08-04-2017 06:21 AM
Good Morning to All –
Thanks for reading!
I was hoping to get some feedback from the community on how everyone handles outbound web access for their users. I have an Active Directory Domain with about 300 users. We use groups from AD on the Palo device to allow users out to the web and/or external resources.
The problem I have been facing using WMI lookup is that the user is not always identified. Sometimes the user has no authentication events on the DC after the timeout period. This has been really challenging for my users as they are then presented with a block page and then either need to log off then back on or reboot to trigger a new security event to the DCs.
This has also proved to be even more challenging because if you do a RUN AS on a user’s machine say as your Domain Admin or other elevated users their web access now runs as that session till the idle timeout, which is less than ideal.
To overcome these issues, I thought I would set up Kerberos SSO for web access for my users, since the authentication event happens when they open a browser window and/or access a web resource. This has proven to be just as flaky as the WMI setup: sometimes SSO works, sometimes it does not, sometimes I get the Captive Web Portal authentication window when SSO fails, sometimes I get a page that says “err in connection”. It is my understanding that you are supposed to get the CP page when SSO/NTLM (which I don’t have set up) fails? Why am I not seeing the CP page all the time?
I have worked with support on outbound web access before but it seems to be over their heads at times and they don’t understand the results either.
Maybe I am missing something in my config or my environment is unique, but the results I listed above don’t seem like the way the devices should work.
I just really need a way to authenticate users reliably when they want to access the web.
Any suggestions? I am open to anything at this point in time as I have looked at a bunch of different products.
08-04-2017 07:11 AM
Depending on what your pool of devices looks like you could opt for captive portal with NTLM authentication; this would be a transparent re-authentication (but your browsers need to support it).
Additionally, is your environment 'mobile' or fairly static? E.g. do your users move around a lot and change IP? If they remain fairly static to their IP mapping, you could opt to increase the timeout to match a regular working day and only probe every so often, in tandem with a long DHCP lease, to ensure people that log off early are eventually removed from the mapping (and in the meanwhile the DHCP lease prevents accidental remap).
Are your users connected to a mapped drive or anything? You could leverage 'server monitor' for any mapped drives in the agent to also produce IP-user mapping, not requiring an AD login event.
In regards to the 'run as', you can add a list of ignored users to the User-ID agent, so you can ignore any events generated by an admin-type user that's not supposed to be used for browsing and prevent overwriting a legitimate user mapping.
CP pages could fail to load if an SSL page is accessed and you don't have decryption enabled, or a non-web-browser HTTP app is first spamming the firewall with connections (the firewall will try to serve a CP page but the app won't load a custom page, for example) and depletes the maximum retries (OK, this is a bit of a corner case; I'd bet on the SSL decryption first).
08-04-2017 07:59 AM
Thanks for the info Reaper.
I thought that NTLM was not the preferred choice for authentication due to it being a legacy authentication source?
Our browsers should support NTLM (IE and Chrome)
We are pretty mobile; we have users in three buildings that move around all the time, unfortunately, and several conference room computers where this might not work since different users are logging on to these all day long. I could see extending the timeout, though, to a time frame that is more than what I currently have it set to so that they are not being remapped so frequently.
We do use mapped drives; I can try the agent to see if that will work for us also. I have purely been using the WMI feature for now.
OK, I will test the SSL decryption piece also. I am thinking you are probably right, because if I go to cnn.com, which is HTTP, the SSO piece works just fine and no page is presented to me.
08-04-2017 09:25 AM
A more modern method for the single sign on instead of NTLM would be SAML (https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-saml-authen...)
Maybe you already use Microsoft ADFS for some services, so you could easily configure the captive portal also to use SAML.
For the problem with the admin users I recommend, as mentioned by @reaper, using the exclusion user list. There you can also use wildcards, so you don't have to enter every admin user individually.
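The "Run As overwrites the mapping" problem and the ignore-user fix discussed above, as an added illustration that is not part of any reply and is not Palo Alto's agent code: a small model of an IP-to-user mapping table with an idle timeout and a wildcard ignore list, fed with constructed DC logon events. The account names, IP address and the 45-minute timeout are assumptions.

```python
import fnmatch
from dataclasses import dataclass

@dataclass
class Mapping:
    user: str
    last_seen: int  # seconds on a constructed simulation clock

class UserIdTable:
    """Toy IP-to-user table: idle timeout plus a case-insensitive wildcard ignore list."""

    def __init__(self, timeout_s, ignore_patterns=()):
        self.timeout_s = timeout_s
        self.ignore = [p.lower() for p in ignore_patterns]
        self.table = {}  # ip -> Mapping

    def is_ignored(self, user):
        return any(fnmatch.fnmatchcase(user.lower(), p) for p in self.ignore)

    def logon_event(self, ip, user, ts):
        """Apply one logon event; ignored accounts never overwrite an existing mapping."""
        if self.is_ignored(user):
            return False
        self.table[ip] = Mapping(user, ts)  # (re)map the IP and refresh the timer
        return True

    def lookup(self, ip, now):
        # Unknown IP, or a mapping idle past the timeout, yields no user (block page territory)
        m = self.table.get(ip)
        if m is None or now - m.last_seen > self.timeout_s:
            self.table.pop(ip, None)
            return None
        return m.user

# Constructed sample events: (seconds, client IP, account from the DC security log)
EVENTS = [
    (0,   "10.0.1.25", "CORP\\jsmith"),        # the user logs on to the workstation
    (600, "10.0.1.25", "CORP\\adm-helpdesk"),  # an admin does a Run As on the same PC
]

def user_seen_at(ip, now, ignore_patterns=(), timeout_s=45 * 60):
    """Replay the events up to 'now' and report who the firewall would map 'ip' to."""
    table = UserIdTable(timeout_s, ignore_patterns)
    for ts, ev_ip, user in EVENTS:
        if ts <= now:
            table.logon_event(ev_ip, user, ts)
    return table.lookup(ip, now)

if __name__ == "__main__":
    print(user_seen_at("10.0.1.25", 900))                   # admin stole the mapping
    print(user_seen_at("10.0.1.25", 900, ["corp\\adm-*"]))  # ignore list keeps jsmith
    print(user_seen_at("10.0.1.25", 3600, ["corp\\adm-*"])) # idle past timeout: None
```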