topic Re: Global Protect Authentication in General Topics

Global Protect Authentication

PerTenggren — Tue, 19 Sep 2017 07:02:36 GMT

Hi!

I've a scenario where the authentication methods needs to be different for some users connecting via Global Protect. Basically two options needs to be supported:

Certificate + username/password (LDAP) – Internal users
Username/password (LDAP) + 2FA (RADIUS) – External users (consultants etc.)

How can this be setup with PAN?

Re: Global Protect Authentication

Mick_Ball — Tue, 19 Sep 2017 07:54:05 GMT

just looking at this makes me think you will need seperate portals for internal users and external users.

purely because device/user certificate authentication is a global auth setting for the authentication tab in portal settings.

if you include radius as an option then they will also require the same cert.

i assume you are talking about device certs and not user specific certs issued vi PKI.

not sure about MFA on the portal but you can do secondary auth via policies.

also.. not sure why you would mix 2 factor radius with username password....

Re: Global Protect Authentication

PerTenggren — Tue, 19 Sep 2017 08:44:48 GMT

Ok, is it possible to have multiple portals with the same IP but different FQDNs?

"also.. not sure why you would mix 2 factor radius with username password...."

- I don't really understand this statement/question. PAN don't support native SecureID, that's why radius.

Re: Global Protect Authentication

Mick_Ball — Tue, 19 Sep 2017 09:12:47 GMT

no because the portal is based on the ip address of the interface.

plus.. you can only have 1 certificate in your ssl/tls profile for that portal. (yes this can be a wildcard or SAN)

you may be able to do something clever with a loopback address but well beyond my knowledge as this would require connecting on a different port via GP and I'm sure this is not possible unless anyone else can advise further.

for the same reason as described earlier.... we have different portals for laptop users, ipad users, 3rd party support and "loan laptops" as they all have a different mix of device certs, user certs via AD PKI, Radius and lDAP.

Re: Global Protect Authentication

Mick_Ball — Tue, 19 Sep 2017 09:23:53 GMT

sorry..

"also.. not sure why you would mix 2 factor radius with username password...."

- I don't really understand this statement/question. PAN don't support native SecureID, that's why radius.

yes I understand why you would use Radius but you stated an authentication process that used "username/password" and Radius.

perhaps i missunderstood the statement..

Username/password (LDAP) + 2FA (RADIUS) – External users (consultants etc.)

i'm thinking Radius will include something you are, have and know, I have allways accepted this as acceptable for VPN auth.

but then, i don't work for you...

Re: Global Protect Authentication

PerTenggren — Tue, 19 Sep 2017 09:39:14 GMT

RADIUS will provide a token from SecureID, othwise it's not a second factor compare to username/password.

Re: Global Protect Authentication

Mick_Ball — Tue, 19 Sep 2017 09:51:51 GMT

yes OK, been here before, difference between MF (multi Factor) = username and password, followed by radius.

or 2F (two factor) = username with a PIN and a passcode.

how secure you make it is up to you.

for us we have similar but not via the portal.

our 3rd paty support/contractors use 2F for VPN connection, the firewall policy lets them only go to specific addresses on specific ports, and then they use username and password to connect to the allowed device, usually RDP, FTP etc...

It's up to you...

Re: Global Protect Authentication

PerTenggren — Wed, 27 Sep 2017 08:01:51 GMT

Anyone else?