https://live.paloaltonetworks.com/t5/general-topics/globalprotect-multiple-authentication-profiles-external/m-p/590429#M117617 <P>We have only one public IP address and we didn't want to overcomplicate it too much with loopback interfaces.</P> Wed, 26 Jun 2024 07:04:04 GMT typovy 2024-06-26T07:04:04Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-multiple-authentication-profiles-external/m-p/590343#M117602 <P>Hi <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Im looking for solution. I need to configure global protect to:</P> <UL> <LI>Login LDAP users. For ldap users it has to check if client has machine certificate on it</LI> <LI>Login external contractors. They have accounts created on palo device and there is no need to check for certificate</LI> </UL> <P>And im stuck to be honest. Im coming from cisco networking where i can create multiple profiles with separate configurations.</P> <P>Is it possible to create it on palo with only one GPPortal and one GPGateway?</P> <P>I configured authentication tab like below and it successfully login ldap users and check for certificate but it dont work for local users. I understand that is because those 2 client authentication methods dont work as i though and i need authentication sequence.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="typovy_0-1719334094268.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60494i1D9F19D3C4377608/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="typovy_0-1719334094268.png" alt="typovy_0-1719334094268.png" /></span></P> <P>So i made a sequence but now if i set "Allow authentication with user credentials or client certificate" to no (because i want to check ldap user cert) local users cant log in because they dont have cert. I feel little bamboozled <span class="lia-unicode-emoji" title=":confused_face:">😕</span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="typovy_1-1719334313928.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60495iEFB65DE5D8ACC86F/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="typovy_1-1719334313928.png" alt="typovy_1-1719334313928.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 25 Jun 2024 16:52:05 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-multiple-authentication-profiles-external/m-p/590343#M117602 typovy 2024-06-25T16:52:05Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-multiple-authentication-profiles-external/m-p/590357#M117605 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/296261">@typovy</a>,</P> <P>Any reason why you're trying to limit yourself to one portal and one gateway? Personally I would recommend having contractors completely separate from your normal users. I isolate them to their own zone completely with a dedicated portal and gateway to utilize going forward. It makes it so I don't have to worry about a misconfiguration granting access to contractors when it shouldn't, and then you don't need to worry about competing authentication settings at all.</P> Tue, 25 Jun 2024 20:18:19 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-multiple-authentication-profiles-external/m-p/590357#M117605 BPry 2024-06-25T20:18:19Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-multiple-authentication-profiles-external/m-p/590429#M117617 <P>We have only one public IP address and we didn't want to overcomplicate it too much with loopback interfaces.</P> Wed, 26 Jun 2024 07:04:04 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-multiple-authentication-profiles-external/m-p/590429#M117617 typovy 2024-06-26T07:04:04Z