We have new requirements to require MFA for administrative access to just about everything, and we have to put them into place in very short order.
“In addition to remote access, multi-factor authentication is required for the following, including such access provided to 3rd party service providers:
1. All internal & remote admin access to directory services (Active Directory, LDAP, etc.).
2. All internal & remote admin access to network backup environments.
3. All internal & remote admin access to network infrastructure (firewalls, routers, switches, etc.).
4. All internal & remote admin access to the organization’s endpoints/servers.”
What I'm trying to do is described pretty well in the document linked below: try to access something, get prompted. I'm trying to do this with Azure AD. From what I understand, browser-based applications can be done with the captive portal and non-browser-based ones can be done with the GlobalProtect app. Is that right? I'm trying to leverage our existing Azure MFA.
Looking at this info:
Thank you for your reply, Steve! I stood up a GlobalProtect gateway. I got MFA auth for establishing the GP connection, but I'm still trying to get challenged for authentication based on the authentication policy. I initially thought HTTP and HTTPS were the captive/authentication portal, but after reading the documents, and in particular the passage you mentioned, I see it referred to the authentication portal, which I'm now trying to stand up.
Should the captive/authentication portal go on the internal interface? I was planning on putting an internal GP gateway there and thought that was going to go on the internal interface, but maybe I need loopbacks or something so there is no conflict. Looking for best practices.
When I get the captive/authentication portal configured, I'll use whatever IP or DNS address is configured there and pair it up with the instructions here: Tutorial: Azure Active Directory integration with Palo Alto Networks Captive Portal | Microsoft Docs
Hopefully I'm on the right track. Thoughts?