topic Re: How to limit global protect for specific android/ios users? in General Topics

How to limit global protect for specific android/ios users?

SThatipelly — Mon, 18 Jun 2018 16:20:18 GMT

I have an interesting scenario. We have windows users accessing global protect. I am looking to buy gateway license to enable a set of users(10) out of 400 users to use android/iphone to connect to vpn. We have IBM MaaS360 MDM installed on phone to collect mobile attributes. Is there a way I can enforce a policy to limit specific users to use mobile phones?

Your help is greatly appreciated. TIA

Re: How to limit global protect for specific android/ios users?

BPry — Mon, 18 Jun 2018 16:37:51 GMT

@SThatipelly,

There is actually a few different places that you could do something like this.

1) You could build out a special Authentication Profile specific to a group that is allowed to login via mobile devices and set the GlobalProtect Portal 'Authentication' Client Auth settings to include an entry that specifically lists the OS as [ Android iOS WindowsUWP ] and limit the other Client Auth settings specific to [ Browser Linux Mac ] and any user not included in the new profile simply couldn't auth if they attempted to utilize a mobile client.

This option would limit the Auth from a Portal perspective.

2) You could do the exact same thing but from the Gateway Auth page.

You could take it a step further and utilize a HIP check and the Agent Client Settings but that gets messy and isn't really required if you do either of the two options above.

Re: How to limit global protect for specific android/ios users?

LukeBullimore — Mon, 18 Jun 2018 16:38:01 GMT

Hi,

a) There are two ways you could do this, limit the OS in the portal agent configs section

b) with GP gateway license you can enforce policy upon HIP objects. one HIP object is moible device model

https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/host-information/configure-hip-based-policy-enforcement

Thanks,

Luke.

Re: How to limit global protect for specific android/ios users?

Remo — Mon, 18 Jun 2018 17:53:14 GMT

@LukeBullimore wrote:
Hi,

a) There are two ways you could do this, limit the OS in the portal agent configs section

@SThatipelly

This probably is the easiest/best way. Here you could specify a usergroup, so only users of that usergroup receive the configuration for Android/iOS devices. Other users will be able to login to the portal actually but cannot connect as they will not receive the required configuration.

But if you already have an MDM, you don't really need the Gateway license. With the MDM for example you could deploy a client certificate to the specific devices and so only these devices will be able to connect. This does not require the gateway license as you would use the integrated VPN clients on the mobile devices.

Re: How to limit global protect for specific android/ios users?

SThatipelly — Mon, 18 Jun 2018 20:49:57 GMT

@BPry Thank you so much for your suggestion. We have users authentication against our RADIUS server which utilizes one-time-password. Doing this will require me to configure other auth method(preferably local) but this is not what my organisation is looking for. I am little confused at this point.

Re: How to limit global protect for specific android/ios users?

SThatipelly — Mon, 18 Jun 2018 20:51:52 GMT

@LukeBullimoreShouldn't I need a MDM to get the mobile attributes? We have a cloud based MDM server and unsure if the vendor provides HIP info.

Re: How to limit global protect for specific android/ios users?

SThatipelly — Mon, 18 Jun 2018 20:55:34 GMT

@Remo Your suggestion boils down to authenticating GP users based on client certificates? I dodnot want to make any kind of changes to exisiting windows users and add specific mobile users to exisiting gateway and portal. will this be addressed? Please correct me if I am wrong.

Thanks.

Re: How to limit global protect for specific android/ios users?

Remo — Mon, 18 Jun 2018 21:20:39 GMT

You're right this "little" detail was missing in my post. But you could solve this with a dedicated global protect gateway for the iOS/Android devices.

Re: How to limit global protect for specific android/ios users?

LukeBullimore — Tue, 19 Jun 2018 08:32:37 GMT

Hi @SThatipelly

@SThatipelly wrote:
@LukeBullimoreShouldn't I need a MDM to get the mobile attributes? We have a cloud based MDM server and unsure if the vendor provides HIP info.

No you don't. The GlobalProtect App that is run on the mobile device is capable of pulling this information - so provided you have the Gateway License you can make full use of this functionality.

https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/globalprotect/objects-globalprotect-hip-objects

Thanks,

Luke.

Re: How to limit global protect for specific android/ios users?

SThatipelly — Tue, 19 Jun 2018 12:30:33 GMT

@LukeBullimore I had gone through that document before and found this little note:

To collect mobile device attributes and utilize them in HIP enforcement policies, GlobalProtect requires an MDM server. GlobalProtect currently supports HIP integration with the AirWatch MDM server.

This is what concerning me.