Best method to permit SAML auth and Radius for Globalprotect at the same time?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Best method to permit SAML auth and Radius for Globalprotect at the same time?

L1 Bithead

Greetings all, I hope you can help me. 

I currently have Globalprotect set up on a single firewall - both portal and gateway.  We're using Radius for authentication, it is working well. 


We want to transition to SAML.  For testing purposes, we'd like to have SAML configured for a specific test user (or group), while leaving the current authentication scheme in place. 


Reordering "Client authentication" does not do it - if I put "SAML-GP" in the first position, SAML works, but no one else can authenticate.  I'm not sure I understand why client authentication order can be changed, but that's the behavior I'm getting. 

 

mannix_0-1715099765068.png

 

I'd RATHER not re-ip everything.  I'm thinking that a separate portal with different public IP is the answer; do I have to add a second gateway, too?  

 

I don't THINK I do, if I simply specify the current gateway in the portal config. 

 

Thoughts?  Am I overcomplicating things?

 

Thanks!

 

 

Iain

5 REPLIES 5

Cyber Elite
Cyber Elite

If you move SAML to the top then SAML takes precedence because your OS type is "any".

 

You can't use both SAML and RADIUS on same portal/gateway at the same time for different groups of users.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L1 Bithead

Thanks very much!  

Can I use a different portal for initial auth, then continue with my current gateway?  

 

Iain

Cyber Elite
Cyber Elite

Yes you can.

Keep portal as is and set up new gateway.

Using user or group membership point some users to new gateway.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L6 Presenter

@mannix wrote:

Greetings all, I hope you can help me. 

I currently have Globalprotect set up on a single firewall - both portal and gateway.  We're using Radius for authentication, it is working well. 


We want to transition to SAML.  For testing purposes, we'd like to have SAML configured for a specific test user (or group), while leaving the current authentication scheme in place. 


Reordering "Client authentication" does not do it - if I put "SAML-GP" in the first position, SAML works, but no one else can authenticate.  I'm not sure I understand why client authentication order can be changed, but that's the behavior I'm getting. 

 

mannix_0-1715099765068.png

 

I'd RATHER not re-ip everything.  I'm thinking that a separate portal with different public IP is the answer; do I have to add a second gateway, too?  

 

I don't THINK I do, if I simply specify the current gateway in the portal config. 

 

Thoughts?  Am I overcomplicating things?

 

Thanks!

 

 

Iain



We've recently switched to SAML auth for our GP, and we're told that if using SAML for auth that is the only auth mechanism that can be used.  So no matter how many mechanism you use in an auth profile if SAML is there only SAML will be used.

 

Not too sure how accurate that is, but that's what we were told from our SE.

What about the inverse - adding a portal, and within that portal, configure my existing external gateway?

 

I'm trying to create a situation where I can have test users authenticate with saml/Azure, without impacting our existing users. 

 

My thought was to create a second portal, with a different public IP/natted to a loopback.  Check "Generate cookie for authentication override" in the authentication portion of the portal config. 

 

That way, I can configure portal2 to use SAML, other users will be none the wiser. 

 

What am I missing?  I _THINK_ this will work.  

Thanks!

 

 

Iain

  • 1958 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!