This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

How to restrict access only to certified devices for users in an AD user group but not a different group

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to restrict access only to certified devices for users in an AD user group but not a different group

skuo2020
L1 Bithead

‎04-28-2021 09:22 AM

LDAP authentication is required for all the users. On top of that, we also want to restrict access to only certified devices for employees (must use company machines) but not contractors (can use private machines). Device certifications are pushed out through GPO to company devices. Employees and contractors belong to different AD user groups. How can it be done?

 

0 Likes Likes
5 REPLIES 5

Sec101
L4 Transporter

‎04-28-2021 02:45 PM

HIP checks is what you need

0 Likes Likes
(1)

skuo2020
L1 Bithead

‎05-04-2021 07:25 AM

If I understand correctly, to use HIP we would have to plant a registry entry to identify those interested machines and then use security policy to control what they are allowed or not allowed to access. GP only collects HIP data but not doing any access controls which is not an ideal solution I am looking for. 

 

Portal allows multiple Client Authentication and multiple Agent. Somewhere in there I believe can do what I am looking for somehow. 

0 Likes Likes
(1)

laurence64
L4 Transporter
In response to skuo2020

‎05-05-2021 02:17 AM

Following on from @Sec101 it is true that GP only collects the HIP data, but that data can then be used in a security policy to allow or deny the traffic based on the information contained within, so for instance in this case I would check for the certificate and put a security policy that allows the traffic for that group including the HIP check in the policy, if the device fails the HIP check the firewall will fall through to a rule underneath that could pick up the remaining users and provide that connectivity.

PCCSA PCNSA PCNSE PCSAE
Mode44 LTD Palo Alto Consultants
0 Likes Likes

Sec101
L4 Transporter

‎05-14-2021 11:48 AM

@laurence64 

 

HIPS have predefined- and some custom checks you can look for on an endpoint.   The firewall will enforce on those HIP checks if you have them in security policy

0 Likes Likes

laurence64
L4 Transporter
In response to Sec101

‎05-18-2021 09:04 AM

Isn't that what I said ?

PCCSA PCNSA PCNSE PCSAE
Mode44 LTD Palo Alto Consultants
0 Likes Likes
  • 3356 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks