Authentication Policy for non-HTTP traffic - Remote Access users.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Authentication Policy for non-HTTP traffic - Remote Access users.

L1 Bithead

Is possible to use Authentication Policies for non-HTTP traffic (using the Global Protect client), and specifying LDAP authentication? All examples I have found are related to MFA, and I would like to know if it is possible to authenticate RA users using the Local Database, and then add an authentication policy (for specific destinations) using LDAP authentication just for testing purposes. Thanks.

3 REPLIES 3

Cyber Elite
Cyber Elite

Good Day.


There are two separate topics you are referring to, as I understood your message.  I shall break them down.

1) Is it possible to have GP users authenticate using the Local Database ?  YES. 
It does make sense that a user from the internet, can authenticate, using a authentication profile, that is tied to a local user datbased.

 

2) And then add an auth policy using LDAP authentication? YES

Now, here is where it will get a little tricky.
Authentication policies can authenticate using 2 different mechanism. 

 

a) Browser Challenge (which means that Captive Portal is configured, and the browser (layer 6 of the OSI) is requested to log at the currently logged on Windows machine, and forward that login user info.  This allow us to transparently authenticate the user, using LDAP.

 

b) Web Form (Captive Portal is configured, and a response page/splash screen) shows on the users browser window and requests that the user enter in their user/password credentials.  This Web Form can then authenticate using LDAP.

 

Those are the only two choices for an authentication policy.

 

What other questions can we answer?

Help the community: Like helpful comments and mark solutions

Hi, The reason because I was asking about this topic, is because I was trying to make this work without success. I was struggling to make this works until I have realized that it is necessary to open the port UDP 4501 (or the port we specify in Portal -> App) on the Windows device where the GP is installed. Now it is working fine after I have opened the port, and I am using my authentication policies for non-HTTP traffic, and forcing the users to authenticate to LDAP when trying to access specific resources. 

 

On the other hand, I suppose that opening the port in the client is strickly necessary and there is not another way to make this work without it, right? 

 

Thanks!

Hello again

 

As stated in the original response, there are only those 2 methods available to the solution.

 

Thank you.

Help the community: Like helpful comments and mark solutions
  • 2022 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!