I'm hoping I'm missing something obvious here...is there a good way to support SSL-VPN access for different types of users who require different access and use different authentication schemes?
I am trying to set up multiple SSL-VPN tunnel configurations for different types of users. Initially, I was hoping to use a single SSL-VPN configuration and simply differentiate by user. However, it doesn't appear that PAN is set up in this fashion. My goal is to support different users having different authentication schemes and requiring different access (Employees versus Contractors).
So, I set out to create a second SSL-VPN tunnel configuration. Unfortunately, I have hit a problem I don't know how to overcome:
* First, I had to create a separate SSL-VPN tunnel to support different authentication profiles (Radius AND LocalDB) as well as to control access differently for each group.
* Second, I had to create the new User Profiles.
* Third, to create a new SSL-VPN tunnel, I have to create a new tunnel interface and associate it with my zone of choice.
* Fourth (and this is the issue), I had to create a new IP address on my external interface. This is because I can't use the same IP address on the same external interface as is already used in the first SSL-VPN. (This is the selection on the "Choice" option of the "Gateway Address" configuration section in the Add/Edit SSL VPN dialog window).
However, this fourth step is not possible (at least in my environment). I can't add a secondary address to the external interface in the same network as the first address (192.168.1.1/24 and 192.168.1.2/24 for example). And, since I don't have another network of addresses to use on the external interface, I am stuck.
1. PAN-OS 4.0 supports the use of multiple authentication types on one SSL-VPN
2. addressed by using allowed user lists in an authentication profile
3. unnecessary if you are taking advantage of #1
4. also obviated by #1 and the ability to specify a set of authentication types to try on a single SSL VPN setup.
Thanks! Took a few minutes to figure out how to do it, so for anyone else interested:
Create an Authentication Sequence with the selected user profiles. The Authentication Sequence object is then selectable on the SSL-VPN configuration. This will attempt to authenticate the user against each profile in the selected order.
However, I am still falling short of my goal. I have now successfully permitted both user groups, using different authentication mechanisms, to access the same networks through the SSL-VPN. But, I want to control their access uniquely. Since they belong to the same SSL-VPN, get dropped into the same zone, etc, I don't see a way to limit their access.
I have not yet tried defining users in the security policy rules because one of the groups is a large group of RADIUS users, where I have not previously had to define each user manually in the system, and I am hoping to avoid that. Without defining them, it does not appear possible to select a UserProfile in the user column of the security policy. And, I don't even know if it would work. Does the username used to authenticate to the SSL-VPN get passed to the security policy for access verification based on user filtering in the policy?
Thanks again for the quick answer...any tips on further controlling access to the different groups of users?
Please look at the attached file and tell me, is this the setup you're describing?
If yes, there is not a good reason for dropped packets originating from or destined for the broadcast domain local to your inside interface. Configuration would be the logical area to review, and viewing the system logs may reveal any proxy ID issues. If you are unable to resolve this problem in a timely manner on your own, I would direct you to open a case with support so that they can help you resolve your problem quickly and efficiently.