03-23-2020 01:50 PM
Hi there,
I have multiple client authentication configurations set up on my GlobalProtect portal which use the same OS type.
Order is as follows:
1 - Windows OS with local auth on the firewall.
2 - Windows OS with LDAP auth.
What i want to achieve is if authentication fails with local auth, it tries LDAP auth and keeps going down the list until it matches.
Both my local auth and LDAP auth profiles work fine, but the first one always takes precedence. It appears that if a config matches and fails, it does not try the next in the list.
I want users who perform local auth to have a different IP range assigned to users that perform LDAP auth.
How could i address this problem, or achieve the desired outcome another way?
Many thanks,
03-24-2020 06:06 AM
not sure of your exact config but perhaps try this,,,
only have 1 portal config to 1 gateway (or multiple gateways)
Then on the gateway under client settings add user groups under different configs to assign different pools.
03-24-2020 10:24 AM
I have a similar situation. I am trying to use two client authentication methods, one SAML (okta) and one regular LDAP. They both point to different Active Directory groups and the regular ldap is first in order. I have tested and when GP doesn't see the user in the regular LDAP client I receive error that user is not in allowed list and it stops and does not try the second in the list for locating the user.
03-25-2020 02:23 AM
There is no real benefit for you using multiple client authentication configurations on your GlobalProtect portal.
Create a new authentication sequence with both authentication profiles in the correct order. Then assign this auth sequence to your one and only client authentication configuration.
Under Agent tab you can differentiate between those users and forward each of the user groups to a different gateway with different IP ranges.
07-31-2020 08:47 AM
unfortunately this doesn't resolve the issue if you are using SAML authentication (apparently authentication sequence does not support SAML authentication profiles). Any other way of doing this? So far we have created a portal for each gateway to go around this, but now we are hitting an unadvertised limit of 32 portals (5220). So basically we are stuck at 32 max VPN portal/gateways. Any thoughts/ideas are appreciated.
Best,
Eilbron
07-31-2020 09:58 AM
Hi @Eilbron
What are you trying to do exactly? Different IP-Ranges for different user/device combinations?
07-31-2020 10:17 AM
Hi Vsys_remo,
We use this for external customers (Customer1/Gateway1/Portal1, Customer2/Gateway2/Portal2, and so on) where they land in their own environment (think cloud environment for customers). So far the 1:1 Portal/Gateway worked fine. But now we hit this 32 portal limit, and we are stuck. I was thinking to use one portal for multiple gateways, but under Portals > Authentication > Client Authentication, when I list multiple client authentication (for multiple customers), it only considers the first one, and does not go to the next one. The Authentication sequence option could have potentially fixed this (got excited when I saw this here), but it apparently does not work for SAML authentication. Any advice is greatly appreciated!
Best,
Eilbron
07-31-2020 12:31 PM
Hi @Eilbron
Ok, got it and unfortunately you are right about this limitation. The only thing I can think of is that you install another SAML IdP in the role of some sort of "router". So the users enter their email/upn on that IdP and are then forwarded based on the domainsuffix to their actual SAML IdP. This way you could use one portal and based on the user that logs in the portal is able to assign the right config. But unfortunately it could be possible that you then hit another limitation but I am not sure about that - maybe the limitation of 32 also applies to globalprotect gateways.
Anyway this probably you can also solve with different VRs/policy based forwarding rules.
07-26-2024 06:20 AM
Just came across this use case today and the limitations of Authentication profiles does not support SAML as Eilbron stated above. as per Palo Alto Doc below. However, you can utilize CIE to authenticate to multiple Authentication sources including LDAP and SAML.
"You cannot add an authentication profile that specifies a multi-factor authentication (MFA) server profile or a Security Assertion Markup Language (SAML) Identity Provider server profile." Ref: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/device/device-authentication....
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
