07-13-2021 10:24 AM
Hello team,
We have this small database of users for GlobalProtect for our staff; however, we would like to add MFA with PingID. The configuration steps from the vendor always mention LDAP as an authentication server, so our question is: could we use the local database from the PA and not jump to an AD server?
Has anyone had experience with this type of deployment who can provide related feedback?
We know that with DUO or OKTA it cannot be done; their KBs state that it cannot.
cordially
jose
07-13-2021 10:32 AM
I, too, am interested in setting up MFA that doesn't touch our inside network. I don't understand why it is such a big deal? 1Password, Google, Microsoft... can't we use ANY of those? I have no desire, nor will I ever want, to tie my firewall to my internal domain. Ever. We need options.
07-13-2021 10:55 PM - edited 07-13-2021 10:56 PM
The pingid docs state...
I don't see why you cannot add a local users auth profile to the MFA. Or indeed any external auth server...
Perhaps they assume that, as you are logging into a windoze device, you are already a domain member, so why not use LDAP. If you are not, then use something else as the first factor.
07-14-2021 09:27 AM - edited 07-14-2021 03:29 PM
Hi
The reason for asking is that there is no documented answer covering local database user usage for PingID, like DUO did. We are assuming that we can, but we will need to create a lab and provision a VM (do the whole process to validate whether the local database of users from the PA is feasible or not) to test whether PingID will work with the local DB or not. Anyway, if someone has tried it and it did not work and can tell us first hand, that would be great. If the scenario is not positive, we will need to find another solution without adding an AD piece for such a small population of users.
cordially
jose
07-15-2021 02:22 AM
I have not tried it, but I can't see why it would fail. There are many MFA solutions available, probably hundreds if you include self-written solutions, so not all scenarios will be scripted. Good luck with your testing...
07-15-2021 10:42 AM
Thanks, we will try the setup for PingID today. The issue for MFA on PA is that there is a specific number of vendors that can be integrated; not all MFA vendors are supported by PA, like Google Authenticator, etc. I will post the results of the PingID test here anyway. Cheers.
10-19-2021 12:51 PM
*ping* did you have any luck?