Setting up dual authentication or single authentication based on the user group in global protect

Gururaj — Sat, 08 Jul 2017 16:42:21 GMT

Hi All,

We have the requirement where we have to setup dual authentication for some set (Group) of user and single authentication for remaining global protect user. Is this duable? if yes, please provide info.

Note : We have the single gateway.

Regards,

Guru

Re: Setting up dual authentication or single authentication based on the user group in global protec

acc6d0b3610eec313831f7900fdbd235 — Sat, 08 Jul 2017 17:02:53 GMT

Hi @Gururaj
Are you using PAN-OS 8.0.x?

I would setup two Authentication profiles and one Authentication Sequence profile.
For example:
Authentication profiles:

LDAP-PROFILE01
- Two Factor: Enabled
- Advanced: Specify the AD group you want to enforce two factor authenticantion
LDAP-PROFILE02
- Two Factor: Disabled
- Advanced: Specify "All" or the specific AD group which should not have two factor authentication enforced

Authentication Sequence:

LDAP-AUTH-SEQUENCE
- Add LDAP-PROFILE01
- Add LDAP-PROFILE02

Note: The authentication sequence will try to match the username against each one of the profiles above in a sequence, once it matches, and access is validated the access is granted.

GlobalProtectPortal

Specify the LDAP-AUTH-SEQUENCE Profile

GlobalProtect Gateway

Specify the LDAP-AUTH-SEQUENCE Profile

You can still speicify in the User/Group tab inside the portal and gateway configuration the AD groups you want to allow, but the auth factor will be enforced via the profiles created before.

I hope it makes sense.

topic Setting up dual authentication or single authentication based on the user group in global protect in General Topics

Setting up dual authentication or single authentication based on the user group in global protect

Re: Setting up dual authentication or single authentication based on the user group in global protec