03-01-2022 11:24 PM
Hi everybody, I have some questions regarding the GlobalProtect client and a mixed internal/external environment.
We have an internal campus network infrastructure with LAN and WLAN (two different subnets), so a laptop changes its IP address when travelling around the campus, wired or wireless...
So we have installed the GlobalProtect client for internal use without tunnel mode, for User-ID through the Palo Alto firewall for internet access... This seems to work.
But now:
Users want to connect with GlobalProtect from external to the campus network; external access is planned with multi-factor authentication
via a RADIUS config in GlobalProtect.
Now I've tried several things:
2 portal-config setups (internal and external), because we need 2 different connect methods for GlobalProtect,
and 2 gateway-config setups.
Is this setup recommended?
Or what would be best practice?
1 portal and MFA internal + external?
I've seen some strange behaviour with the mixed portal config... sometimes the client does not connect internally when the last connection was external...
Maybe someone can help me...
Regards, Fabian
03-02-2022 10:04 AM - edited 03-02-2022 10:05 AM
Hi @Land-Salzburg ,
This document describes almost exactly what you are trying to do -> https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/globalprotect-quick-configs....
Let me highlight the main points:
You can have the portal and internal gateway authenticate with LDAP and the external gateway authenticates via RADIUS w/MFA. Assuming that the LDAP and RADIUS user/pass is the same, the authentication should be seamless with 1 MFA prompt for the external gateway.
Thanks,
Tom
03-03-2022 12:51 AM - edited 03-03-2022 09:13 AM
Hi Tom, thanks for your answers.
I've already seen this diagram/how-to.
Nevertheless, I have some more questions:
One NGFW, and I've made one portal.
First question: my DNS records (internal and official/external):
should these be the same FQDN?
Next question: different agent configs on the portal configuration?
I've made a screenshot of the current portal config...
With this single portal config the GP client internally says: GlobalProtect portal does not exist... so I need 2 portals, or not?
The gateways are here:
RADIUS and LDAP server use the same user credentials; RADIUS was only configured for MFA.
Maybe you can give me some advice.
Regards, Fabian
03-03-2022 03:41 PM - edited 03-03-2022 04:00 PM
Hi @Land-Salzburg ,
I think I answered all of your questions. 🙂
Thanks,
Tom
03-03-2022 10:08 PM - edited 03-04-2022 06:33 AM
Hi Tom, thanks for your answers.
So I set 2 agent configs on the portal.
I've also made 2 gateways, internal and external.
Now an interesting thing:
Laptop on site on campus: the GlobalProtect client connects to the portal, I enter credentials, and after that it enables and establishes an IPsec tunnel...
And some other problem: RADIUS auth on the gateway without RADIUS auth on the portal does not work; the agent stays disconnected...
It seems the GP agent does not recognize internal use... how can I debug this? What could possibly be wrong?
Regards, Fabian
03-04-2022 07:04 AM
Hi @Land-Salzburg ,
You need to use one GP portal agent config with both the internal and external gateways configured, and the priority of the external gateway should be "Manual only".
Your GP client is always selecting the external gateway because you configured it to do so with the 1st agent config. Multiple agent configs only work if the OS and/or users are different.
With regard to mixed authentication methods for the portal and gateway, I have done that before. What version of PAN-OS do you have? What is your disconnect message?
Thanks,
Tom
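Added example (not Palo Alto Networks code and not from anyone in this thread): a small Python model of how the agent config Tom describes drives the client's gateway choice. The gateway names, reverse-DNS entries and priority strings are constructed assumptions; the internal-host-detection rule (reverse lookup of a configured IP that must return a configured hostname) and the top-down matching of agent configs follow the GlobalProtect behaviour the thread relies on.

```python
"""Simplified model of how a GlobalProtect agent config drives gateway
selection. Added example, not Palo Alto code; all sample values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional
# Internal host detection: the client reverse-resolves this IP and counts as
# "internal" only when the answer is the expected hostname (constructed values).
INTERNAL_HOST_IP = "10.0.0.10"
INTERNAL_HOST_NAME = "gp-detect.campus.example"
PRIORITY_ORDER = ["highest", "high", "medium", "low", "lowest"]  # "manual" is excluded

@dataclass
class Gateway:
    name: str
    external: bool
    priority: str = "highest"   # used for external gateways; "manual" = never auto-selected
@dataclass
class AgentConfig:
    gateways: List[Gateway]
    internal_host_detection: bool = True

def on_internal_network(reverse_dns: Dict[str, str]) -> bool:
    return reverse_dns.get(INTERNAL_HOST_IP) == INTERNAL_HOST_NAME
def select_gateway(configs: List[AgentConfig], reverse_dns: Dict[str, str]) -> Optional[str]:
    """Agent configs match top-down; with user/OS left at 'any' the first one
    always wins, so a second 'internal' config is never reached."""
    cfg = configs[0]
    internal = [g for g in cfg.gateways if not g.external]
    if cfg.internal_host_detection and internal and on_internal_network(reverse_dns):
        return internal[0].name          # on campus: internal gateway, no tunnel
    auto = [g for g in cfg.gateways if g.external and g.priority in PRIORITY_ORDER]
    if not auto:
        return None                      # only "manual" gateways: the user must pick one
    return min(auto, key=lambda g: PRIORITY_ORDER.index(g.priority)).name

ON_CAMPUS = {INTERNAL_HOST_IP: INTERNAL_HOST_NAME}   # constructed reverse-DNS answers
OFF_CAMPUS: Dict[str, str] = {}
# First attempt from the thread: two agent configs, the external one listed first.
TWO_CONFIGS = [
    AgentConfig([Gateway("gw-external", True, "highest")], internal_host_detection=False),
    AgentConfig([Gateway("gw-internal", False)]),
]
# Recommended setup: one config, both gateways, external gateway set to "Manual only".
ONE_CONFIG = [AgentConfig([Gateway("gw-internal", False),
                           Gateway("gw-external", True, "manual")])]

if __name__ == "__main__":
    print(select_gateway(TWO_CONFIGS, ON_CAMPUS))   # gw-external, even on campus
    print(select_gateway(ONE_CONFIG, ON_CAMPUS))    # gw-internal
    print(select_gateway(ONE_CONFIG, OFF_CAMPUS))   # None: manual gateway selection
```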
03-04-2022 07:53 AM
Hi Tom,
thanks for your support... I'm not inconveniencing you, I hope; this seems a difficult topic to me...
Well, maybe my mistake: I thought it needed 2 agent configs on the single portal,
1st config for internal always-on
and
2nd config for external on-demand.
I'll change the single portal --> agent config to 1 config with internal and external gateways set and internal host detection activated...
I wasn't aware of the function portal config --> agent config --> external gateway --> source region any and priority manual setting.
MFA topic:
Current PAN-OS: 10.1.2
Current GPA: 5.2.10
Behaviour: agent connects --> enter user and password --> enter PIN code --> nothing happens... agent keeps trying to connect, but no logging, even in the agent debug log....
Strange...
Regards, Fabian
03-04-2022 07:57 AM
Thanks @Land-Salzburg !
What do the logs say on the MFA side?
03-04-2022 08:22 AM
Hi Tom,
I can deliver the logs on Monday, out of office now...
Regards, Fabian
03-11-2022 01:04 PM
For those who have the same problem:
Portal with 2FA and gateway with 2FA:
If using PAN-OS 10.1.2 >> please upgrade.
PAN-177119 | Fixed an issue with the GlobalProtect gateway where SMS-message-based multi-factor authentication (MFA) did not display a prompt to enter the authentication code.
That fixed my RADIUS troubles on gateway authentication.