12-11-2019 08:31 AM
We would like to use multiple URL's to access our Palo with Multiple LDAP authentication.
portal.company1.com
LDAP1
portal.company2.com
LDAP2
portal.company3.com
LDAP3
We could also do like
C1.company.com
LDAP1
C2company.com
LDAP2
C3company.com
LDAP3
Can anybody guide me to a solution so far support has not been super helpfull.
Another is portal.company
with authentication sequence but that requires more work for the users.
I am a little new to Palo could use help .
12-11-2019 08:46 AM
I'm looking to do something similar. I have 2 Palo's both with a GP gateways setup and I'm thinking of using DNS roundrobin to hit either one of them using a single Portal URL company.domain.
Not sure if this is the best way to do it or not. But basically i want clients to only have to configure 1 Portal URL on the client and then hit either one of my palo's.
12-11-2019 08:51 AM
You really want to do multiple gateways then ? This is sorta the other way around.
12-11-2019 08:56 AM - edited 12-11-2019 08:57 AM
Yes since I have 2 egress points in my network, each one with a Palo. In case of fail over or an outage at one location, i want my users to hit the other Palo and still have access to the network. I was hoping to achieve this by using a DNS entry with 2 ips pointing to each one of my Gateways. which would have the same name of course.
It's mainly going to be used during maintenance windows/outages really. Either Palo can handle all my VPN connections individually but i'm trying to give the highest VPN availability i can.
12-11-2019 09:01 AM
You can do that too. When you use the gateway it allows for that as well as mulitple ip addresses and the client will do the work from there but ... The timeout might be a factor IDk
12-11-2019 09:01 AM
could you explain why you need seperate ldap auths for each company.
could you not just set an authentication order for all your ldap profiles and the user will auth to the correct one.
this will work as a good RR solution but load balancing will not be guaranteed, do you not have a "Gateway" license.
12-11-2019 09:06 AM
Even though we own each company we want them to have that feel.
Each company has its own AD.
I could possibly set an authentication order but than they have to login with like username@ADdomain.local
Also many times we have the same username at both companys.
12-11-2019 09:07 AM
thanks @Mick_Ball I'm going to test it this Friday evening. I'll let you all know if it works out or not!
Thanks
12-11-2019 09:24 AM
sorry i meant auth sequence.
so just add a new portal for each company, this will require an IP address for each one though.
then add LDAP profile to each portal. each portal will then have its own gateway on same ip address.
you can still use auth sequence on a single portal as it will try every ldap server until succesful.
also... ldap failed auth will not loch an account. you do not need to add domain info for this.
12-16-2019 03:28 AM
Hi @Mick_Ball,
Actually he (@ChrisGapske) need to have users typing domain along their username.
As you pointed out Authentication Sequence will try to authenticate a user from top to bottom. This could be a problem if you have exact same usernames in multiple domains.
Starting from 8.1 (or even 8.0 not sure exactly) authentication sequence have option to use the typed domain to determine which profile to use from the list and jump straight to it, instead of going top to bottom.
Use domain to determine authentication profile
Select this option (selected by default) if you want the firewall to match the domain name that a user enters during login with the User Domain
or Kerberos Realm
of an authentication profile associated with the sequence and then use that profile to authenticate the user. The user input that the firewall uses for matching can be the text preceding the username (with a backslash separator) or the text following the username (with a @ separator). If the firewall does not find a match, it tries the authentication profiles in the sequence in top-to-bottom order.
12-16-2019 03:39 AM
yes of course but i think @ChrisGapske was hoping not to have the users adding the domain to the username.
perhaps if users exist on both domains the would have different passwords so authentication sequence would work.
if the passwords for both users were the same then why would that matter... they would still logon.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
