01-28-2022 08:38 AM
Is possible to use Authentication Policies for non-HTTP traffic (using the Global Protect client), and specifying LDAP authentication? All examples I have found are related to MFA, and I would like to know if it is possible to authenticate RA users using the Local Database, and then add an authentication policy (for specific destinations) using LDAP authentication just for testing purposes. Thanks.
01-29-2022 09:33 AM
There are two separate topics you are referring to, as I understood your message. I shall break them down.
1) Is it possible to have GP users authenticate using the Local Database? YES.
It does make sense that a user from the internet can authenticate using an authentication profile that is tied to a local user database.
2) And then add an auth policy using LDAP authentication? YES
Now, here is where it will get a little tricky.
Authentication policies can authenticate using 2 different mechanisms.
a) Browser Challenge (which means that Captive Portal is configured, and the browser (layer 6 of the OSI) is requested to log in as the currently logged-on Windows user and forward that login user info). This allows us to transparently authenticate the user using LDAP.
b) Web Form (Captive Portal is configured, and a response page/splash screen shows in the user's browser window and requests that the user enter their user/password credentials). This Web Form can then authenticate using LDAP.
Those are the only two choices for an authentication policy.
What other questions can we answer?
01-30-2022 12:56 PM - edited 01-30-2022 12:57 PM
Hi, the reason I was asking about this topic is that I was trying to make this work without success. I was struggling to make this work until I realized that it is necessary to open the port UDP 4501 (or the port we specify in Portal -> App) on the Windows device where the GP is installed. Now it is working fine after I opened the port, and I am using my authentication policies for non-HTTP traffic, forcing the users to authenticate to LDAP when trying to access specific resources.
On the other hand, I suppose that opening the port on the client is strictly necessary and there is no other way to make this work without it, right?
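The port the poster above mentions has to be reachable on each Windows endpoint, and a practitioner will want that opening scoped rather than wide open. The following PowerShell is an added example, not code from the thread or from Palo Alto Networks: it checks for an existing inbound allow rule for that UDP port and, if none exists, creates one restricted to the GlobalProtect service binary and the gateway address. The install path `PanGPS.exe`, the gateway address and the rule name are assumptions chosen here for illustration and are not stated in the thread; adjust them to your deployment.

```powershell
# Added example (not from the thread): inspect and, if needed, create a Windows Defender Firewall
# rule allowing the inbound UDP traffic the GlobalProtect client needs so that the firewall's
# authentication-policy notification reaches the client for non-HTTP traffic.
# Assumptions (not stated in the thread): the GP service path below and the gateway address,
# which is an RFC 5737 documentation placeholder. Run in an elevated PowerShell session.

$Port      = 4501                                                         # UDP port from the thread (Portal -> App setting)
$GpService = 'C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe' # assumed default GP service path
$GatewayIp = '203.0.113.10'                                               # placeholder: your GP gateway address
$RuleName  = 'GlobalProtect auth-policy notification (UDP in)'            # assumed rule name

# 1. Look for rules that already permit this port inbound, so duplicates are not stacked up.
$existing = Get-NetFirewallPortFilter -Protocol UDP |
    Where-Object { @($_.LocalPort) -contains "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

if ($existing) {
    "Existing inbound allow rule(s) for UDP/${Port}:"
    $existing | Select-Object DisplayName, Enabled, Profile | Format-Table -AutoSize
} else {
    "No inbound allow rule for UDP/${Port} found; creating a scoped one."
    # 2. Scope the rule tightly: only the GP service binary, only from the gateway address.
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow -Protocol UDP -LocalPort $Port `
        -Program $GpService -RemoteAddress $GatewayIp `
        -Profile Domain,Private,Public `
        -Description 'Allows the GlobalProtect gateway to notify the client of authentication-policy challenges.' |
        Out-Null
}

# 3. Verify the effective rule and show the filters an auditor would want to see.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    ForEach-Object {
        $_ | Get-NetFirewallPortFilter        | Select-Object Protocol, LocalPort
        $_ | Get-NetFirewallAddressFilter     | Select-Object RemoteAddress
        $_ | Get-NetFirewallApplicationFilter | Select-Object Program
    }
```

Scoping the rule to the service binary and the gateway address keeps the opening from becoming a general listener exposure on the endpoint; in a managed fleet the same rule is normally pushed through Group Policy or the GP client's own installer rather than typed per machine.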
01-31-2022 12:53 PM
As stated in the original response, there are only those 2 methods available to the solution.