04-16-2014 08:23 AM
GP v2.0.1. Successful authentication is based on a particular AD user group. If the user is not part of the group, he/she would be able to connect. We want to implement this solution for smart devices. However, how can we control who connects and who doesn't? We don't want a user with a personal device to be able to connect to the portal/gateway. Is there a way to lock this down further, without client certificates? We want to have control on who can connect on their personal device. Some exceptions, but not all users.
04-17-2014 05:38 AM
You could use HIP for that purpose. Only if the device is "compliant" is it able to connect. For example, insert a hidden registry entry for the devices you want to connect, then check that registry entry with HIP.
04-17-2014 10:47 AM
I could do that. However, how could I do that for iOS and Android devices wanting to connect?
04-17-2014 12:27 PM
Quick and dirty for mobile devices: you could configure a hostname and let HIP check for that. With PAN MSM you have more options available for that purpose. With MSM you can check whether a device is managed; if yes, allow access.
MSM requires additional hardware and licensing, but you get a complete Mobile Device Management solution.
04-17-2014 12:51 PM
Additional HW? Currently running 3000 series FW.
04-17-2014 12:57 PM
MSM is an additional appliance: GP-100 Overview - Palo Alto Networks
Configuring and checking hostnames on your mobile devices does not require MSM.
04-17-2014 12:59 PM
So I will need to know and then add all hostnames from the smart devices?
04-17-2014 01:09 PM
No, just the common part of the hostname. See my example screenshot above. So every device starts with the common part of the hostname, iPhone-7CC53795BECF-; the rest of the hostname can be unique.
Example: iPhone-7CC53795BECF-Device001
With HIP you're checking the hostname with the qualifier "Contains" iPhone-7CC53795BECF
04-17-2014 01:12 PM
OK, thanks. Makes sense.
04-17-2014 01:15 PM
This won't affect the laptops/desktops that connect?
04-17-2014 01:19 PM
It does not, as long as you define the OS in the HIP Object; see screenshot above.
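The following is an added illustration of the gating logic the thread converges on, not code from Palo Alto Networks or from the PAN-OS HIP engine: a HIP object that combines an OS criterion with a hostname "Contains" check, placed ahead of a catch-all deny for unmanaged mobile devices, with a separate object for laptops so they are unaffected. All object names, the report fields, and the device reports are constructed for the example. As the thread itself notes, this is a "quick and dirty" control: the hostname is a value set on the device, so it identifies devices an administrator has provisioned rather than proving management state the way an MSM managed-device check would.

```python
"""Simulation of HIP-object matching with an OS qualifier and a hostname
'Contains' criterion (constructed example; not the PAN-OS implementation)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Common hostname part from the thread; each managed device appends a unique suffix.
MANAGED_PREFIX = "iPhone-7CC53795BECF"


@dataclass(frozen=True)
class HipReport:
    """Subset of what a GlobalProtect client would report (constructed fields)."""
    hostname: str
    os_family: str          # e.g. "iOS", "Android", "Windows"
    user_in_ad_group: bool  # result of the existing AD group authentication


@dataclass(frozen=True)
class HipObject:
    """Mirrors the two criteria used in the thread: OS and hostname 'Contains'."""
    name: str
    os_families: FrozenSet[str]
    hostname_contains: Optional[str] = None  # None means no hostname criterion

    def matches(self, report: HipReport) -> bool:
        if report.os_family not in self.os_families:
            return False
        if self.hostname_contains is not None and self.hostname_contains not in report.hostname:
            return False
        return True


@dataclass(frozen=True)
class Rule:
    name: str
    hip_object: HipObject
    action: str  # "allow" or "deny"


MOBILE_OS = frozenset({"iOS", "Android"})
MANAGED_MOBILE = HipObject("managed-mobile", MOBILE_OS, MANAGED_PREFIX)
ANY_MOBILE = HipObject("any-mobile", MOBILE_OS)
CORPORATE_PC = HipObject("corporate-pc", frozenset({"Windows", "macOS"}))

# First-match policy: provisioned phones, then deny every other phone,
# then the laptop/desktop rule, which the mobile objects never touch.
POLICY: List[Rule] = [
    Rule("allow-managed-mobile", MANAGED_MOBILE, "allow"),
    Rule("deny-personal-mobile", ANY_MOBILE, "deny"),
    Rule("allow-pcs", CORPORATE_PC, "allow"),
]


def evaluate(report: HipReport, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, reason). AD group check first, then first-match HIP rules,
    then implicit deny."""
    if not report.user_in_ad_group:
        return ("deny", "ad-group")
    for rule in policy:
        if rule.hip_object.matches(report):
            return (rule.action, rule.name)
    return ("deny", "implicit-deny")


# Constructed device reports covering each case raised in the thread.
SAMPLE_REPORTS = {
    "provisioned-iphone": HipReport("iPhone-7CC53795BECF-Device001", "iOS", True),
    "personal-iphone": HipReport("Alices-iPhone", "iOS", True),
    "personal-android": HipReport("Pixel-4711", "Android", True),
    "corporate-laptop": HipReport("LT-FINANCE-042", "Windows", True),
    "not-in-group": HipReport("iPhone-7CC53795BECF-Device002", "iOS", False),
}


def evaluate_samples() -> dict:
    """Evaluate every constructed report; used to show which rule each one hits."""
    return {label: evaluate(r) for label, r in SAMPLE_REPORTS.items()}


if __name__ == "__main__":
    for label, (action, reason) in evaluate_samples().items():
        print(f"{label:20s} -> {action:5s} ({reason})")
```

The laptop case shows why the OS criterion matters: without it, the "any-mobile" deny would also catch a Windows host whose hostname lacks the prefix, which is the concern raised just above.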