This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Force Authentication Policy (MFA) for known users (user-id agent)

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Force Authentication Policy (MFA) for known users (user-id agent)

Sly_Cooper
L4 Transporter

‎02-10-2021 11:59 AM

Hi,

 

I had configured Authentication policy for one of the environments and everything worked fine as expected. While replicating similar setup for a different environment, the Authentication policy was not working. After some troubleshooting, I observed that if the firewall has user to ip mapping generated via user-id agents (type UIA), it does not trigger Authentication policy (MFA, Type SSO). I confirmed the theory by doing multiple test with and without user-id agent config. How can I enforce Authentication Policy for already known user? I do not to remove the user-id agent config for the vsys as this environment is just a subset of the environments covered (same zone). I want users to perform MFA before accessing certain resources and not provide access based on user-id mapping (active directory logs).

 

I am running PAN-OS 9.0.x. Thanks in advance.

0 Likes Likes
2 REPLIES 2

BPry
Cyber Elite
Cyber Elite

‎02-10-2021 02:29 PM

@Sly_Cooper,

Can you post how you've actually configured the authentication rulebase entry? Sounds like it's simply been configured in a way to alert on unknown users, which would be standard from an authentication policy standpoint but not what you want in this case. 

0 Likes Likes

Sly_Cooper
L4 Transporter
In response to BPry

‎02-11-2021 07:36 AM

@BPry

- Okta SAML profile (Imported)

- Authentication profile using the Okta SAML profile

- Captive portal using Okta SAML profile (redirect mode)

- Authentication policy, trust -> untrust -> http, https, tcp/3389 services -> default-web-form

- Security policy allowing required traffic

 

I also tried using a custom authentication object by cloning default-web-form and configured it to use Okta SAML authentication profile, and using it in the authentication policy.

 

The issue is not with the authentication policy. If I remove user-id agents from the vsys, the firewall does not have user to ip mapping and the authentication works as expected. The authentication is not triggered when the user is already known via user-id agents. It does not trigger network MFA. I hope this explanation helps.

 

 

0 Likes Likes
  • 2018 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks