This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

How to use multiple authentication profiles for Global Protect VPN

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to use multiple authentication profiles for Global Protect VPN

Go to solution
kkrause
L2 Linker

‎02-26-2015 12:43 PM

I have a need for our employees to use LDAP in the authentication profile for VPN connectivity, but I also have outside third parties that need remote VPN connectivity as well. I want them to use local database user accounts. How can I do this? It seems that a given portal can only use 1 authentication profile type.

I only have 1 external interface with 1 IP address assigned. Is the solution to use loopback interface?

Thanks,

Ken

1 person had this problem.
1 accepted solution

Accepted Solutions

Go to solution
hshah
L6 Presenter

‎02-26-2015 03:30 PM

Hi Kkrause,

You can refer following document. Its for four LDAP profiles. Instead you can have one Local Database and one LDAP.

Using More than Four LDAP Servers in a Palo Alto Networks Configuration

Let me know if that helps.

Regards,

Hardik Shah

View solution in original post

0 Likes Likes
6 REPLIES 6

Go to solution
kattaullah
L3 Networker

‎02-26-2015 02:04 PM

Hello Kkrause


Authentication profiles can be combined in an authentication sequence. If a user is not found on one of the LDAP servers in the first authentication profile it will attempt the next one, which should result in a successful authentication attempt as a whole on the firewall. This is configured under Device > Authentication Sequence:



Auth seq2.png


This sequence can now be used for any purpose, such as Global Protect authentication:


Auth seq3.png


Hope that answers your question.


Regards

Khan


Note: Please mark any correct or helpful reply.

Go to solution
hshah
L6 Presenter

‎02-26-2015 03:30 PM

Hi Kkrause,

You can refer following document. Its for four LDAP profiles. Instead you can have one Local Database and one LDAP.

Using More than Four LDAP Servers in a Palo Alto Networks Configuration

Let me know if that helps.

Regards,

Hardik Shah

0 Likes Likes

Go to solution
kkrause
L2 Linker
In response to kattaullah

‎02-27-2015 06:07 AM

Thanks for the response. I implemented the Authentication Sequence and I can see in my logs that the VPN authentication attempt is occurring on both the local profile and the LDAP profile. However I have a username/password issue for this particular user account that I need to resolve. I'm absolutely 100% sure that the username and password I'm testing with is correct and the account is enabled....so I'll check again Smiley Happy

0 Likes Likes

Go to solution
kkrause
L2 Linker
In response to kattaullah

‎02-27-2015 06:08 AM

Thanks for the response and additional documentation. It seems that the Authentication Sequence will take care of my needs.

0 Likes Likes

Go to solution
hshah
L6 Presenter
In response to kkrause

‎02-27-2015 07:58 AM

Hi KKrause,

Its top-down approach, first it check first method of authentication, if it doesnt authenticate than it go to next one. Let me know if this helps.

Regards,

Hardik Shah

0 Likes Likes

Go to solution
kkrause
L2 Linker
In response to hshah

‎02-27-2015 01:35 PM

I found my password problem. I had changed the Portal to use Auth Sequence but not the gateway. Once I put that in place I can now VPN with my AD users and with my local database users. Oh, the joy of learning a new platform!

Thanks to all for the help.

0 Likes Likes
  • 1 accepted solution
  • 15095 Views
  • 6 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks