class="d0767"><SPAN>In our setup, all devices that are allowed to connect (mobile, laptops, desktops, etc.) are listed in an Active Directory OU (computer account).</SPAN></SPAN></P> <DIV id="viewer-rpvol4049" class="-Zro6 -ZADH IjV6v _57WYp"><SPAN class="d0767">&nbsp;</SPAN></DIV> <P class="-Zro6 -ZADH IjV6v AnCKd _57WYp"><SPAN class="d0767"><SPAN>I have been unable to find any information on how to configure this restriction in the official documentation or through online resources.</SPAN></SPAN></P> <P class="-Zro6 -ZADH IjV6v AnCKd _57WYp"><SPAN class="d0767"><SPAN>Is it possible to implement this limitation?</SPAN></SPAN></P> <DIV id="viewer-acskw4057" class="-Zro6 -ZADH IjV6v _57WYp"><SPAN class="d0767">&nbsp;</SPAN></DIV> <P class="-Zro6 -ZADH IjV6v AnCKd _57WYp"><SPAN class="d0767"><SPAN>Thanks,</SPAN></SPAN></P> </DIV> Tue, 11 Jul 2023 11:31:32 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-hip-check-and-ad-computer-account/m-p/548908#M4200 BusanaB 2023-07-11T11:31:32Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-hip-check-and-ad-computer-account/m-p/550114#M4218 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/214716">@BusanaB</a> ,</P> <P>&nbsp;</P> <P>One method you could use is to verify the domain retrieved under host info:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TomYoung_0-1689819020181.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/51809iA8A708BEAFDD71F1/image-size/medium?v=v2&amp;px=400" role="button" title="TomYoung_0-1689819020181.png" alt="TomYoung_0-1689819020181.png" /></span></P> <P>&nbsp;</P> <P>If the domain matches the HIP object, then it is a device in the domain.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 20 Jul 2023 02:12:47 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-hip-check-and-ad-computer-account/m-p/550114#M4218 TomYoung 2023-07-20T02:12:47Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-hip-check-and-ad-computer-account/m-p/550288#M4227 <P>Hi,</P> <P>The most secure way of checking this I using certificates, checking if the connecting client is using a certificate distributed by your companies PKI.</P> <P><A href="https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/authentication/set-up-client-certificate-authentication" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/authentication/set-up-client-certificate-authentication</A></P> <P>You can even deploy separate certificates per device type using extended key usage and check on the specific OID. (Microsot PKI)</P> <P>On top of the client cert user or machine cert you add SAML/LDAP/RADIUS authentication.</P> <P>&nbsp;</P> <P>Or you can do the check for allowed on you authentication backend RADIUS (NPS/ISE). &nbsp;But this will not disallow users from connecting to portal and trying to authenticate on it. &nbsp;Can only be achieved with certificates. &nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 20 Jul 2023 22:43:04 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-hip-check-and-ad-computer-account/m-p/550288#M4227 GOMEZZZ 2023-07-20T22:43:04Z