topic Re: How to block access to internet based on User name and group in General Topics

How to block access to internet based on User name and group

ABAdmin — Wed, 04 Nov 2015 18:01:58 GMT

We have a request from our teachers for a way to block access to the internet based on students' username.Oh - and the teacher needs to be able to grant or deny this access from a simple interface...

Myself and my colleague are scratching our heads on this one.

What we are thinking is of trying to leverage Active Directory Groups in our PAN and have a simple GUI that would a teacher can edit and which would post a command through to the PAN to grant or deny access for the student\ class group.

I am wondering if using the PAN CLI (with the User-Agent) would be able to accomplish this... Or if custom ACLs would be better.

Has anyone created something similar for use in education? A way for teachers to have direct access via a 3rd party interface and set permissions for a student or group?

Any tips and information is GREATLY appreciated!

Re: How to block access to internet based on User name and group

RC-BHF — Wed, 04 Nov 2015 21:49:14 GMT

You can use LDAP look up from you PA to get group from AD.

Have look on the Admin guide

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-LDAP-Server-Profile/ta-p/58689

Re: How to block access to internet based on User name and group

OtakarKlier — Wed, 04 Nov 2015 22:59:04 GMT

So to expand on what has already been suggested, with respect to AD groups. This is possible and I have done this in the past very successfully. The tricky part comes in where you need to have the teachers modify the groups. You could create an AD group and allow the teachers to be the owners, that way they can just do this on their own. However this is scary if this is a shared group (I wouldnt do this). Where I have done this in the past, the Support Desk (tier1) techs could do this based on tickets. That way there was a record and accountability. Regardless of what the teachers would like, I would be very worried about giving them access to modify an AD group. Perhaps the override feature could be used on false positives? But that password gets spead like wildfire. Or instead of a block page they could get a continue page and then the teacher could request alternative access? This way class is not halted and order is maintained.

Just some thoughts.

Re: How to block access to internet based on User name and group

ABAdmin — Fri, 13 Nov 2015 08:58:29 GMT

Thanks for the information! We are going to hold this in reserve. At least we know that it is feasably possible.

We are speaking to one of the regional municipalities about their in house solution. It seems they have made something like this that we may possibly "copy and paste".

Wouldn't that be great if it worked 😉

Have a good weekend.