topic Using Authentication Policy and GlobalProtect with AAD SAML to prompt MFA authentication for Admin access to resources in General Topics

Using Authentication Policy and GlobalProtect with AAD SAML to prompt MFA authentication for Admin access to resources

Someonesomeone — Wed, 02 Jun 2021 17:24:56 GMT

We have new requirements to require MFA for administrative access to just about everything and have to put into place in very short order.

“In addition to remote access, multi-factor authentication is required for the following, including such access provided to 3rd party service providers:

1 All internal & remote admin access to directory services (active directory, LDAP, etc.).

2 All internal & remote admin access to network backup environments.

3 All internal & remote admin access to network infrastructure (firewalls, routers, switches, etc.).

4 All internal & remote admin access to the organization’s endpoints/servers."

What I'm trying to do is described pretty well in the document linked below: try to access something, get prompted. Trying to do this with Azure AD. From what I understand, browser based applications can be done with captive portal and non browser based can be done with GlobalProtect app. Is that right? Trying to leverage our existing Azure MFA.

Configure GlobalProtect to Facilitate Multi-Factor Authenti... (paloaltonetworks.com)

Thanks,
Chris

Re: Using Authentication Policy and GlobalProtect with AAD SAML to prompt MFA authentication for Admin access to resources

S.Cantwell — Sun, 06 Jun 2021 18:01:45 GMT

Correct

Looking at this info:

If a user session matches the Authentication policy, the type of application or service determines the user experience for notifications about the authentication challenge:

(
Windows or macOS endpoints only
)
Non-browser-based applications
—To facilitate MFA notifications for non-HTTP applications (such as Perforce) on Windows or macOS endpoints, a GlobalProtect app is required. When a session matches an Authentication policy rule, the firewall sends a UDP notification to the GlobalProtect app with an embedded URL link to the Authentication Portal page. The GlobalProtect app then displays this message as a pop up notification to the user.

Re: Using Authentication Policy and GlobalProtect with AAD SAML to prompt MFA authentication for Admin access to resources

Someonesomeone — Tue, 15 Jun 2021 17:48:43 GMT

Thank you for your reply, Steve! Stood up a GlobalProtect gateway. Got MFA auth for establishing GP connection, but still trying to get challenged for authentication based on authentication policy. Initially thought http and https was captive/authentication portal, but after read reading documents and in particular the passage you mentioned it referred to the authentication portal, which I'm now trying to stand up.

Should captive/authentication portal go on internal interface? I was planning on putting Internal GP gateway and thought that was going to go on internal interface, but maybe I need loopbacks or something so there is no conflict. Looking for best practices.

When I get Captive/Authentication Portal configured, i'll use whatever IP or dns address configure there and pair it up with the instructions here: Tutorial: Azure Active Directory integration with Palo Alto Networks Captive Portal | Microsoft Docs

Hopefully I'm on the right track. Thoughts?

Thanks,

Chris