Global Protect Authentication

L2 Linker


Hi!

 

I have a scenario where the authentication method needs to be different for some users connecting via GlobalProtect. Basically, two options need to be supported:

 

  • Certificate + username/password (LDAP) – Internal users
  • Username/password (LDAP) + 2FA (RADIUS) – External users (consultants etc.)

 

How can this be set up with PAN?

Br.
Per Tenggren
L7 Applicator

Just looking at this makes me think you will need separate portals for internal users and external users.

 

Purely because device/user certificate authentication is a global auth setting on the authentication tab in the portal settings.

 

If you include RADIUS as an option, then they will also require the same cert.

 

I assume you are talking about device certs and not user-specific certs issued via PKI.

 

Not sure about MFA on the portal, but you can do secondary auth via policies.

 

Also... not sure why you would mix two-factor RADIUS with username/password...

 

 

L2 Linker

OK, is it possible to have multiple portals with the same IP but different FQDNs?

 

"Also... not sure why you would mix two-factor RADIUS with username/password..."

- I don't really understand this statement/question. PAN doesn't support native SecurID; that's why RADIUS.

Br.
Per Tenggren
L7 Applicator

No, because the portal is based on the IP address of the interface.

 

Plus, you can only have one certificate in your SSL/TLS profile for that portal (yes, this can be a wildcard or SAN cert).

 

You may be able to do something clever with a loopback address, but that is well beyond my knowledge, as it would require connecting on a different port via GP, and I'm fairly sure this is not possible, unless anyone else can advise further.

 

For the same reason as described earlier, we have different portals for laptop users, iPad users, 3rd-party support and "loan laptops", as they all have a different mix of device certs, user certs via AD PKI, RADIUS and LDAP.
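The post above notes that a portal's SSL/TLS profile holds a single certificate, which can be a wildcard or SAN certificate covering several portal FQDNs. Before committing to one cert for multiple portals it is worth confirming that its dNSName entries really cover every planned hostname, because wildcard matching is narrower than people expect. The following Python script is an added example, not code from the thread or from Palo Alto Networks: it implements the RFC 6125 dNSName matching rules (case-insensitive exact match, or a wildcard only as the whole left-most label that matches exactly one label) and reports which constructed portal hostnames a constructed SAN list covers. All hostnames and SAN entries in it are made up for illustration.

```python
"""Check whether one SSL/TLS profile certificate covers every planned
GlobalProtect portal FQDN.

Added example, not from the thread or from Palo Alto Networks. The SAN
entries and portal hostnames below are constructed for illustration.
"""

from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class CoverageResult:
    hostname: str
    matched_by: Optional[str]  # SAN entry that covered it, or None

    @property
    def covered(self) -> bool:
        return self.matched_by is not None


def _label_ok(label: str) -> bool:
    """A DNS label: 1..63 chars of letters, digits or hyphens."""
    return 0 < len(label) <= 63 and all(c.isalnum() or c == "-" for c in label)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 section 6.4.3 matching for a single dNSName SAN entry.

    - comparison is case-insensitive
    - a wildcard is honoured only as the entire left-most label ("*.x.y")
    - the wildcard matches exactly one label, so "*.example.com" covers
      neither "example.com" nor "a.b.example.com"
    - partial wildcards ("p*.example.com") are rejected
    - wildcards with fewer than three labels ("*.com") are rejected
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname or "*" in hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if any(not _label_ok(label) for label in h_labels):
        return False
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # partial or non-leading wildcard
    if len(p_labels) < 3:
        return False  # too broad to be trusted
    if len(p_labels) != len(h_labels):
        return False  # the wildcard covers exactly one label
    return p_labels[1:] == h_labels[1:]


def check_portal_coverage(san_dns_names: Iterable[str],
                          portal_fqdns: Iterable[str]) -> List[CoverageResult]:
    """For each portal FQDN, report the first SAN entry that covers it."""
    sans = list(san_dns_names)
    results = []
    for fqdn in portal_fqdns:
        matched = next((san for san in sans if dns_name_matches(san, fqdn)), None)
        results.append(CoverageResult(fqdn, matched))
    return results


# Constructed sample: a SAN cert naming two portals plus a wildcard.
SAMPLE_SAN_DNS_NAMES = [
    "vpn-internal.example.com",
    "vpn-external.example.com",
    "*.gp.example.com",
]
# Constructed sample: the portal hostnames someone plans to put behind it.
SAMPLE_PORTALS = [
    "vpn-internal.example.com",
    "VPN-External.example.com",     # case differs, still covered
    "loan.gp.example.com",          # covered by the wildcard
    "gp.example.com",               # wildcard does not cover the bare domain
    "ipad.support.gp.example.com",  # wildcard covers exactly one label
]

if __name__ == "__main__":
    for r in check_portal_coverage(SAMPLE_SAN_DNS_NAMES, SAMPLE_PORTALS):
        status = f"covered by {r.matched_by}" if r.covered else "NOT covered"
        print(f"{r.hostname:32} {status}")
```

Run it as-is to see which of the sample portals the sample certificate would leave uncovered; for a real deployment, replace the SAN list with the dNSName entries read from the certificate you intend to load into the SSL/TLS service profile.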

 

 

 

L7 Applicator

Sorry...

 

"Also... not sure why you would mix two-factor RADIUS with username/password..."

- I don't really understand this statement/question. PAN doesn't support native SecurID; that's why RADIUS.

 

Yes, I understand why you would use RADIUS, but you stated an authentication process that used "username/password" and RADIUS.

 

Perhaps I misunderstood the statement...

 

Username/password (LDAP) + 2FA (RADIUS) – External users (consultants etc.)

 

I'm thinking RADIUS will include something you are, have and know; I have always accepted this as acceptable for VPN auth.

But then, I don't work for you...

L2 Linker

RADIUS will provide a token from SecurID; otherwise it's not a second factor compared to username/password.

Br.
Per Tenggren
L7 Applicator

Yes, OK, been here before. The difference is between MF (multi-factor) = username and password, followed by RADIUS,

 

or 2F (two-factor) = username with a PIN and a passcode.

 

How secure you make it is up to you.

 

For us, we have something similar, but not via the portal.

 

Our 3rd-party support/contractors use 2F for the VPN connection; the firewall policy lets them go only to specific addresses on specific ports, and then they use username and password to connect to the allowed device, usually RDP, FTP, etc.

 

It's up to you...

L2 Linker

Anyone else?
Br.
Per Tenggren