- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
09-19-2017 12:02 AM
Hi!
I've a scenario where the authentication methods needs to be different for some users connecting via Global Protect. Basically two options needs to be supported:
How can this be setup with PAN?
09-19-2017 12:54 AM
just looking at this makes me think you will need seperate portals for internal users and external users.
purely because device/user certificate authentication is a global auth setting for the authentication tab in portal settings.
if you include radius as an option then they will also require the same cert.
i assume you are talking about device certs and not user specific certs issued vi PKI.
not sure about MFA on the portal but you can do secondary auth via policies.
also.. not sure why you would mix 2 factor radius with username password....
09-19-2017 01:44 AM
Ok, is it possible to have multiple portals with the same IP but different FQDNs?
"also.. not sure why you would mix 2 factor radius with username password...."
- I don't really understand this statement/question. PAN don't support native SecureID, that's why radius.
09-19-2017 02:12 AM
no because the portal is based on the ip address of the interface.
plus.. you can only have 1 certificate in your ssl/tls profile for that portal. (yes this can be a wildcard or SAN)
you may be able to do something clever with a loopback address but well beyond my knowledge as this would require connecting on a different port via GP and I'm sure this is not possible unless anyone else can advise further.
for the same reason as described earlier.... we have different portals for laptop users, ipad users, 3rd party support and "loan laptops" as they all have a different mix of device certs, user certs via AD PKI, Radius and lDAP.
09-19-2017 02:23 AM
sorry..
"also.. not sure why you would mix 2 factor radius with username password...."
- I don't really understand this statement/question. PAN don't support native SecureID, that's why radius.
yes I understand why you would use Radius but you stated an authentication process that used "username/password" and Radius.
perhaps i missunderstood the statement..
Username/password (LDAP) + 2FA (RADIUS) – External users (consultants etc.)
i'm thinking Radius will include something you are, have and know, I have allways accepted this as acceptable for VPN auth.
but then, i don't work for you...
09-19-2017 02:39 AM
RADIUS will provide a token from SecureID, othwise it's not a second factor compare to username/password.
09-19-2017 02:51 AM
yes OK, been here before, difference between MF (multi Factor) = username and password, followed by radius.
or 2F (two factor) = username with a PIN and a passcode.
how secure you make it is up to you.
for us we have similar but not via the portal.
our 3rd paty support/contractors use 2F for VPN connection, the firewall policy lets them only go to specific addresses on specific ports, and then they use username and password to connect to the allowed device, usually RDP, FTP etc...
It's up to you...
09-27-2017 01:01 AM
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!