Additional authentication for specific zone


Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

Not applicable

Additional authentication for specific zone

Hello everyone,

Is it possible to request an additional authentication for a specific zone with PAN-OS 5.0?

The requirement would be to have regular userauthenticated through regular ActiveDirectory/NTLM for regular zones. However for very sensitive zone, a Captive Portal would be requested with additional authentication requirements (e.g. RSA). Ideally the username would be kept (to avoid administrative overhead and to facilitate security monitoring). The session would then be open according to Captive Portal rules (e.g. for 30 minutes).

Do you think this is possible?

One way we thought it throug would be to use a virtualised context but this is still no clean solution as there would probably be some redundancies in log files and would certainly facilitate debugging as one part of the logs would be on one device, and the other part on another device.

What we are looking is really to "upgrade" user rights.

Thanks in advance!

L6 Presenter

One drawback with captive portal is that you must use a browser (well for obvious reasons =) to identify yourself even if the actual protocol being used might be different (like if you use FTP or such to access this restricted zone).

Also user-id in PA is global meaning (as I understand it) the PA device doesnt care on how it learned which user it is as long as it knows which user the srcip belongs to.

This can however be workaround if the user/pass identification is a different user in the AD compared to the user normally authenticated against the AD.

I mean regular access (which user-ids to allow) looks at AD\Users, while this enhanced security access look at AD\RestrictedUsers (where the useraccount in AD\Users is different from AD\RestrictedUsers) or for that matter from a different AD.

The problem here might be that regular access might be smartcard based where accessing your golden eggs suddently only needs a basic user/pass auth (even if the pass is OTP based like secureid or such). So in your case I guess you want first the regular access and only if this passes then add the restricted access (which use user/pass(OTP or such))?

Cant this be done in the AD itself?

Because then the PA would only have to look at the proper AD-group to grant access to the more sensitive areas.

Im thinking that a regular user first login with their smartcard or whatever. Then when they are logged in they can do a second auth to the AD using their OTP. The problem here might be that the PA currently only maps one user per ip. So as soon as the second useraccount (part of AD\RestrictedUsers) is authed the PA will no longer allow access to the regular services which checked for AD\Users. Or if this can be done at the loginpart of the workstation, if the user adds OTP info the user is identified for RestrictedUsers group otherwise it will just be identified for Users group.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!