topic Re: Multi Factor Authentcation (Privacy Idea) just for some Users in GlobalProtect Discussions

Multi Factor Authentcation (Privacy Idea) just for some Users

unibg_it — Thu, 15 Feb 2024 08:20:44 GMT

Good Morning,

we are using Palo Alto 3020 (installed sw 9.1).

We recently tried to implement multi factor authentication with privacy idea. We followed this guide and everything works.

https://www.youtube.com/watch?v=2mIuqmWP-j0&t=1200s

The main problem is that we would like to be able to decide which users should use mfa and which should simply use username and password. we haven't found any way to achieve the goal, the only thing that can be done is to differentiate by operating system. If I moved to the new versions (11) there would be a possibility

Thanks for your help

Re: Multi Factor Authentcation (Privacy Idea) just for some Users

Mick_Ball — Thu, 15 Feb 2024 12:07:49 GMT

Re: Multi Factor Authentcation (Privacy Idea) just for some Users

Mick_Ball — Thu, 15 Feb 2024 12:10:34 GMT

Have you tried using an "authentication sequence".

This way you could put MFA profile at the top of the list and username/password below it. (or the other way around)

If the users are not configured for MFA then the 3020 will try username/password.

If it's the other way round then if your users are not configured for username/password then the 3020 will try MFA.

That's my understanding but never had to use it...

From Palo....

In some environments, user accounts reside in multiple directories (such as LDAP and RADIUS). An authentication sequence is a set of authentication profiles that the firewall tries to use for authenticating users when they log in. The firewall tries the profiles sequentially from the top of the list to the bottom—applying the authentication, Kerberos single sign-on, allow list, and account lockout values for each—until one profile successfully authenticates the user. The firewall only denies access if all profiles in the sequence fail to authenticate. For details on authentication profiles

Re: Multi Factor Authentcation (Privacy Idea) just for some Users

unibg_it — Thu, 15 Feb 2024 12:28:50 GMT

Thank you for your answer. I tried to use it but not solved my problem. We don't have multiple direcorories, users are in AD/ldap and our problem is to understand if there is a way to differentiate users based on ldap group or in another way. For example, if I belong to group x I proceed with username and password, if instead I belong to y I will authenticate with mfa.

Re: Multi Factor Authentcation (Privacy Idea) just for some Users

Mick_Ball — Thu, 15 Feb 2024 13:09:22 GMT

Group membership is not available at this point as user has not actually authenticated.

do your users know which method they should be using?

I would have thought if you logged in with MFA and ldap was top of the list, the ldap auth will fail, it will then automatically try MFA which I assume would pass...

The only other option I can think of is to have a different portal for both sets of users... both portals point to the same gateways but use cookies for authentication override for that gateway.

Re: Multi Factor Authentcation (Privacy Idea) just for some Users

unibg_it — Thu, 15 Feb 2024 13:27:41 GMT

do your users know which method they should be using?

yes,

Different portal could be a good Idea. Do you have any reference guide to implement?

thank you

Re: Multi Factor Authentcation (Privacy Idea) just for some Users

unibg_it — Thu, 15 Feb 2024 15:49:38 GMT

Could I assign a multiple address (/32) on external interface in order having multiple gateways?

Re: Multi Factor Authentcation (Privacy Idea) just for some Users

Mick_Ball — Fri, 16 Feb 2024 09:30:01 GMT

Do you mean multiple portals, multiple gateways may require additional GP license…

yes you can…. Select the network interface for you current portal and select add sub interface at bottom of page..

Re: Multi Factor Authentcation (Privacy Idea) just for some Users

BPry — Fri, 16 Feb 2024 14:05:25 GMT

While multiple gateways used to be a licensed feature, that's no longer the case and is included with the product. You really could do this with either multiple portals or you could just leverage multiple gateways and client configurations to direct the user to the proper gateway with the additional MFA authentication or not.

The advantage of using multiple gateways instead of multiple portals is that you can give out the same portal address regardless of the user and never have to go through a portal migration. The downside is that authentication is ever so slightly more annoying when you're enforcing MFA on the gateway, but not massively so. Multiple portals is the "cleanest" way of doing things in my mind, you just have to be mindful that you won't have a single portal address to communicate to all of your users.

Re: Multi Factor Authentcation (Privacy Idea) just for some Users

unibg_it — Fri, 16 Feb 2024 21:47:37 GMT

Thank you everybody for your answer. I will test multiple portal. I think this is right solution for my environment