01-15-2019 11:32 PM
Hi team
How can I implement in the GlobalProtect configuration the use of client certificate and LDAP authentication as two-factor authentication only for some users (or a user group)? We have only rolled out private certificates from our PKI for some users that have access to sensitive services, and these users should use their certificate as additional authentication for the GlobalProtect portal/gateway. All other users should be able to connect without a client certificate. How can I implement this scenario?
I only found this in the GlobalProtect portal/gateway configuration, valid for all clients that connect.
Regards
Andrea
01-16-2019 03:10 AM
Certificate authentication is global to all users. You can have either just certificate auth, just LDAP auth, or both cert and LDAP, but you cannot have both cert only and cert plus LDAP on the same portal/gateway.
You could just use certificate authentication on the portal and then, depending on the user group, issue a different gateway: one with cert auth and one with LDAP auth.
You will need an additional license for multiple gateways.
01-16-2019 03:30 AM
Sure! I have security policies that only allow access to those people. But that's not the problem. The problem is that only a username/password for authentication is not safe enough for external access to the services. And I don't want to roll out hundreds of private certificates for people that do not need this for access to non-sensitive services. For this scenario it would be helpful to have the additional certificate authentication only for restricted users.
Regards
Andrea
01-16-2019 03:51 AM
Sure, I understand.
What you are trying to configure is not possible on the same portal or gateway.
Do you have a gateway license?
Or could you have different portals for the different users?
01-16-2019 07:01 AM
Actually, we don't have a gateway license.
And yes, I also thought about a different portal for these users, but for this I need to add a second IP address to the interface, is that right?
Regards, Andrea
01-16-2019 07:08 AM - edited 01-16-2019 07:09 AM
Yes, it would be best to add a second IP address, but you may be able to configure a new portal and gateway on a loopback address (so two portals on the same interface but on different ports).
I have used it and it works well, but I have never used it alongside an existing portal/gateway; it should work, though.
Here is a link, but you can also just search the web for "globalprotect loopback":
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGKCA0
01-16-2019 09:50 AM
I would distribute certificates to all users. If using PKI, then you can use Group Policy to install a certificate on domain logon.
01-17-2019 01:39 AM