Force Authentication Policy (MFA) for known users (user-id agent)


L4 Transporter



I had configured an Authentication policy for one of the environments and everything worked fine as expected. While replicating a similar setup for a different environment, the Authentication policy was not working. After some troubleshooting, I observed that if the firewall has user-to-IP mapping generated via User-ID agents (type UIA), it does not trigger the Authentication policy (MFA, type SSO). I confirmed the theory by doing multiple tests with and without the User-ID agent config. How can I enforce Authentication Policy for an already known user? I do not want to remove the User-ID agent config for the vsys, as this environment is just a subset of the environments covered (same zone). I want users to perform MFA before accessing certain resources, rather than being granted access based on User-ID mapping (Active Directory logs).


I am running PAN-OS 9.0.x. Thanks in advance.


Cyber Elite


Can you post how you've actually configured the authentication rulebase entry? Sounds like it's simply been configured in a way to alert on unknown users, which would be standard from an authentication policy standpoint but not what you want in this case. 


- Okta SAML profile (Imported)

- Authentication profile using the Okta SAML profile

- Captive portal using Okta SAML profile (redirect mode)

- Authentication policy, trust -> untrust -> http, https, tcp/3389 services -> default-web-form

- Security policy allowing required traffic


I also tried using a custom authentication object by cloning default-web-form and configured it to use Okta SAML authentication profile, and using it in the authentication policy.


The issue is not with the authentication policy. If I remove user-id agents from the vsys, the firewall does not have user to ip mapping and the authentication works as expected. The authentication is not triggered when the user is already known via user-id agents. It does not trigger network MFA. I hope this explanation helps.
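An added check, not part of the original thread, for reproducing the comparison described above from the PAN-OS operational CLI without removing the User-ID agent from the vsys: look at the mapping for one test client, clear only that client's mapping, and retest the Captive Portal redirect. The client address 10.10.20.15 is an assumed value; the commands themselves are standard PAN-OS operational commands.

```panos
# Added example, not from the original post. 10.10.20.15 is an assumed test client.

# 1. Is the test client already known, and from which source (UIA = User-ID agent)?
> show user ip-user-mapping ip 10.10.20.15

# 2. List all current mappings with their source and remaining timeout.
> show user ip-user-mapping all

# 3. Confirm the User-ID agents configured for this vsys are connected.
> show user user-id-agent state all

# 4. Drop only this client's mapping; the agent configuration stays in place.
#    Then open a trust -> untrust HTTPS session from 10.10.20.15 and check
#    whether the Captive Portal redirect to Okta is triggered.
> clear user-cache ip 10.10.20.15

# 5. Re-check the client: the entry stays absent until the agent sends
#    a new mapping for that IP (for example on the next AD logon event).
> show user ip-user-mapping ip 10.10.20.15
```

Clearing a single IP from the user cache reproduces the "no mapping" condition for one client only, which is a less disruptive way to compare the two cases than removing the agent from the whole vsys. If the session from the cleared IP is redirected to Okta while a session from a still-mapped IP is not, the mapping entry (source UIA) is the variable being tested.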


