How can I implement in the GlobalProtect configuration the use of client certificate and LDAP authentication as two-factor authentication only for some users (or a user group)? We had only rolled out private certificates from our PKI for some users that have access to sensitive services, and these users should use their certificate as additional authentication for the GlobalProtect portal/gateway. All other users should be able to connect without a client certificate. How can I implement this scenario?
I only found this in the GlobalProtect portal/gateway configuration, valid for all clients that connect.
Certificate authentication is global to all users. You can have either just certificate auth, just LDAP auth, or both cert and LDAP, but
you cannot have both cert only and cert plus LDAP on the same portal/gateway.
You could just use certificate authentication on the portal and then, depending on the user group, issue a different gateway: one with cert auth and one with LDAP auth.
You will need an additional license for multiple gateways.
If you only need this for access to restricted services, then just use a security policy to only allow access to those needed services.
Sure! I have security policies that only allow access to those people. But that's not the problem. The problem is that only a username/password for authentication is not safe enough for external access to the services. And I don't want to roll out hundreds of private certificates for people that do not need this for access to non-sensitive services. For this scenario it would be helpful to have the additional certificate authorization only for restricted users.
Sure, I understand.
What you are trying to configure is not possible on the same portal or gateway.
Do you have a gateway license?
Or, could you have different portals for the different users?
Actually we don't have gateway license.
And yes, I also thought about a different portal for these users, but for this I need to add a second IP address to the interface, is that right?
Yes, it would be best to add a second IP address, but you may be able to configure a new portal and gateway on a loopback address (so 2 portals on the same interface but on different ports).
I have used it, it works well, but I have never used it alongside an existing portal/gateway; it should work though.
Here is a link, but just search the web for globalprotect loopback.