https://live.paloaltonetworks.com/t5/general-topics/force-authentication-policy-mfa-for-known-users-user-id-agent/m-p/385246#M90120 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/30703">@Sly_Cooper</a>,</P> <P>Can you post how you've actually configured the authentication rulebase entry? Sounds like it's simply been configured in a way to alert on unknown users, which would be standard from an authentication policy standpoint but not what you want in this case.&nbsp;</P> Wed, 10 Feb 2021 22:29:50 GMT BPry 2021-02-10T22:29:50Z https://live.paloaltonetworks.com/t5/general-topics/force-authentication-policy-mfa-for-known-users-user-id-agent/m-p/385180#M90109 <P>Hi,</P><P>&nbsp;</P><P>I had configured Authentication policy for one of the environments and everything worked fine as expected. While replicating similar setup for a different environment, the Authentication policy was not working. After some troubleshooting, I observed that if the firewall has user to ip mapping generated via user-id agents (type UIA), it does not trigger Authentication policy (MFA, Type SSO). I confirmed the theory by doing multiple test with and without user-id agent config. How can I enforce Authentication Policy for already known user? I do not to remove the user-id agent config for the vsys as this environment is just a subset of the environments covered (same zone). I want users to perform MFA before accessing certain resources and not provide access based on user-id mapping (active directory logs).</P><P>&nbsp;</P><P>I am running PAN-OS 9.0.x. Thanks in advance.</P> Wed, 10 Feb 2021 19:59:43 GMT https://live.paloaltonetworks.com/t5/general-topics/force-authentication-policy-mfa-for-known-users-user-id-agent/m-p/385180#M90109 Sly_Cooper 2021-02-10T19:59:43Z https://live.paloaltonetworks.com/t5/general-topics/force-authentication-policy-mfa-for-known-users-user-id-agent/m-p/385246#M90120 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/30703">@Sly_Cooper</a>,</P> <P>Can you post how you've actually configured the authentication rulebase entry? Sounds like it's simply been configured in a way to alert on unknown users, which would be standard from an authentication policy standpoint but not what you want in this case.&nbsp;</P> Wed, 10 Feb 2021 22:29:50 GMT https://live.paloaltonetworks.com/t5/general-topics/force-authentication-policy-mfa-for-known-users-user-id-agent/m-p/385246#M90120 BPry 2021-02-10T22:29:50Z https://live.paloaltonetworks.com/t5/general-topics/force-authentication-policy-mfa-for-known-users-user-id-agent/m-p/385426#M90143 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a></P><P>- Okta SAML profile (Imported)</P><P>- Authentication profile using the Okta SAML profile</P><P>- Captive portal using Okta SAML profile (redirect mode)</P><P>- Authentication policy, trust -&gt; untrust -&gt; http, https, tcp/3389 services -&gt; default-web-form</P><P>- Security policy allowing required traffic</P><P>&nbsp;</P><P>I also tried using a custom authentication object by cloning default-web-form and configured it to use Okta SAML authentication profile, and using it in the authentication policy.</P><P>&nbsp;</P><P>The issue is not with the authentication policy. If I remove user-id agents from the vsys, the firewall does not have user to ip mapping and the authentication works as expected. The authentication is not triggered when the user is already known via user-id agents. It does not trigger network MFA. I hope this explanation helps.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 11 Feb 2021 15:36:55 GMT https://live.paloaltonetworks.com/t5/general-topics/force-authentication-policy-mfa-for-known-users-user-id-agent/m-p/385426#M90143 Sly_Cooper 2021-02-11T15:36:55Z