Global Protect : Authentication Profile based on source IP

L2 Linker

Hi,

I would like to accomplish the following: I have an always-on VPN configured to use user-id password at logon.

When the user is on one of our remote sites with known public IPs, I want to use only LDAP; in all other situations, when he is external, I want RADIUS (MFA). Can I make an authentication profile and link it to source IP?

Kind regards,

Frederik

L2 Linker

Hi Frederik,

We can't link an auth profile based on source IP. You could just use RADIUS (MFA) at the sites you want and LDAP at the one site you need as the auth profile on that site's gateway (assuming all sites have a gateway, with one central portal issuing the list of gateways that have LDAP or RADIUS (MFA) as the auth profile). By default they will try to connect to the lowest average ping reply from each gateway.

We have regions we can use, but can only specify different countries as priorities; we can't use custom regions in gateway selection priorities.

cheers

Rob

L7 Applicator

@rdonohoe23 

Rob, Hi.

Are you sure re the custom regions... it seems to work for me in Gateway priorities, albeit you cannot use it very well with any other gateways that have the "Any" option set.

Perhaps I have missed something... can you reference any docs on this, as the inbuilt help is vague...

Mick

L2 Linker

Hi Mick,

In Panorama, creating a shared custom region in a device group doesn't reflect that option in a template gateway on the same device. Tried it with everything up to a shared object and over-riding stack. Also added in long and latitude as a shot in the dark.

The object I created could only be used in policies in any device group (once shared).

May be specific to the version running and need to go to the beta forum.

But may be common among all versions on Panorama, re: can't select custom region in priority list for a gateway.

If can do it on the device should be able to have option on panorama.

cheers

Rob

L7 Applicator

@rdonohoe23 

Ok, thanks for the info... thought I was going mad!!!!

It works for me on Panorama but I only use it for "Policy and Objects". I do not use "Device and Network Templates".

So for me the "Portal\Agent\Config" is applied locally to the firewall.

This must be the difference...

Edit...

Just seen your comment "If can do it on the device should be able to have option on panorama".

That would be my expectation, but who knows in the world of PAN.

Mick.
