08-06-2017 04:28 AM
Hi
I want to control access to resources "for users connecting through GlobalProtect" at the username level.
How do I do this?
And which is better: assigning the tunnel interface to a new zone, or to the trust zone?
Thanks
08-06-2017 04:55 AM - edited 08-06-2017 04:57 AM
I think the best way is to have a new zone for the GP tunnel interface, and for the user access control you need User-ID enabled with AD integration.
Agentless (built-in):
Agent software installation:
08-06-2017 09:02 AM
Hi @myasin
There is no 'right' configuration in your situation. It depends on some more details:
In most cases the best way is to use a separate zone for the tunnel interface...
User-ID also works with local firewall users. You can simply enter the usernames into the security policy to restrict access to specific users and/or groups. But if you use AD users there are some more steps needed to get there (see the links posted by @TranceforLife).
Regards,
Remo
08-07-2017 12:54 AM
Hi
So if I want to use the local user database, then all I need is to enable user identification on the zone assigned to the tunnel interface, and then reference the users in the policies from untrust to the new zone, right?
But what will be the case for the AD users scenario?
And can I use both local and AD users simultaneously for the VPN authentication?
Thanks
08-07-2017 01:36 AM
Can I just ask, what form of authentication are they using?
08-07-2017 01:41 AM
It's still under setup.
We will use local and AD auth for GlobalProtect connecting users.
08-07-2017 02:03 AM
So if I want to use the local user database, then all I need is to enable user identification on the zone assigned to the tunnel interface, and then reference the users in the policies from untrust to the new zone, right?
----- Correct.
But what will be the case for the AD users scenario?
----- Device / User Identification / Group Mapping Settings.
You will need an LDAP profile to connect to AD. In the settings you can select particular groups and then add these (or individual users in the groups) to the policies.
And can I use both local and AD users simultaneously for the VPN authentication?
----- I prefer individual Portals/Gateways for different auths, but if this is not practical then you can use.......
Device / Authentication Sequence.
It will try all auth requests from top to bottom until it finds a match.
08-07-2017 02:26 AM
For the authentication sequence, can we authenticate over both local and LDAP simultaneously, or will they be checked in sequence, "like Local is checked only if LDAP wasn't reachable"?
08-07-2017 02:51 AM
It will be checked in sequence. The profiles will be checked in the order you configured them until the user is found.
So in your case, Local will also be checked if LDAP is available but the user wasn't in your AD.
08-07-2017 02:59 AM
I can see that vsys_remo has answered in full, but I had already typed my answer so will post.
Yes, you can use Authentication Sequence for multiple auths at the same time.
It was introduced to get around the issue of different auth options for the same portal/gateway.
Unfortunately it doesn't include certificate auth (happy to be corrected).
If your sequence is as follows:
1. LDAP
2. Local
it will try 1. LDAP first. If 1. LDAP returns unreachable, unknown user, bad username or password, or anything else that is not accepted, it will then try 2. Local.
You will need to create "Authentication Profiles" for all of your authentication options and then add them in your preferred order to "Authentication Sequence".
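The fall-through behaviour the two replies above describe (profiles tried top to bottom; unreachable, unknown user and bad password all move on to the next profile), as an added Python model. This is illustration written for this thread, not PAN-OS code; the profile names, user stores and credentials are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    SUCCESS = "success"
    UNREACHABLE = "unreachable"            # server down or timed out
    UNKNOWN_USER = "unknown user"
    BAD_PASSWORD = "bad username or password"

Check = Callable[[str, str], Result]

@dataclass
class AuthProfile:
    name: str
    check: Check

def make_store(users: Dict[str, str], reachable: bool = True) -> Check:
    """Credential check over a constructed user store (stand-in for LDAP or Local)."""
    def check(user: str, password: str) -> Result:
        if not reachable:
            return Result.UNREACHABLE
        if user not in users:
            return Result.UNKNOWN_USER
        return Result.SUCCESS if users[user] == password else Result.BAD_PASSWORD
    return check

def authenticate(sequence: List[AuthProfile], user: str, password: str
                 ) -> Tuple[Optional[str], List[Tuple[str, Result]]]:
    """Walk the sequence top to bottom; any non-success result falls through to the
    next profile. Returns the accepting profile (None if none) and the attempt trail."""
    trail: List[Tuple[str, Result]] = []
    for profile in sequence:
        result = profile.check(user, password)
        trail.append((profile.name, result))
        if result is Result.SUCCESS:
            return profile.name, trail
    return None, trail

# Constructed sample stores: AD accounts behind the LDAP profile, VPN-only accounts in Local.
LDAP = AuthProfile("LDAP", make_store({"alice": "Wint3r!"}))
LDAP_DOWN = AuthProfile("LDAP", make_store({"alice": "Wint3r!"}, reachable=False))
LOCAL = AuthProfile("Local", make_store({"gp-admin": "L0cal-0nly"}))

if __name__ == "__main__":
    for seq, u, p in [([LDAP, LOCAL], "alice", "Wint3r!"),          # AD user, accepted by LDAP
                      ([LDAP, LOCAL], "gp-admin", "L0cal-0nly"),    # unknown in AD, falls to Local
                      ([LDAP_DOWN, LOCAL], "gp-admin", "L0cal-0nly"),  # AD down, Local still works
                      ([LDAP, LOCAL], "alice", "wrong")]:           # bad password also reaches Local
        print(f"{u}: {authenticate(seq, u, p)}")
```

The last case is the one to keep in mind when reviewing logs and lockout settings: a wrong password for an AD account is still presented to the Local profile, so every failed attempt counts against both stores.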