https://live.paloaltonetworks.com/t5/general-topics/authentication-policy-use-case/m-p/345373#M86324 <P>set up an authentication policy for 'known-user' which will trigger a new authentication window only if the user is already known through app-id</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020-08-25_15-28-48.png" style="width: 848px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27498i0CA5A2C7E83F60A1/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2020-08-25_15-28-48.png" alt="2020-08-25_15-28-48.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 25 Aug 2020 13:31:27 GMT reaper 2020-08-25T13:31:27Z https://live.paloaltonetworks.com/t5/general-topics/authentication-policy-use-case/m-p/345074#M86286 <P>Here use case and wondering if this is feasible.</P><P>&nbsp;</P><P>1. User Bob is already authenticated and connected(tunnel VPN) to firewall A with GlobalProtect with his account "Bob".</P><P>2. User Bob need to access critical ressource behind the same firewall A with, however, his privilege account "Bob-Priv".&nbsp;</P><P>&nbsp;</P><P>Problem, its look like the authentication policy is never triggered because user Bob is already authenticated with account "Bob".&nbsp;&nbsp;</P><P>&nbsp;</P><P>Is there a way to achieve this ?&nbsp;</P> Sat, 22 Aug 2020 15:14:41 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-policy-use-case/m-p/345074#M86286 DLONGPRÉ 2020-08-22T15:14:41Z https://live.paloaltonetworks.com/t5/general-topics/authentication-policy-use-case/m-p/345373#M86324 <P>set up an authentication policy for 'known-user' which will trigger a new authentication window only if the user is already known through app-id</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020-08-25_15-28-48.png" style="width: 848px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27498i0CA5A2C7E83F60A1/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2020-08-25_15-28-48.png" alt="2020-08-25_15-28-48.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 25 Aug 2020 13:31:27 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-policy-use-case/m-p/345373#M86324 reaper 2020-08-25T13:31:27Z https://live.paloaltonetworks.com/t5/general-topics/authentication-policy-use-case/m-p/345403#M86328 <P>It's not working.&nbsp;</P><P>&nbsp;</P><P>The user is never triggered with the captive portal auth page. I think, this is because the firewall is already aware of Bob account that came from User ID Agent. However, I want that auth rule is triggered &nbsp;to let user login with his priviledge account.&nbsp;</P> Tue, 25 Aug 2020 15:45:52 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-policy-use-case/m-p/345403#M86328 DLONGPRÉ 2020-08-25T15:45:52Z https://live.paloaltonetworks.com/t5/general-topics/authentication-policy-use-case/m-p/345409#M86329 <P>Is the rule matching the proper source zone/subnet, destination zone/subnet etc?</P><P>Have you tried setting set 'user' field to any?</P><P>&nbsp;</P><P>If that also fails, try 'select' and set 'bob' as the user that needs to authenticate</P> Tue, 25 Aug 2020 16:13:30 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-policy-use-case/m-p/345409#M86329 reaper 2020-08-25T16:13:30Z https://live.paloaltonetworks.com/t5/general-topics/authentication-policy-use-case/m-p/345850#M86400 <P>Okay, Captive Portal was not triggered because the destination was HTTPS, and SSL decryption is required for Captive Portal to "redirect" HTTPS traffic.&nbsp;</P><P>&nbsp;</P><P>Also, notice that UserID database is always updated with latest user account logged. &nbsp;That could cause problem in "big" environment where multiple accounts (normal, priviledge ..) are required to touch specific ressources. &nbsp;I think that dedicated firewall(s) or VSYS isolated from the "normal USERID Database" could be a solution to front specific secure environment, like critical database, PCI... etc. &nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 28 Aug 2020 13:27:15 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-policy-use-case/m-p/345850#M86400 DLONGPRÉ 2020-08-28T13:27:15Z https://live.paloaltonetworks.com/t5/general-topics/authentication-policy-use-case/m-p/345896#M86411 <P>Hello,</P> <P>Just allow user Bob and then he must authenticate with Bob-Priv. Unless the resource is does not have an authentication method available?</P> <P>&nbsp;</P> <P>Regards,</P> Fri, 28 Aug 2020 20:49:32 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-policy-use-case/m-p/345896#M86411 OtakarKlier 2020-08-28T20:49:32Z