Global Protect 2-factor Auth & User-ID Mapping

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global Protect 2-factor Auth & User-ID Mapping

L3 Networker

Hi All,

I'm migrating from ASA to Palo Alto including user VPN access (AnyConnect).  The setup will be 2 factor authentication with LDAP/Kerberos (not sure which yet) for the portal and OTP via RADIUS for the gateway.

The current setup allows access lists to be applied via the vpn policy to each authenticated user group limiting their access to internal resources.

My thought is to be able to build security policies providing these same limits that are based on the appropriate AD group.  This would allow me to have a single GP gateway & pool but still provide the same granularity they have now.

My question is, does the user's AD username passthrough from the portal and mapped to their users GP IP even with RADIUS being used on the gateway?  I'm trying to avoid having to setup separate gateways with separate IP pools and having to base my security policies on the GP IP pools.

I'm looking for best practices way of configuring this.

Thanks for any suggestions.

1 REPLY 1

L3 Networker

Figured I'd reply with the answer just in case anyone else has the same question.

There's a post out there that discusses making sure to fill in the NetBIOS domain name in the 'domain' box in the authentication profile.  This applies not just to LDAP but to RADIUS.  When you fill this in you will get the DOMAIN\userid in the traffic log and security policies based on a domain security group work.

  • 2185 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!