01-08-2018 03:08 PM
Migrating a Cisco fw to a Palo Alto and the Cisco has the ability to authenticate users to external Radius for FTP transfers based upon policy rules - the end user simply gets a user name and pass prompt which works across all platforms and can be scripted for automation.
I know the Palo Alto has the ability to auth requests that are web based with Captive Portal in conjunction with Global Protect Client installed on the end users device, but this requires an install of the GP Client and user response. Given the high number of users and the various ways they have implemented FTP i.e. mix of remote servers running scripts 24 x 7 along with different system OS's etc.. utilizing the GP Client is not an option.
Is there a way to authenticate services other than Web such as Telnet and FTP without using the GP Client?
I've tried to configure authentication for FTP utilizing an auththentication policy and local user - but it seem the PA FW sends a udp packet to the source on port 4501 which I'm assuming is to determine if the GP client is present.
Was wondering if anyone has found a solultion or has any feedback.
Thanks!
01-09-2018 12:08 AM
Hi @Juan_R
GlobalProtect is not required for captive portal to work, it works as a standalone User Identification method. (it's not really 'authentication' as a single logon will simply register a user-ip mapping which can then be used in security policies for any application)
There is no mechanism to directly inject authentication for FTP, as we don't do that for any application (CP authenticates the user and http is simply a convenient transport method, but after having logged on)
The emphasis is User Identification (and grant access based on username or group membership), rather than authentication: Getting Started: User-ID
If you rely on scripts, you could leverage the API to either script a User-ID mapping or populate a dynamic address group
hope this helps
10-02-2018 01:27 PM
Juan,
As you stated there is a way you can create an Authentication Policy and list a destination of Any for port 21 service aka FTP. This is supposed to prompt the GlobalProtect client over udp 4501 like you mentioned. The only way you can do the prompt without the GP client is to be using an HTTP or HTTPS website capable of doing a transparent or redirect to the captive portal.
I did beta testing of this on 8.0.0 with GlobalProtect for drive mappings or RDP and just a Captive Portal for a web site. It was successful.
I however am trying to set this up for access restrictions to our datacenter by VPN users to a particular server before they can map a drive to that server. I am unsuccessful at this point and have a ticket open with TAC. In fact, now RADIUS has broken to Okta so I'm fixing that first. What I do see is that there is a UDP packet sourced from the protected resource and the GlobalProtect client is not picking up the packets.
If you decide to implement this and have success please post a comment! FYI you will need at least 8.0.13 or 8.1.3 due to a TLS 1.2 requirement bug in the firewall if using Okta MFA.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
