Global Protect with RSA SecurID and Group Mapping for Security Policy


L3 Networker

I have set up GlobalProtect with RSA SecurID authentication. I would like to use the Active Directory groups of these users in my security policy to then allow or deny access to resources based upon their membership.

I have configured the group mapping settings and the firewall is pulling in the AD groups. However, the policies I have created are not being matched. It appears that, since the authentication is via RSA, the firewall is not associating the user with the AD groups it is pulling via the group mapping, because the user is not associated with the domain.

I found this related article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQdCAK but it only seems to work for the initial authentication, not for actual security policy access post authentication.

Is there a way to get this working, or is there a better method for restricting resource access based upon group membership when authenticating via RADIUS to RSA SecurID?

Accepted Solution

L7 Applicator

I have not needed to try this, but could you not just add the domain name to the authentication profile and then change the username modifier to "%USERDOMAIN%\%USERINPUT%"?

The firewall will then see user fred smith as domain\fred smith.

The only additional requirement may be to tell the RADIUS server to ignore or accept any domain.

6 REPLIES


L1 Bithead

I recently utilised RSA to authenticate GlobalProtect users. I leveraged ISE/RADIUS to do this and found it fairly straightforward, with the RADIUS server sending back group mappings to the Palos in the Access-Accept. These group mappings sent from the RADIUS server have to match the group mapping configured for the GlobalProtect profile.

My struggle was more related to getting the out-of-sync and new PIN messages to present, but this came down to issues between ISE and the PAs.


Thanks for the reply. Did you then use the groups returned in your security policies? Or did you have multiple portals/gateways handing out different IP address ranges authenticating different user groups? Or did you simply allow/deny access based upon group membership?

So I did use the groups in security policies, but that is more a component of User-ID rather than the setup for the VPN access. My deployment utilises a single portal and gateway but has multiple agent configurations that are mapped to the returned groups. In this way I am able to provide different split tunnel settings, agent settings and so forth.

Thanks again for your reply.

Can you help me better understand what you mean by it being more a component of User-ID?

I understand the concept of mapping users to different agent configurations based upon groups, but I don't know how to use the groups of an authenticated RSA user for this purpose, because RSA doesn't appear to return all of the user's groups. This seems pretty straightforward using straight AD, or using local groups in the FW. But I am not sure how to do it when authenticating against RSA.

So, in your configuration, in which identity source are the groups configured? If AD, could you help me understand how you configured this? If somewhere else, can you explain how you configured the groups and got it all working?

Thanks!


@Mick_Ball wrote:

I have not needed to try this, but could you not just add the domain name to the authentication profile and then change the username modifier to "%USERDOMAIN%\%USERINPUT%"?

The firewall will then see user fred smith as domain\fred smith.

The only additional requirement may be to tell the RADIUS server to ignore or accept any domain.


For some reason I didn't actually try this at first because you seemed to be speculating about the solution, but it was indeed the correct answer.

After adding the domain prepend, the group mapping function started working and I am now able to use AD groups for RSA authenticated users in my security policy!

No changes to RSA RADIUS server needed.

Thanks!
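The fix confirmed above, modelled as an added example that is not part of the thread and not Palo Alto Networks' code: a small Python simulation of why a group-mapping lookup fails for the bare username a RADIUS server authenticates, and why it succeeds once the authentication profile's username modifier prepends the domain. The group table, the policy table, the domain name "corp", case-insensitive matching and the plain token-substitution semantics of the modifier are all constructed assumptions for illustration.

```python
# Added example (not from the thread): model why User-ID group matching fails
# for a RADIUS-authenticated bare username and how the authentication
# profile's "%USERDOMAIN%\%USERINPUT%" modifier fixes it.
# Assumptions: group mapping stores members as DOMAIN\username, matching is
# case-insensitive, and the modifier is plain token substitution.

# Constructed group-mapping table as pulled from AD (not real data).
GROUP_MAPPING = {
    "corp\\gp-finance": {"corp\\fred.smith", "corp\\jane.doe"},
    "corp\\gp-engineering": {"corp\\bob.lee"},
}

# Constructed security policy: destination -> group allowed to reach it.
POLICY = {
    "finance-erp": "corp\\gp-finance",
    "build-servers": "corp\\gp-engineering",
}


def apply_username_modifier(user_input: str, user_domain: str, modifier: str) -> str:
    """Expand the two tokens the authentication profile supports.

    "%USERINPUT%" alone passes the typed name through unchanged; the fix from
    the thread uses "%USERDOMAIN%\\%USERINPUT%" to produce domain\\user.
    """
    name = modifier.replace("%USERDOMAIN%", user_domain)
    name = name.replace("%USERINPUT%", user_input)
    return name.lower()  # assumed: directory names compare case-insensitively


def groups_for_user(username: str) -> set[str]:
    """Return every group whose member set contains this exact key."""
    key = username.lower()
    return {group for group, members in GROUP_MAPPING.items() if key in members}


def policy_allows(username: str, destination: str) -> bool:
    """Allow only if the user resolves to the group the rule requires.

    A user with no group matches (the pre-fix situation) falls through to deny,
    which is exactly the "policies are not being matched" symptom.
    """
    required = POLICY.get(destination)
    return required is not None and required in groups_for_user(username)


def evaluate(user_input: str, modifier: str, destination: str) -> tuple[str, bool]:
    """Apply the modifier for domain "corp", then evaluate the rule.

    Returns (effective username as the firewall would see it, allowed).
    """
    effective = apply_username_modifier(user_input, "corp", modifier)
    return effective, policy_allows(effective, destination)


if __name__ == "__main__":
    # Before the fix: RADIUS hands back the bare name the user typed.
    print(evaluate("fred.smith", "%USERINPUT%", "finance-erp"))
    # -> ('fred.smith', False): no group-mapping key matches, rule never hits.

    # After the fix: domain prepended, key now matches the AD group member.
    print(evaluate("fred.smith", "%USERDOMAIN%\\%USERINPUT%", "finance-erp"))
    # -> ('corp\\fred.smith', True)

    # Group membership still gates access once the names line up.
    print(evaluate("fred.smith", "%USERDOMAIN%\\%USERINPUT%", "build-servers"))
    # -> ('corp\\fred.smith', False)
```

The point the model makes is that nothing about the RADIUS exchange changes: the RSA server keeps authenticating the bare username, and only the key the firewall uses for its group-mapping lookup changes, which is why the thread's fix needed no change on the RADIUS side.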
