
Authenticate non web services such as Telnet/FTP without Global Client


L0 Member

Migrating a Cisco fw to a Palo Alto and the Cisco has the ability to authenticate users to external Radius  for FTP transfers based upon policy rules - the end user simply gets a user name and pass prompt which works across all platforms and can be scripted for automation.

 

I know the Palo Alto has the ability to auth requests that are web based with Captive Portal in conjunction with the GlobalProtect Client installed on the end user's device, but this requires an install of the GP Client and a user response. Given the high number of users and the various ways they have implemented FTP, i.e. a mix of remote servers running scripts 24 x 7 along with different system OSes etc., utilizing the GP Client is not an option.

 

Is there a way to authenticate services other than Web such as Telnet and FTP without using the GP Client?

 

I've tried to configure authentication for FTP utilizing an authentication policy and a local user, but it seems the PA FW sends a UDP packet to the source on port 4501, which I'm assuming is to determine if the GP client is present.

 

Was wondering if anyone has found a solution or has any feedback.

 

Thanks!

 

2 REPLIES

Cyber Elite

Hi @Juan_R

 

GlobalProtect is not required for captive portal to work; it works as a standalone User Identification method. (It's not really 'authentication': a single logon simply registers a user-IP mapping, which can then be used in security policies for any application.)

 

There is no mechanism to directly inject authentication for FTP, as we don't do that for any application (CP authenticates the user, and HTTP is simply a convenient transport method, but only after having logged on).

 

The emphasis is User Identification (and grant access based on username or group membership), rather than authentication: Getting Started: User-ID

 

If you rely on scripts, you could leverage the API to either script a User-ID mapping or populate a dynamic address group.

 

 

Hope this helps.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
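The two API routes the reply mentions, scripting a User-ID mapping and tagging an address into a dynamic address group, both go through the PAN-OS XML API's `type=user-id` endpoint with a `uid-message` payload. The following is an added example, not code from the thread's author or from Palo Alto Networks, showing how a script on the FTP source host (or a central job runner) could build and send those messages. The firewall hostname, API key, username, IP and tag name are constructed placeholders; the API key is assumed to have been generated separately with `type=keygen`.

```python
"""Build and send PAN-OS User-ID XML API messages: a <login> user-IP mapping and a
<register> tag that populates a Dynamic Address Group (added example, not the
poster's or Palo Alto's code). Assumes a firewall reachable at FW_HOST and an
API key already generated with type=keygen; all values below are placeholders."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

FW_HOST = "fw.example.invalid"      # constructed placeholder, not a real host
API_KEY = "REPLACE-WITH-API-KEY"    # placeholder; obtain via ?type=keygen


def _base_message():
    """Common wrapper every uid-message carries: version, type and payload."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    return root, ET.SubElement(root, "payload")


def build_login_message(user, ip, timeout_minutes=60):
    """Map `user` to `ip` for `timeout_minutes`; the mapping expires on its own,
    which keeps a stale script host from inheriting a user's access forever."""
    root, payload = _base_message()
    login = ET.SubElement(payload, "login")
    ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
    return ET.tostring(root, encoding="unicode")


def build_register_message(ip, tags):
    """Register `ip` with `tags`; any Dynamic Address Group whose match
    criteria reference those tags picks the address up without a commit."""
    root, payload = _base_message()
    register = ET.SubElement(payload, "register")
    entry = ET.SubElement(register, "entry", ip=ip)
    tag_el = ET.SubElement(entry, "tag")
    for t in tags:
        ET.SubElement(tag_el, "member").text = t
    return ET.tostring(root, encoding="unicode")


def parse_entries(xml_text):
    """Return (kind, attributes) for every entry in a uid-message; used to
    sanity-check what a script is about to push before it reaches the firewall."""
    root = ET.fromstring(xml_text)
    found = []
    for kind in ("login", "logout", "register", "unregister"):
        for section in root.iter(kind):
            for e in section.findall("entry"):
                found.append((kind, dict(e.attrib)))
    return found


def send_uid_message(xml_text, host=FW_HOST, key=API_KEY, verify_tls=True):
    """POST the message to https://<host>/api/ with type=user-id and return the
    raw XML response. This is the only network call; it is not run offline."""
    form = {"type": "user-id", "key": key, "cmd": xml_text}
    data = urllib.parse.urlencode(form).encode()
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab firewall still on its self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{host}/api/", data=data)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Constructed sample: a service account on an FTP batch host, 30-minute mapping.
    login_xml = build_login_message("acme\\ftpsvc", "10.0.0.25", timeout_minutes=30)
    print(login_xml)
    print(parse_entries(login_xml))
    # Alternative route from the reply: tag the host into a DAG used by the FTP rule.
    print(build_register_message("10.0.0.25", ["ftp-batch-hosts"]))
```

Either message makes the firewall trust a user-to-IP (or tag-to-IP) association that the script asserts, so the host running the script is effectively an authentication source: restrict the API key to a User-ID-only admin role, keep the `timeout` short, and avoid mapping an IP that sits behind NAT or is shared by several users, since every flow from that address will then match the rule.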

L4 Transporter

@Juan_R @reaper

Juan,

As you stated, there is a way you can create an Authentication Policy and list a destination of Any for the port 21 service, aka FTP. This is supposed to prompt the GlobalProtect client over UDP 4501 like you mentioned. The only way you can do the prompt without the GP client is to be using an HTTP or HTTPS website capable of doing a transparent or redirect to the captive portal.

 

I did beta testing of this on 8.0.0 with GlobalProtect for drive mappings or RDP and just a Captive Portal for a web site. It was successful.

I, however, am trying to set this up for access restrictions to our datacenter by VPN users to a particular server before they can map a drive to that server. I am unsuccessful at this point and have a ticket open with TAC. In fact, now RADIUS has broken to Okta, so I'm fixing that first. What I do see is that there is a UDP packet sourced from the protected resource and the GlobalProtect client is not picking up the packets.

 

If you decide to implement this and have success please post a comment! FYI you will need at least 8.0.13 or 8.1.3 due to a TLS 1.2 requirement bug in the firewall if using Okta MFA.

  • 2332 Views
  • 2 replies
  • 0 Likes