10-20-2022 07:04 PM
Hi,
I am trying to set up internal host detection for GlobalProtect within Prisma Access 3.2.
GlobalProtect authentication is using SAML with MFA.
Since the Portal requires a login before internal host detection can take place, how do I stop the MFA prompt from being presented when I am joining my device to the corporate network?
I have this working with my physical PAs by defining LDAP for authentication to the Portal (doesn't present an MFA prompt), and then SAML MFA for Gateway authentication.
How would I do this with Prisma?
So far very unimpressed with Prisma Access functionality in many respects.
11-02-2022 11:50 AM - edited 11-02-2022 12:22 PM
Well, this is a community, and if you have some ideas about Prisma Access improvements, it would be better to suggest them to the vendor, as this helps the rest of us users as well 🙂
About this issue, this sounds more like an Azure AD misconfiguration, so better involve your Microsoft team: they can simply register another application with Azure AD for the Portal, and under Conditional Access policies you can stop the Azure MFA for this application without changing anything for the gateways. Basically you will have one more server and one more authentication profile on the firewall, and one more registered application in Azure AD for the SAML connection that will not require MFA.
Another option is to use an authentication profile pointing to the Cloud Identity Engine, so that the Cloud Identity Engine is the one to start the SAML flow, but I can't say whether this triggers before or after the internal host detection, as I have not tested it myself.
A final option could be to use a RADIUS server as MFA:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension
Maybe also see if disabling "Use Default Browser for SAML Authentication" helps to trigger SAML after the host detection, as that is my final idea.
11-04-2022 06:02 AM - edited 11-04-2022 06:03 AM
Also, I forgot to add that with the Cloud Identity Engine you can use an LDAP sync to the on-prem AD as a workaround, even for cloud-only Prisma Access.
Still, you may want to raise this with support, as even with the workarounds I mentioned that you can try, it is better for the host detection to be triggered before anything else.
If some of my suggestions help you, please Accept the reply as an answer to your question 🙂
11-22-2022 01:10 PM
One option could be to set a longer Portal cookie lifetime to reduce the MFA prompts for Portal authentications.
12-16-2022 10:27 AM
It would be best to configure Conditional Access Policies on Azure to suppress MFA prompts on Prisma Access connections sourced from the Corporate public IP space. This way the behavior is controlled by the IDP team.
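A concrete form of the Conditional Access suggestion above, added here as an illustration (not from the original post or from Palo Alto Networks): the two Microsoft Graph request bodies needed, an IP named location for the corporate egress range and a policy that requires MFA for the Prisma Access SAML application from everywhere except that location, plus a pre-deployment check that the policy really carves the location out. The application ID, CIDR and location ID are placeholders.

```python
import ipaddress

# Constructed placeholders: replace with the object ID of the Prisma Access
# enterprise application in Azure AD and the real corporate public egress range(s).
PRISMA_ACCESS_APP_ID = "00000000-0000-0000-0000-000000000000"
CORPORATE_EGRESS = ["203.0.113.0/24"]  # TEST-NET-3, stands in for the corporate IP space


def ip_named_location(display_name, cidrs):
    """Body for POST /identity/conditionalAccess/namedLocations (Microsoft Graph v1.0)."""
    ranges = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set or typos
        kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
        ranges.append({"@odata.type": f"#microsoft.graph.{kind}", "cidrAddress": str(net)})
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": True,
        "ipRanges": ranges,
    }


def mfa_except_corporate(app_id, location_id):
    """Body for POST /identity/conditionalAccess/policies: require MFA for the
    Prisma Access app from all locations except the corporate egress location.
    Created in report-only mode so the carve-out can be reviewed in sign-in logs first."""
    return {
        "displayName": "Prisma Access: MFA except from corporate egress",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": [app_id]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def carves_out_location(policy, app_id, location_id):
    """Pre-deployment check: MFA is required, the policy is scoped to the given app only,
    and the corporate location is excluded (so on-net Portal logins skip the prompt)."""
    c = policy["conditions"]
    return (
        "mfa" in policy["grantControls"]["builtInControls"]
        and c["applications"]["includeApplications"] == [app_id]
        and location_id in c["locations"].get("excludeLocations", [])
    )
```

The named location must be created first; its returned `id` is what goes into `excludeLocations`, and the policy is switched from report-only to enabled once the sign-in logs confirm on-net Portal logins are matched.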
08-13-2024 10:56 AM
Hi, old thread, but I am curious whether you were able to come up with a solution by adjusting settings on the MS side or in the Portal configuration?
09-06-2024 07:05 AM
One way to tackle this:
* Use certificate-based authentication via pre-logon to authenticate to the Prisma Access Portal on machine startup.
* The internal Gateway authentication method can be None, and you pass the username in the Auth config.