12-04-2019 01:17 AM
Hi,
I would like to accomplish the following I have an always on VPN configured to use user-id password at logon.
When the user is on one of our remote sites with know public IP's I want to use only LDAP in all other situation when he is external I want RADIUS(MFA). Can I make an authentication profile and link it to source IP?
Kind regards,
Frederik
12-04-2019 02:25 AM
Hi Frederik,
We can't link an auth profile based on source IP. You could just use radius (MFA) at the sites you want and ldap at the one site you need as the auth profile on that sites gateway (assuming all sites have a gateway, with one central portal issuing the list of gateways that have ldap or radius (mfa) as the auth profile) . By default they will try connect to the lowest average ping reply from each gateway.
We have regions we can use, but can only specify different countries as priorities, we can't use custom regions in gateway selection priorities.
cheers
Rob
12-04-2019 04:29 AM
Rob, Hi.
are you sure re the custom regions... it seems to work for me in Gateway priorities, albeit you cannot use it very well with any other gateways that have the "Any" option set.
Perhaps i have missed something ... can you reference any docs on this as the inbuilt help is vague...
Mick
12-04-2019 04:36 AM - edited 12-04-2019 04:46 AM
HI Mick,
In Panorama creating a shared custom region in a device group, doesn't reflect that option in a template gateway on the same device. Tried it with everything up to a shared object and over-riding stack. Also added in long and latitude as a shot in the dark.
The object I created could only be used in policies in any device group (once shared)
May be specific to the version running and need to go to the beta forum,
But may be common among all versions on panorama, re: can't select custom region in priority list for a gateway.
If can do it on the device should be able to have option on panorama,
cheers
Rob
12-04-2019 04:43 AM - edited 12-04-2019 04:47 AM
Ok, thanks for the info... thought i was going mad!!!!
it works for me on Panorama but I only use it for "Policy and Objects". I do not use "Device and Network Templates".
so for me the "Portal\Agent\Config is applied locally to the firewall.
This must be the difference...
Edit...
Just seen your comment "If can do it on the device should be able to have option on panorama".
that would be my expectation but who knows in the world of PAN.
Mick.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
