How to block access to internet based on User name and group


L1 Bithead

We have a request from our teachers for a way to block access to the internet based on students' username. Oh - and the teacher needs to be able to grant or deny this access from a simple interface...

Myself and my colleague are scratching our heads on this one.

What we are thinking of is trying to leverage Active Directory Groups in our PAN and have a simple GUI that a teacher can edit and which would post a command through to the PAN to grant or deny access for the student/class group.

I am wondering if using the PAN CLI (with the User-Agent) would be able to accomplish this... Or if custom ACLs would be better.

Has anyone created something similar for use in education? A way for teachers to have direct access via a 3rd party interface and set permissions for a student or group?

Any tips and information are GREATLY appreciated!

3 REPLIES

L2 Linker

You can use LDAP lookup from your PA to get groups from AD.

Have a look at the Admin guide:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-LDAP-Server-Profile/ta-...

Cyber Elite

So to expand on what has already been suggested, with respect to AD groups. This is possible and I have done this in the past very successfully. The tricky part comes in where you need to have the teachers modify the groups. You could create an AD group and allow the teachers to be the owners, that way they can just do this on their own. However, this is scary if this is a shared group (I wouldn't do this). Where I have done this in the past, the Support Desk (tier 1) techs could do this based on tickets. That way there was a record and accountability. Regardless of what the teachers would like, I would be very worried about giving them access to modify an AD group. Perhaps the override feature could be used on false positives? But that password gets spread like wildfire. Or instead of a block page they could get a continue page and then the teacher could request alternative access? This way class is not halted and order is maintained.

 

Just some thoughts.

Thanks for the information! We are going to hold this in reserve. At least we know that it is feasibly possible.

We are speaking to one of the regional municipalities about their in-house solution. It seems they have made something like this that we may possibly "copy and paste".

Wouldn't that be great if it worked 😉

Have a good weekend.

 
