Globalprotect-Need use Local database users and PingID for auth(MFA)


L1 Bithead

Hello team,

We have this small database of users for GlobalProtect for our staff; however, we would like to add MFA with PingID. The configuration steps from the vendor always mention LDAP as the authentication server, so our question is: could we use the local database on the PA and not jump to an AD server?

Has anyone had experience with this type of deployment and can provide related feedback?

We know that with DUO or OKTA it cannot be done; their KBs state that it cannot.

cordially

jose

Security Eng Consultant
5 REPLIES

I, too, am interested in setting up MFA that doesn't touch our inside network. I don't understand why it is such a big deal. 1Password, Google, Microsoft... can't we use ANY of those? I have no desire, nor will I ever, to tie my firewall to my internal domain. Ever. We need options.

L7 Applicator

The PingID docs state...

  1. PingFederate authenticates the user’s credentials with the user repository, such as an LDAP server, as first-factor authentication.

I don't see why you cannot add a local users auth profile to the MFA. Or indeed any external auth server...  

Perhaps they assume that, as you are logging into a windoze device, you are already a domain member, so why not use LDAP. If you are not, then use something else as the first factor.

Hi 

The reason for asking is that there is no documented answer covering local database user usage for PingID, like DUO has. We are assuming that we can, but we will need to create a lab and provision a VM (do the whole process to validate whether the local database of users on the PA is feasible or not) to test whether PingID will work with the local DB or not. Anyway, if someone has tried it and it did not work and can tell us first hand, that would be great. If the scenario is not positive, we will need to find another solution without adding an AD piece for such a small population of users.

cordially

jose

Security Eng Consultant

L7 Applicator

I have not tried it, but I can't see why it would fail. There are many MFA solutions available, probably hundreds if you include self-written solutions, so not all scenarios will be scripted. Good luck with your testing...

Thanks, we will try the setup for PingID today. The issue for MFA on PA is that there is a specific number of vendors that can be integrated; not all MFA vendors are supported by PA, like Google Authenticator, etc. I will post the results of the PingID test here anyway. Cheers.

Security Eng Consultant