<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: User-ID for Non-AD Operating Systems? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-for-non-ad-operating-systems/m-p/180073#M55805</link>
    <description>&lt;P&gt;Thanks&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603"&gt;@Raido_Rattameister&lt;/a&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I suspected captive portal would be the way to go but wasn't sure how to go about implementing it.&amp;nbsp; This gave me some ideas.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I also found this concerning the logoff if anyone is interested:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.theinsecurewire.com/2016/10/10/palo-alto-api-captive-portal-logout/" target="_self"&gt;https://www.theinsecurewire.com/2016/10/10/palo-alto-api-captive-portal-logout/&lt;/A&gt;&lt;/P&gt;</description>
    <pubDate>Wed, 04 Oct 2017 13:32:58 GMT</pubDate>
    <dc:creator>jsalmans</dc:creator>
    <dc:date>2017-10-04T13:32:58Z</dc:date>
    <item>
      <title>User-ID for Non-AD Operating Systems?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-for-non-ad-operating-systems/m-p/179638#M55714</link>
      <description>&lt;P&gt;I'm curious what others out there are doing for user identification for systems that don't integrate with AD?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My understanding for Mac OSX was that some are popping up a GlobalProtect client login that requires them to enter their domain credentials to continue but then just uses it for ID purposes and does not establish a tunnel.&amp;nbsp; I was curious how you'd enforce the sign-in?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It also sounds like there is going to be a strong push for *nix operating systems on the campus for research purposes.&amp;nbsp; That seems like it will be even more problematic than the OSX.&amp;nbsp; With no GlobalProtect client, the only thing I can think of would be captive portal.&amp;nbsp; I hesitate to apply a captive portal to an entire network since there will likely be domain joined PCs on the same network that wouldn't need it (unless I can configure an order so the Captive Portal doesn't appear if they've already got User ID from AD).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We may eventually look at a NAC solution like Cisco ISE to apply to our academic wired networks but that is a ways off yet and I'm not sure how much it will help with the operating systems mentioned above.&lt;/P&gt;</description>
      <pubDate>Mon, 02 Oct 2017 18:19:35 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-for-non-ad-operating-systems/m-p/179638#M55714</guid>
      <dc:creator>jsalmans</dc:creator>
      <dc:date>2017-10-02T18:19:35Z</dc:date>
    </item>
    <item>
      <title>Re: User-ID for Non-AD Operating Systems?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-for-non-ad-operating-systems/m-p/179687#M55716</link>
      <description>&lt;P&gt;GlobalProtect does not need to pop up credential window every time - it makes sense to allow users to save credentials.&lt;/P&gt;&lt;P&gt;Inside organisation just for UserID, outside for tunnel.&lt;/P&gt;&lt;P&gt;In security policy you allow unauthenticated users only to authenticate and access to internal resources only for specific groups (it means UserID has been validated).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;GlobalProtect runs fine with Cisco Anyconnect client, IOS and Android built in VPN clients and also with Linux if you enable X-auth on GlobalProtect Gateway config.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Just a few things to keep in mind with third party clients:&lt;/P&gt;&lt;P&gt;&lt;A title="https://live.paloaltonetworks.com/t5/Configuration-Articles/Split-Tunneling-for-VPNC-Client-on-Linux-Distributions/ta-p/57244" href="https://live.paloaltonetworks.com/t5/Configuration-Articles/Split-Tunneling-for-VPNC-Client-on-Linux-Distributions/ta-p/57244" target="_blank"&gt;https://live.paloaltonetworks.com/t5/Configuration-Articles/Split-Tunneling-for-VPNC-Client-on-Linux-Distributions/ta-p/57244&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 02 Oct 2017 21:42:19 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-for-non-ad-operating-systems/m-p/179687#M55716</guid>
      <dc:creator>Raido_Rattameister</dc:creator>
      <dc:date>2017-10-02T21:42:19Z</dc:date>
    </item>
    <item>
      <title>Re: User-ID for Non-AD Operating Systems?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-for-non-ad-operating-systems/m-p/179828#M55746</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603"&gt;@Raido_Rattameister&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I probably should have clarified that at least some of these are lab computers which means different users will be getting up and sitting down at them all of the time.&amp;nbsp; It is quite possible that they'll be using the same computer user account since these devices won't be joined to the domain.&amp;nbsp; In that case, I'll probably not want them to be able to save credentials.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;That would just be for Mac OSX anyways since, to my knowledge, there isn't a GP client for *nix systems like Ubuntu.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Tue, 03 Oct 2017 13:36:25 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-for-non-ad-operating-systems/m-p/179828#M55746</guid>
      <dc:creator>jsalmans</dc:creator>
      <dc:date>2017-10-03T13:36:25Z</dc:date>
    </item>
    <item>
      <title>Re: User-ID for Non-AD Operating Systems?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-for-non-ad-operating-systems/m-p/179953#M55787</link>
      <description>&lt;P&gt;In this case I would go with Captive Portal.&lt;/P&gt;&lt;P&gt;Captive Portal is shown only to users when UserID is unknown so no issue with domain joined PCs (as always test your configuration with a few test machines before you enable for whole zone/subnet).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If multiple users are using same computers then you would need to choose either short cache lifetime (captive portal is presented to users often as maybe user has been changed) or implement logout page.&lt;/P&gt;&lt;P&gt;I have not seen Captive Portal logoff page but it should not be hard to create one with combination of logoff page address in custom URL category and response page that executes user logoff API call if script on response page finds URL category to match this custom logoff URL category.&lt;/P&gt;</description>
      <pubDate>Wed, 04 Oct 2017 04:13:31 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-for-non-ad-operating-systems/m-p/179953#M55787</guid>
      <dc:creator>Raido_Rattameister</dc:creator>
      <dc:date>2017-10-04T04:13:31Z</dc:date>
    </item>
    <item>
      <title>Re: User-ID for Non-AD Operating Systems?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-for-non-ad-operating-systems/m-p/180073#M55805</link>
      <description>&lt;P&gt;Thanks&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603"&gt;@Raido_Rattameister&lt;/a&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I suspected captive portal would be the way to go but wasn't sure how to go about implementing it.&amp;nbsp; This gave me some ideas.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I also found this concerning the logoff if anyone is interested:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.theinsecurewire.com/2016/10/10/palo-alto-api-captive-portal-logout/" target="_self"&gt;https://www.theinsecurewire.com/2016/10/10/palo-alto-api-captive-portal-logout/&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 04 Oct 2017 13:32:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-for-non-ad-operating-systems/m-p/180073#M55805</guid>
      <dc:creator>jsalmans</dc:creator>
      <dc:date>2017-10-04T13:32:58Z</dc:date>
    </item>
  </channel>
</rss>

