https://live.paloaltonetworks.com/t5/general-topics/global-protect-2-factor-auth-user-id-mapping/m-p/37266#M27336 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P></P><P>I'm migrating from ASA to Palo Alto including user VPN access (AnyConnect).&nbsp; The setup will be 2 factor authentication with LDAP/Kerberos (not sure which yet) for the portal and OTP via RADIUS for the gateway.</P><P></P><P>The current setup allows access lists to be applied via the vpn policy to each authenticated user group limiting their access to internal resources.</P><P></P><P>My thought is to be able to build security policies providing these same limits that are based on the appropriate AD group.&nbsp; This would allow me to have a single GP gateway &amp; pool but still provide the same granularity they have now.</P><P></P><P>My question is, does the user's AD username passthrough from the portal and mapped to their users GP IP even with RADIUS being used on the gateway?&nbsp; I'm trying to avoid having to setup separate gateways with separate IP pools and having to base my security policies on the GP IP pools.</P><P></P><P>I'm looking for best practices way of configuring this.</P><P></P><P>Thanks for any suggestions.</P></BODY></HTML> Thu, 17 Apr 2014 03:23:39 GMT CafNetMatt 2014-04-17T03:23:39Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-2-factor-auth-user-id-mapping/m-p/37266#M27336 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P></P><P>I'm migrating from ASA to Palo Alto including user VPN access (AnyConnect).&nbsp; The setup will be 2 factor authentication with LDAP/Kerberos (not sure which yet) for the portal and OTP via RADIUS for the gateway.</P><P></P><P>The current setup allows access lists to be applied via the vpn policy to each authenticated user group limiting their access to internal resources.</P><P></P><P>My thought is to be able to build security policies providing these same limits that are based on the appropriate AD group.&nbsp; This would allow me to have a single GP gateway &amp; pool but still provide the same granularity they have now.</P><P></P><P>My question is, does the user's AD username passthrough from the portal and mapped to their users GP IP even with RADIUS being used on the gateway?&nbsp; I'm trying to avoid having to setup separate gateways with separate IP pools and having to base my security policies on the GP IP pools.</P><P></P><P>I'm looking for best practices way of configuring this.</P><P></P><P>Thanks for any suggestions.</P></BODY></HTML> Thu, 17 Apr 2014 03:23:39 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-2-factor-auth-user-id-mapping/m-p/37266#M27336 CafNetMatt 2014-04-17T03:23:39Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-2-factor-auth-user-id-mapping/m-p/37267#M27337 <HTML><HEAD></HEAD><BODY><P>Figured I'd reply with the answer just in case anyone else has the same question.</P><P></P><P>There's a post out there that discusses making sure to fill in the NetBIOS domain name in the 'domain' box in the authentication profile.&nbsp; This applies not just to LDAP but to RADIUS.&nbsp; When you fill this in you will get the DOMAIN\userid in the traffic log and security policies based on a domain security group work.</P></BODY></HTML> Fri, 18 Apr 2014 22:53:36 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-2-factor-auth-user-id-mapping/m-p/37267#M27337 CafNetMatt 2014-04-18T22:53:36Z