Most secure way to validate laptop, desktop and mobile devices?

L1 Bithead

I'm new to networking in general and looking for the most secure way to ensure those joining our network actually belong on the network. We have a moderate hierarchy of users with a fairly even mix of desktops, laptops and mobile devices.

What I'm looking to achieve:

- Only specific devices are able to connect to the network (whitelist specific, deny the rest)

- Group devices into groups for different filtering rules

Notes:

- We have a single wifi spread throughout the site which management and operators share

- We have outside contractors onsite who need access temporarily

- We use GlobalProtect to connect to the network remotely; I need to ensure this isn't disrupted

- We have a tunnel in place to a sister site that also needs to stay connected

From what I've read so far it seems that certificate-based authentication would be the most secure, though I've no idea where to start or if it's even possible to implement on mobile or temporary devices.

Would very much appreciate any help.

3 REPLIES

L1 Bithead

I believe the only way to do so with a PA is with GlobalProtect, and you could use certificates. Otherwise, you would have to look at a genuine NAC product. ClearPass (Aruba / HP) makes a pretty extensive one with a lot of capabilities; there are others out there too.

Cyber Elite

@davidgregg,

1) Have you configured User-ID already? If so, you can restrict all security policies to known-user, and as long as the IP has a User-ID mapping the policies would function; if there isn't a mapped User-ID entry, they would hit the default deny rule.

2) Does your Palo Alto handle your DHCP, or is this another network device?

3) What are you using to provide your wireless, and do you know if you can pull User-ID from that device?

4) Are your users okay with being presented a captive portal, or not?

Essentially, yes, the Palo Alto can do what you are asking. The setup is somewhat complex and requires a few things to be put in place to do so properly, but it isn't impossible.

L3 Networker

Hi Mate,

Apart from the User-ID, zones and security rules, you can go one step further with HIP checks to look at the devices connecting.

You can use the HIP profiles in conjunction with the User-ID, zones etc. to make sure the devices connecting are above board and not just the user's credentials 🙂

https://www.paloaltonetworks.com/documentation/71/globalprotect/globalprotect-admin-guide/use-host-i...

https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-HIP-checks-for-missing-patches-for-multi...

Details of what can be checked with the HIP checks are below.

[Image: hipChecks.GIF]

Hope this helps,

Rob
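The two replies above describe one decision flow: a connection from an IP with no User-ID mapping falls through to the default deny, group-based rules give management and operators different treatment, and a HIP profile can additionally require the device itself to be in a known-good state before a rule matches. The following Python model is an added illustration of that flow, not PAN-OS code or anything from Palo Alto Networks; the IP-to-user table, group memberships, posture attributes and rule names are all constructed for the example, and the first-match rulebase with a trailing default deny mirrors how the replies describe the policy behaving.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed User-ID table (source IP -> username), standing in for what a
# User-ID agent or captive portal would populate on the firewall.
USER_ID_MAP: Dict[str, str] = {
    "10.10.1.25": "corp\\alice",   # management laptop
    "10.10.1.40": "corp\\bob",     # operator desktop
}

# Constructed directory group membership used for group-based rules.
GROUP_MEMBERS: Dict[str, set] = {
    "corp\\management": {"corp\\alice"},
    "corp\\operators": {"corp\\bob"},
}


@dataclass
class HipProfile:
    """A posture profile: every listed attribute must have the required value."""
    name: str
    requirements: Dict[str, object]

    def matches(self, report: Dict[str, object]) -> bool:
        return all(report.get(key) == value for key, value in self.requirements.items())


@dataclass
class Rule:
    name: str
    source_user: str                   # "any", "known-user", or a group name
    hip_profile: Optional[HipProfile]  # None means no posture requirement
    action: str


# Constructed posture profile a corporate-managed device is expected to meet.
HIP_CORPORATE = HipProfile(
    "corporate-managed",
    {"disk_encrypted": True, "av_running": True, "missing_patches": 0},
)

# First-match rulebase; anything that matches nothing falls to the default deny.
RULES = [
    Rule("mgmt-to-servers", "corp\\management", HIP_CORPORATE, "allow"),
    Rule("ops-to-servers", "corp\\operators", HIP_CORPORATE, "allow"),
    Rule("known-user-web", "known-user", None, "allow"),
]
DEFAULT_RULE = ("default-deny", "deny")


def user_matches(rule: Rule, user: Optional[str]) -> bool:
    """Apply the rule's source-user condition to the mapped user (None = unmapped IP)."""
    if rule.source_user == "any":
        return True
    if user is None:
        return False          # an unmapped IP never satisfies known-user or a group
    if rule.source_user == "known-user":
        return True
    return user in GROUP_MEMBERS.get(rule.source_user, set())


def evaluate(src_ip: str, hip_report: Optional[Dict[str, object]] = None) -> Tuple[str, str]:
    """Return (rule name, action) for a connection from src_ip.

    hip_report is the device's posture report; None means the device supplied
    none (for example no GlobalProtect agent), so rules with a HIP profile are skipped.
    """
    user = USER_ID_MAP.get(src_ip)
    for rule in RULES:
        if not user_matches(rule, user):
            continue
        if rule.hip_profile is not None:
            if hip_report is None or not rule.hip_profile.matches(hip_report):
                continue
        return rule.name, rule.action
    return DEFAULT_RULE


if __name__ == "__main__":
    healthy = {"disk_encrypted": True, "av_running": True, "missing_patches": 0}
    print(evaluate("10.10.1.25", healthy))                                # management, compliant device
    print(evaluate("10.10.1.40", {**healthy, "disk_encrypted": False}))   # operator, non-compliant device
    print(evaluate("10.10.1.99", healthy))                                # no User-ID mapping -> default deny
```

The point worth noticing is the non-compliant operator case: the device fails the HIP-gated rule but still lands on the broader known-user rule, so a HIP profile only restricts what it is attached to. If posture is meant to be mandatory everywhere, every allow rule needs the profile, and the default deny does the rest.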
