topic Re: VPN SSL - Verification of a login belonging to a AD group in General Topics

VPN SSL - Verification of a login belonging to a AD group

novidys — Wed, 10 Nov 2010 10:29:42 GMT

Hi support,

I have a question regarding the authentification of users through the VPN SSL.

Here is the situation:

Login of the SSL VPN user: AdminLogin
Password of the SSL VPN user: AdminPass
SSL VPN name: AdminSSLVPN
Authentication Profile associated with AdminSSLVPN: AdminAuthProfil

AdminAuthProfil authentication method: Radius server
AdminAuthProfil allow list: DOMAIN\admin (it's a AD group obtained by the user ID agent). AdminLogin is a member of the DOMAIN\admin group.

When the login is submitted to the PAN, i would like to know how the verification of the belonging of AdminLogin to DOMAIN\admin group is done. When a user is usually presented to the AD, the form of the login is the following "DOMAIN\login". As the form of the login is not the same in the AD and when a user log on to the SSL VPN how does it works ?

When AdminLogin connect to the SSL VPN, The PAN will check for the presence of AdminLogin in the group DOMAIN\admin. Or it will fail because the login is not presented like the AD form (DOMAIN\AdminLogin).

Thank you in advance.

Best regards

Re: VPN SSL - Verification of a login belonging to a AD group

pantac — Wed, 10 Nov 2010 14:40:57 GMT

if your RADIUS profile has the domain field correctly configured with the domain name then the PA firewall will prepend the DOMAIN\ portion of the login when doing the RADIUS authentication process.

Re: VPN SSL - Verification of a login belonging to a AD group

novidys — Wed, 10 Nov 2010 15:21:41 GMT

Hi,

My question was not concerning the stage of the authentification with the RADIUS but the stage after (authorisation).

Let's take the precedent exemple to explain our interrogation.

From our understanding of the PAN when a user wants to connect to the SSL VPN there are several steps:

The user connect to the url of the VPN SSL
Submit his login and password
The radius server is first solicited for the authentication stage. The login and password are submitted from the PAN to the Radius server. The Radius then check if the password match for the login. Then is everything is OK the client is authenticated.
After that. There is the stage of the authorisation. The allow list which is associated to the VPN SSL (the user is connected on) is checked. The PAN verify if the login belongs to a group wich is specified in the allow list. This permit after to mount the SSL VPN for that user.

Regarding that. The authentication profil (AdminAuthProfil) for the SSL VPN is configured like this this:

Authentication method: RADIUS
Allow list: AD Groups taken from the User-ID agent. In the allow list we have DOMAIN\admin.

The question is (still regarding our exemple) :

When user connects to the SSL VPN the login that was submitted was AdminLogin and not DOMAIN\AdminLogin.

So when it's the turn of the authorisation stage. When AdminLogin connect to the SSL VPN, The PAN will check for the presence of AdminLogin in the group DOMAIN\admin regarding the "allow list". Or it will fail because the login is not presented like the AD form (DOMAIN\AdminLogin).

Thank you in advance.

Best regards,

Re: VPN SSL - Verification of a login belonging to a AD group

pantac — Wed, 10 Nov 2010 15:27:16 GMT

you need to be running Pan Agent to retrieve the user/group mappings from your AD environment.

Re: VPN SSL - Verification of a login belonging to a AD group

mjacobsen@paloaltonetworks.com — Wed, 10 Nov 2010 15:32:48 GMT

The login will not fail. The system will use the domain string stored with the auth profile to infer the users domain (assuming they have not entered a fully qualified username). This will then map to the groups retrieved from the User Identification Agent and be matched in either the allow list in an auth profile or in security rules based on group.

Mike

Message was edited by: mike EDIT: fixed a missing "not" in the comment about fully qualified username.

Re: VPN SSL - Verification of a login belonging to a AD group

novidys — Wed, 10 Nov 2010 15:59:13 GMT

Ok mike.

So if i reformulate your answer.

If in my allow list, I have the following group: NOVIDYS\tech. And in the AD, Bob belongs to NOVIDYS.

When Bob want to connect to the SSL VPN he only submit Bob. Then the PAN append NOVIDYS to Bob ("NOVIDYS\Bob") and check if he belongs to NOVIDYS\tech (wich is in the allow list) regarding the information the Pan-agent gave to the PAN.

Best regards,

Re: VPN SSL - Verification of a login belonging to a AD group

mjacobsen@paloaltonetworks.com — Wed, 10 Nov 2010 16:14:54 GMT

That's correct.

Mike

Re: VPN SSL - Verification of a login belonging to a AD group

radoslaw.wal — Wed, 29 Feb 2012 19:57:42 GMT

But how to verify to which of the groups (from the firewall point of view) belongs the user being logged in?

Is there a CLI command like "show to which group belongs the user" ?