12-10-2019 08:40 AM
I'm moving to LDAP auth with Duo 2FA. We need a better answer than RADIUS as we've found Duo's Authentication Proxy functionally limited and crash-prone. Using Mitch Densley's video guide for PAN-OS 8.x as a starting point, I've gotten my Duo application set up, along with an authentication profile.
However, when I try to create an Authentication Enforcement object, my Duoized authentication profile doesn't appear on the menu (only "None"). If I skip that step momentarily and try to create an authentication policy, I can't select the zone my captive portal interface is in. Can't tell what I'm missing or how my environment differs from the how-to. I'm using PAN-OS 9.0.4 in an HA cluster managed by Panorama.
12-12-2019 05:04 AM
Did you create an object in vsys1 instead of 'shared'?
12-12-2019 01:43 PM
For the Authentication Enforcement Object (Objects > Authentication), I found creating a shared object (one used across all device groups) made the authentication profiles invisible. When I created the AEO in the device group covered by that particular template stack, the profiles were available to select. This occurred because I was using Panorama for device management. I'd have to walk back through the exercise on a stand-alone device to see if there's a similar distinction between the device-level shared context and a specific vsys. (I only have single instances on my firewalls, so nothing really needs to be "shared.") It's not exactly as @reaper suggested, but their suggestion took me to the right place.
I'm skipping the authentication policy step since further reading suggests it may not be needed for GlobalProtect. May have to revisit it after some testing.
So short answer is: Just turn off the "Shared" checkbox when setting authentication enforcement.
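To make the scoping rule above concrete, here is an added example (not code from the thread or from Palo Alto Networks) that walks a constructed, simplified config tree and flags authentication enforcement objects whose authentication profile is not visible from where the object was created. The element names, the template-stack attribute on the device group, and the sample values are all assumptions made for the illustration, not Panorama's real configuration schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a Panorama export. Element names are assumptions chosen to
# mirror the thread: the Duo auth profile lives in a template stack, one AEO sits in
# the device group mapped to that stack, and one AEO was created as "shared".
SAMPLE_CONFIG = """
<config>
  <template-stack name="hq-stack">
    <authentication-profile name="duo-ldap"/>
  </template-stack>
  <device-group name="dg-hq" template-stack="hq-stack">
    <authentication-enforcement name="duo-enforce-dg" profile="duo-ldap"/>
    <authentication-enforcement name="typo-enforce" profile="duo-ldpa"/>
  </device-group>
  <shared>
    <authentication-enforcement name="duo-enforce-shared" profile="duo-ldap"/>
    <authentication-enforcement name="noauth-shared" profile="none"/>
  </shared>
</config>
"""


def check_aeo_scopes(xml_text):
    """Return {AEO name: status}.

    A device-group AEO can only reference profiles defined in the template stack
    that device group is mapped to.  A shared AEO has no template context at all,
    so any profile other than "none" cannot be resolved from that scope.
    """
    root = ET.fromstring(xml_text)
    profiles_by_stack = {
        ts.get("name"): {p.get("name") for p in ts.findall("authentication-profile")}
        for ts in root.findall("template-stack")
    }
    result = {}
    for dg in root.findall("device-group"):
        visible = profiles_by_stack.get(dg.get("template-stack"), set())
        for aeo in dg.findall("authentication-enforcement"):
            prof = aeo.get("profile", "none")
            ok = prof == "none" or prof in visible
            result[aeo.get("name")] = "ok" if ok else f"profile {prof!r} not in stack"
    for aeo in root.findall("shared/authentication-enforcement"):
        prof = aeo.get("profile", "none")
        result[aeo.get("name")] = "ok" if prof == "none" else "shared scope: move AEO into device group"
    return result


if __name__ == "__main__":
    for name, status in check_aeo_scopes(SAMPLE_CONFIG).items():
        print(f"{name}: {status}")
```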