This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Exclude account(s) from authentication?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Exclude account(s) from authentication?

OGMaverick
L3 Networker

‎01-08-2019 04:51 AM

I know there is the allow list, but what about an exclude?  We use Captive Portal for BYOD and have thousands of accounts we want to allow, but exclude our double digit generic accounts from being able to log in.  What's the best way to achieve this?

0 Likes Likes
5 REPLIES 5

BPry
Cyber Elite
Cyber Elite

‎01-08-2019 12:37 PM

@OGMaverick,

So I would generally create a new AD group for something like this, and then simply deny the group associated with the accounts that you don't want to provide access to. 

0 Likes Likes

OGMaverick
L3 Networker
In response to BPry

‎01-09-2019 09:31 AM

That is what we'd like to do, but we only see the option to allow a group/accounts.

0 Likes Likes

LukeBullimore
L5 Sessionator
In response to OGMaverick

‎01-10-2019 04:39 AM

Hey @OGMaverick

 

Under the advanced tab of an authentication profile (Device -> Authentication Profile), you can allow only certain users or groups from authenticating against that authentication profile via the "allow list".

 

You would do this change against the authentication profile that is tied to your captive portal.

 

Let me know if this helps.

 

Thanks,

Luke.

0 Likes Likes

BPry
Cyber Elite
Cyber Elite

‎01-10-2019 10:30 AM

@OGMaverick,

SO @LukeBullimore gives a good solution, but even if you don't want to mess around with the Auth Profile you can do the following. 

 

 You're going to get a proper user-id mapping with Captive Portal ya, so why wouldn't you make 2 security policies. 

1) Denies the generic accounts if coming from the BYOD IP range from accessing anything. 

2) Allow known-user on the rest of the policies. If they have been auth'd then good to go, otherwise the generic accounts hit the first rule and the traffic is denied. 

 

 

0 Likes Likes

OGMaverick
L3 Networker
In response to BPry

‎01-11-2019 06:20 AM - edited ‎01-11-2019 06:22 AM

@LukeBullimore I believe that is the opposite of what we'd like to do.  There are many many groups and users to be allowed and only a few we'd like denied from logging into captive portal, so a deny option would be best instead of an allow.

 

@BPry We do currently have a security policy to deny all traffic if they are coming from the captive portal network + match one of the generic user accounts.  We'd much rather prefer them not be able to log in with the user at all on the captive portal, as they would now have to wait 24 hours to be re-prompted for creds or have us manually flush them so they can log in with the proper accounts.

0 Likes Likes
  • 2594 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks