<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Test vlan network for rsa secureid in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/test-vlan-network-for-rsa-secureid/m-p/253131#M71926</link>
    <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;I have a project where I need to have a test VLAN in my pan820 that will integrate with Secureid authentication manager 8.4. My plan is to have this test VLAN separate from the inside network, and also from GlobalProtect. We will be putting PCs in this test network where, when they log in, it will trigger the MFA authentication. So what would be the needed process to get this working? I know I need to create a new test zone to tie it to the int, put an IP in it, and then the part I'm not clear on is how to get it to trigger the MFA auth.&lt;/P&gt;&lt;P&gt;Any ideas or pointers would be great, thanks in advance.&lt;/P&gt;</description>
    <pubDate>Mon, 11 Mar 2019 21:06:23 GMT</pubDate>
    <dc:creator>cdcirexx</dc:creator>
    <dc:date>2019-03-11T21:06:23Z</dc:date>
    <item>
      <title>Test vlan network for rsa secureid</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/test-vlan-network-for-rsa-secureid/m-p/253131#M71926</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;I have a project where I need to have a test VLAN in my pan820 that will integrate with Secureid authentication manager 8.4. My plan is to have this test VLAN separate from the inside network, and also from GlobalProtect. We will be putting PCs in this test network where, when they log in, it will trigger the MFA authentication. So what would be the needed process to get this working? I know I need to create a new test zone to tie it to the int, put an IP in it, and then the part I'm not clear on is how to get it to trigger the MFA auth.&lt;/P&gt;&lt;P&gt;Any ideas or pointers would be great, thanks in advance.&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 21:06:23 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/test-vlan-network-for-rsa-secureid/m-p/253131#M71926</guid>
      <dc:creator>cdcirexx</dc:creator>
      <dc:date>2019-03-11T21:06:23Z</dc:date>
    </item>
    <item>
      <title>Re: Test vlan network for rsa secureid</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/test-vlan-network-for-rsa-secureid/m-p/253919#M72084</link>
      <description>&lt;P&gt;Are you looking to implement this like .1x (PNAC)?&lt;/P&gt;
&lt;P&gt;If that's the case, that won't be possible (802.1x is not supported).&lt;/P&gt;
&lt;P&gt;You could look into enabling captive portal and blocking all access for unknown users, forcing new visitors to open a web page first that redirects to a captive portal and requires authentication before access is granted.&lt;/P&gt;</description>
      <pubDate>Fri, 15 Mar 2019 13:00:29 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/test-vlan-network-for-rsa-secureid/m-p/253919#M72084</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2019-03-15T13:00:29Z</dc:date>
    </item>
    <item>
      <title>Re: Test vlan network for rsa secureid</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/test-vlan-network-for-rsa-secureid/m-p/253960#M72106</link>
      <description>&lt;P&gt;Hi Reaper, thanks for the reply. I looked up 802.1x PNAC; it's similar, but there's no guest access, it's all domain users that need to get MFA from the inside VLAN that will use RADIUS. Could I use captive portal along with RADIUS for that inside VLAN to authenticate domain users? Basically, upper management wanted to see how these tokens work from an inside perspective before fully implementing.&lt;/P&gt;</description>
      <pubDate>Fri, 15 Mar 2019 18:21:59 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/test-vlan-network-for-rsa-secureid/m-p/253960#M72106</guid>
      <dc:creator>cdcirexx</dc:creator>
      <dc:date>2019-03-15T18:21:59Z</dc:date>
    </item>
    <item>
      <title>Re: Test vlan network for rsa secureid</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/test-vlan-network-for-rsa-secureid/m-p/253982#M72114</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/23401"&gt;@cdcirexx&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;Generally speaking, the SecureID tokens aren't meant for securing &lt;EM&gt;network&lt;/EM&gt; access; like, to the point I've installed probably hundreds of installations and &lt;EM&gt;never&lt;/EM&gt; had this come up. If your users are already logging into the domain, why would you add yet another layer to that? The MFA part comes in when they log in to their desktop/laptop.&lt;/P&gt;&lt;P&gt;If you are looking to implement something like this, I would do the following.&lt;/P&gt;&lt;P&gt;1) All of your security profiles should be configured for the zone with the source-user of 'known-user'. This means that as long as the user-id mapping is present, the user will hit this policy. You can either read your domain controller logs as the user-id source or the RSA Radius server logs as a source, or even both.&lt;/P&gt;&lt;P&gt;2) An Authentication policy should be configured to catch any unknown users and direct them to a Captive Portal. You can use the built-in RSA Radius server as an auth source for the Captive Portal so the user is forced to enter their token if they don't have a current user-id mapping (or if the mapping ages out, for example).&lt;/P&gt;</description>
      <pubDate>Fri, 15 Mar 2019 20:49:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/test-vlan-network-for-rsa-secureid/m-p/253982#M72114</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2019-03-15T20:49:26Z</dc:date>
    </item>
    <item>
      <title>Re: Test vlan network for rsa secureid</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/test-vlan-network-for-rsa-secureid/m-p/253998#M72117</link>
      <description>&lt;P&gt;Thanks BPry for the reply,&lt;/P&gt;&lt;P&gt;Yeah, I've told management about the domain part already being secured, but this came up in our meetings because we're going through cyber security compliance right now and they're worried about an audit that will come up about how we protect users' identity inside of our network. So the idea of having an inside MFA came up. We will not use the token inside; we may use the secureid app, or even a thumbprint reader.&lt;/P&gt;&lt;P&gt;So for the user-id mapping, I have that enabled under our inside zone, and I already have a RADIUS server profile set up. I had our tokens fully set up for GlobalProtect when I started the RSA trial.&lt;/P&gt;&lt;P&gt;I went through this article when I set up our RADIUS server; that looks like step 6 on your 2nd explanation, so I can set up a new production group that will trigger as unknown and will be redirected to the captive portal, which points to the RSA auth manager server, then these domain users would go through the MFA process.&lt;/P&gt;&lt;P&gt;&lt;A href="https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/user-id/enable-user-id#" target="_blank" rel="noopener"&gt;https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/user-id/enable-user-id#&lt;/A&gt;&lt;/P&gt;&lt;P&gt;I'll give this a try and we'll see how it works.&lt;/P&gt;&lt;P&gt;Thanks again.&lt;/P&gt;</description>
      <pubDate>Fri, 15 Mar 2019 22:35:35 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/test-vlan-network-for-rsa-secureid/m-p/253998#M72117</guid>
      <dc:creator>cdcirexx</dc:creator>
      <dc:date>2019-03-15T22:35:35Z</dc:date>
    </item>
  </channel>
</rss>

