https://live.paloaltonetworks.com/t5/general-topics/2-different-remote-vpn-connect-methods-on-a-single-portal-amp/m-p/248601#M70714 <P>I am trying to configure always-on with&nbsp;LDAP authentication for my internal users, meaning my users should connect to the network with their AD creds as soon as they go outside. At the same time, my contractors should use RADIUS for on-demand.</P> Sat, 02 Feb 2019 17:53:13 GMT SThatipelly 2019-02-02T17:53:13Z https://live.paloaltonetworks.com/t5/general-topics/2-different-remote-vpn-connect-methods-on-a-single-portal-amp/m-p/248458#M70658 <P>I have external contractors connecting to my GP Portal in an on-demand connection setup.</P><P>Is it possible to enable 'always-on' VPN on same portal and gateway pair alongside with on-demand?</P><P>&nbsp;</P><P>thanks.</P> Fri, 01 Feb 2019 13:43:55 GMT https://live.paloaltonetworks.com/t5/general-topics/2-different-remote-vpn-connect-methods-on-a-single-portal-amp/m-p/248458#M70658 SThatipelly 2019-02-01T13:43:55Z https://live.paloaltonetworks.com/t5/general-topics/2-different-remote-vpn-connect-methods-on-a-single-portal-amp/m-p/248494#M70667 <P>Yes it is, i have several options on the same portal, some are on demand, some are always on and others include manual gateway selections and the option to disable GP. Just do it by users or users group.</P><P>&nbsp;</P><P>at the very bottom of my list i have a default one.... this may be best to use for anybody who connects but put your configs for users and groups above the default as they will use the first that applies.</P><P>&nbsp;</P><P>post again if you require any further infi...</P> Fri, 01 Feb 2019 16:54:16 GMT https://live.paloaltonetworks.com/t5/general-topics/2-different-remote-vpn-connect-methods-on-a-single-portal-amp/m-p/248494#M70667 Mick_Ball 2019-02-01T16:54:16Z https://live.paloaltonetworks.com/t5/general-topics/2-different-remote-vpn-connect-methods-on-a-single-portal-amp/m-p/248591#M70710 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9981">@Mick_Ball</a>Thank you so much for your response.</P><P>I have a RADIUS authentication method setup for contractors today for on-demand. I can't think of having my internal users using always-on without having to go through RADIUS authentication at the same time my contractors using RADIUS.</P><P>can you please provide me any ideas how to accomplish this?</P><P>&nbsp;</P><P>thanks.</P> Sat, 02 Feb 2019 17:25:13 GMT https://live.paloaltonetworks.com/t5/general-topics/2-different-remote-vpn-connect-methods-on-a-single-portal-amp/m-p/248591#M70710 SThatipelly 2019-02-02T17:25:13Z https://live.paloaltonetworks.com/t5/general-topics/2-different-remote-vpn-connect-methods-on-a-single-portal-amp/m-p/248599#M70712 <P>Sorry&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70284">@SThatipelly</a>, i dont understand what you are asking,&nbsp;</P><P>I understand that your contractors are on demand with radius but not sure what you need for internal users.</P> Sat, 02 Feb 2019 17:32:57 GMT https://live.paloaltonetworks.com/t5/general-topics/2-different-remote-vpn-connect-methods-on-a-single-portal-amp/m-p/248599#M70712 Mick_Ball 2019-02-02T17:32:57Z https://live.paloaltonetworks.com/t5/general-topics/2-different-remote-vpn-connect-methods-on-a-single-portal-amp/m-p/248600#M70713 <P>What authentication method do your internal users have.</P> Sat, 02 Feb 2019 17:38:08 GMT https://live.paloaltonetworks.com/t5/general-topics/2-different-remote-vpn-connect-methods-on-a-single-portal-amp/m-p/248600#M70713 Mick_Ball 2019-02-02T17:38:08Z https://live.paloaltonetworks.com/t5/general-topics/2-different-remote-vpn-connect-methods-on-a-single-portal-amp/m-p/248601#M70714 <P>I am trying to configure always-on with&nbsp;LDAP authentication for my internal users, meaning my users should connect to the network with their AD creds as soon as they go outside. At the same time, my contractors should use RADIUS for on-demand.</P> Sat, 02 Feb 2019 17:53:13 GMT https://live.paloaltonetworks.com/t5/general-topics/2-different-remote-vpn-connect-methods-on-a-single-portal-amp/m-p/248601#M70714 SThatipelly 2019-02-02T17:53:13Z https://live.paloaltonetworks.com/t5/general-topics/2-different-remote-vpn-connect-methods-on-a-single-portal-amp/m-p/248603#M70716 <P>Yes you can do this but i have never tried it.</P><P>&nbsp;</P><P>you need to set up an authentication sequence.</P><P>&nbsp;</P><P>if you have more internal users than contractors put ldap first, if more contractors than internal users then radius first.</P><P>&nbsp;</P><P>then place this in the authentication section of the portal.</P><P>&nbsp;</P><P>then on the agent section... &nbsp; add a config called contractors, add each of the contractors login id. Set the app here to on demand</P><P>then add a config called default. Leave the users blank, set this app to always on, plus any other options needed.</P><P>&nbsp;</P><P>for both , set authentication overide, also allow this on the gateway. Then they can both share the same gateway also.</P><P>&nbsp;</P><P>do as much as you can, if you get stuck i will go into greater detail but get the authentication sequence working first.</P> Sat, 02 Feb 2019 18:12:09 GMT https://live.paloaltonetworks.com/t5/general-topics/2-different-remote-vpn-connect-methods-on-a-single-portal-amp/m-p/248603#M70716 Mick_Ball 2019-02-02T18:12:09Z https://live.paloaltonetworks.com/t5/general-topics/2-different-remote-vpn-connect-methods-on-a-single-portal-amp/m-p/248604#M70717 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9981">@Mick_Ball</a>Sure. But, before doing it, I justhave&nbsp; couple of final questions(As it is on production firewall, I'm trying to gather as much info as I can). My cuurent setup has RADIUS for gateway authentication. As I am doing the auth override on portal, should I be least worried about this tab on gateway?</P><P>Am I correct in assuming that keeping the current config on GAteway as is but&nbsp;adding new&nbsp;"client settings" config(Diff pool for internal users) will work?</P><P>&nbsp;</P><P>thank you so much.</P> Sat, 02 Feb 2019 18:49:32 GMT https://live.paloaltonetworks.com/t5/general-topics/2-different-remote-vpn-connect-methods-on-a-single-portal-amp/m-p/248604#M70717 SThatipelly 2019-02-02T18:49:32Z https://live.paloaltonetworks.com/t5/general-topics/2-different-remote-vpn-connect-methods-on-a-single-portal-amp/m-p/248612#M70719 <P>Im not sure what you are asking, if it helps... you can have auth overide and radius on gateway. If the user does not have auth overide cookie then it will fall back to radius.</P><P>&nbsp;</P><P>if you cannot afford to mess up your config, why not set up a loopback address and test on that.</P> Sat, 02 Feb 2019 19:56:40 GMT https://live.paloaltonetworks.com/t5/general-topics/2-different-remote-vpn-connect-methods-on-a-single-portal-amp/m-p/248612#M70719 Mick_Ball 2019-02-02T19:56:40Z https://live.paloaltonetworks.com/t5/general-topics/2-different-remote-vpn-connect-methods-on-a-single-portal-amp/m-p/248613#M70720 <P>Also... you dont have to use auth overide.</P><P>&nbsp;</P><P>if you have auth sequence in portal then just have the same auth sequence in gateway.</P><P>&nbsp;</P><P>i just prefer overide... especially for OTP.</P> Sat, 02 Feb 2019 20:07:34 GMT https://live.paloaltonetworks.com/t5/general-topics/2-different-remote-vpn-connect-methods-on-a-single-portal-amp/m-p/248613#M70720 Mick_Ball 2019-02-02T20:07:34Z https://live.paloaltonetworks.com/t5/general-topics/2-different-remote-vpn-connect-methods-on-a-single-portal-amp/m-p/248728#M70752 <P>thank you. I'll try it and keep you updated with the result.</P> Mon, 04 Feb 2019 14:26:39 GMT https://live.paloaltonetworks.com/t5/general-topics/2-different-remote-vpn-connect-methods-on-a-single-portal-amp/m-p/248728#M70752 SThatipelly 2019-02-04T14:26:39Z