VPN SSL - Verification of a login belonging to an AD group


L1 Bithead

Hi support,

I have a question regarding the authentication of users through the VPN SSL.

Here is the situation:

Login of the SSL VPN user: AdminLogin
Password of the SSL VPN user: AdminPass
SSL VPN name: AdminSSLVPN
Authentication Profile associated with AdminSSLVPN: AdminAuthProfil

AdminAuthProfil authentication method: Radius server
AdminAuthProfil allow list: DOMAIN\admin (it's an AD group obtained by the User-ID agent). AdminLogin is a member of the DOMAIN\admin group.


When the login is submitted to the PAN, I would like to know how the verification that AdminLogin belongs to the DOMAIN\admin group is done. When a user is usually presented to the AD, the form of the login is the following: "DOMAIN\login". As the form of the login is not the same in the AD and when a user logs on to the SSL VPN, how does it work?


When AdminLogin connects to the SSL VPN, the PAN will check for the presence of AdminLogin in the group DOMAIN\admin. Or will it fail because the login is not presented in the AD form (DOMAIN\AdminLogin)?


Thank you in advance.

Best regards

7 REPLIES

L3 Networker

If your RADIUS profile has the domain field correctly configured with the domain name, then the PA firewall will prepend the DOMAIN\ portion of the login when doing the RADIUS authentication process.

Hi,

My question was not concerning the stage of the authentication with the RADIUS but the stage after (authorisation).

Let's take the preceding example to explain our question.

From our understanding of the PAN when a user wants to connect to the SSL VPN there are several steps:

  • The user connects to the URL of the VPN SSL
  • Submits his login and password
  • The RADIUS server is first solicited for the authentication stage. The login and password are submitted from the PAN to the RADIUS server. The RADIUS server then checks if the password matches for the login. Then, if everything is OK, the client is authenticated.
  • After that, there is the stage of authorisation. The allow list which is associated to the VPN SSL (the user is connected on) is checked. The PAN verifies if the login belongs to a group which is specified in the allow list. This then permits mounting the SSL VPN for that user.

Regarding that, the authentication profile (AdminAuthProfil) for the SSL VPN is configured like this:

  • Authentication method: RADIUS
  • Allow list: AD Groups taken from the User-ID agent. In the allow list we have DOMAIN\admin.

The question is (still regarding our example):

When the user connects to the SSL VPN, the login that was submitted was AdminLogin and not DOMAIN\AdminLogin.

So when it's the turn of the authorisation stage, when AdminLogin connects to the SSL VPN, the PAN will check for the presence of AdminLogin in the group DOMAIN\admin regarding the "allow list". Or will it fail because the login is not presented in the AD form (DOMAIN\AdminLogin)?

Thank you in advance.

Best regards,


You need to be running Pan Agent to retrieve the user/group mappings from your AD environment.

The login will not fail. The system will use the domain string stored with the auth profile to infer the user's domain (assuming they have not entered a fully qualified username). This will then map to the groups retrieved from the User Identification Agent and be matched in either the allow list in an auth profile or in security rules based on group.

Mike

Message was edited by: mike EDIT: fixed a missing "not" in the comment about fully qualified username.

Ok mike.

So if I reformulate your answer:

If in my allow list, I have the following group: NOVIDYS\tech. And in the AD, Bob belongs to NOVIDYS.

When Bob wants to connect to the SSL VPN he only submits "Bob". Then the PAN appends NOVIDYS to Bob ("NOVIDYS\Bob") and checks if he belongs to NOVIDYS\tech (which is in the allow list) regarding the information the Pan-agent gave to the PAN.

Best regards,

That's correct.

Mike
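The two stages agreed on above, as an added example that is not part of this thread and not Palo Alto Networks code: a small model of RADIUS authentication followed by the allow-list check against User-ID group membership, with the auth profile's domain string prepended to a bare login. The users, passwords, domain and group table are constructed sample data; the real firewall obtains them from the RADIUS server and the User-ID agent.

```python
# Constructed stand-in for the RADIUS server's credential store (keys are
# the DOMAIN\user form the firewall sends when a domain is configured).
RADIUS_USERS = {
    "novidys\\bob": "bobs-password",
    "novidys\\alice": "alices-password",
}

# Constructed stand-in for the group mapping the User-ID agent gives the firewall.
USERID_GROUPS = {
    "novidys\\tech": {"novidys\\bob"},
    "novidys\\admin": {"novidys\\alice"},
}


def qualify_username(login, profile_domain):
    """Return the DOMAIN\\user form used for both stages.

    A login that is already fully qualified (DOMAIN\\user) is kept; a bare
    login gets the auth profile's domain string prepended. Comparison is
    case-insensitive, as AD names are.
    """
    if "\\" in login:
        return login.lower()
    return f"{profile_domain}\\{login}".lower()


def radius_authenticate(qualified, password):
    """Stage 1: does the password match for this login (constructed check)."""
    return RADIUS_USERS.get(qualified) == password


def authorize(qualified, allow_list):
    """Stage 2: membership of any allow-list group, via the User-ID mapping.

    Returns (ok, reason). A group the agent never retrieved can match nobody,
    which is the "you need to be running Pan Agent" failure mode.
    """
    for group in allow_list:
        members = USERID_GROUPS.get(group.lower())
        if members is None:
            continue  # group unknown to User-ID: cannot match
        if qualified in members:
            return True, f"{qualified} is in {group}"
    return False, f"{qualified} is in none of {allow_list}"


def ssl_vpn_login(login, password, profile_domain, allow_list):
    """Full SSL VPN login decision: authenticate, then authorize."""
    qualified = qualify_username(login, profile_domain)
    if not radius_authenticate(qualified, password):
        return False, "authentication failed"
    return authorize(qualified, allow_list)
```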

L0 Member

But how can one verify which of the groups (from the firewall's point of view) the user being logged in belongs to?

Is there a CLI command like "show which group the user belongs to"?
