Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About DavidHostetter
About DavidHostetter
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
12-04-2019
6Posts
0Likes
0Solutions
Dec 04, 2019Last Visited
User
Activity
User
Profile
Latest posts by DavidHostetter
| Subject | Views | Posted |
|---|---|---|
| 247 | 12-04-2019 12:44 PM | |
| 1807 | 12-04-2019 07:42 AM | |
| 1961 | 11-27-2019 10:38 AM | |
| 2050 | 11-26-2019 12:42 PM | |
| 2055 | 11-26-2019 12:39 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 1 | |||
| 1 |
User Badges
Public Statistics
| Date Registered | 11-26-2019 09:02 AM |
| Date Last Visited | 12-04-2019 04:29 PM |
| Total Messages Posted | 6 |
12-04-2019
12:44 PM
No, you are correct. I was not thinking clearly before. LDAP isn't quite the same as directly joining the domain with a workstation account and accessing AD directly, but it does work similarly and is more universally compatible. I guess my last remaining question is, why would I have to use both RADIUS, for implementing admin access through AD security group membership, and LDAP, for using AD group membership with user-id ? Why can't either method be used for both? Currently I am assuming that I should drop Kerberos as being redundant (or possibly blocking LDAP/RADIUS when used within an authentication sequence), implement RADIUS for admin access via AD security group and implement LDAP for user-id security group matching. Eventually when I'm done, I'll document it clearly for posterity including the Windows side of things. Where would one submit such documentation?
... View more
12-04-2019
07:42 AM
Sorry, I mistook you. I thought you meant create policies matching AD user, not SG. I understand the user-id process now. I'm still stuck on RADIUS to AD. We have RADIUS to our MFA provider working, but I am still working out certificate issues connecting to AD, I think. I do still have some conceptual areas that are unclear. Reading about authentication sequence, the documentation states that the first authentication method to succeed causes the sequence to complete with a success. No further authentication profiles are used. So if I want to use Kerberos for user ID and then RADIUS to return group membership, that doesn't seem like it works that way. If Kerberos works, the rest of the authentication sequence is not processed. RADIUS alone seems like it would work correctly to authenticate the user and match security group. So the only usefulness of Kerberos with Palo Alto then seems to be for SSO? But this implies that if you did use SSO (requiring Kerberos) you can't then create further policies matching the AD security group instead of the user account. That seems like a needless limitation, if true. Another area that I don't quite understand is that it seems like RADIUS security group matching occurs on the RADIUS server end / AD ? In other words, it seems like one makes NSP policies that match the security group and allow login or not allow and this is what is returned to Palo Alto, not the security group membership? That can't be the case but I don't see how RADIUS passes back the SG membership nor how Palo Alto identifies it and uses it. Maps SG group to Role is what I am assuming. This would be a whole lot easier and more powerful if PanOS could join the domain as a member workstation and directly integrate with AD.
... View more
11-26-2019
12:42 PM
Thank you. Those documents look very helpful, I will read them. "locally define/authz the admins and externally authenticate them." That is it, exactly. We don't want to do that. Yes, we are using 2FA for GP and that is working now, but I want now to restrict GP or at least create differing policies for GP users based on their AD groups.
... View more
11-26-2019
12:39 PM
Thank you Steve, I'm looking at this document on authentication sequence: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configure-an-authentication-profile-and-sequence.html If I don't need SSO, should I only use LDAP and not Kerberos? I believe that Kerberos is a better AD authentication mechanism than LDAP. If authentication sequence has both profiles for Kerberos and also LDAP and these profiles are pointing at the same directory (AD), once Kerberos was passed (valid login) would LDAP again validate the login or is the process "smart" enough to only LDAP only to retrieve details for the Kerberos-authenticated user account? Or am I not understanding this right? I'm trying to follow the above document to use Kerberos for user auth and LDAP to permit that user to have an admin role via security group membership. Thanks again!
... View more
11-26-2019
09:51 AM
Hi! My company is rolling out a small pile of Palo Alto firewall models and I'm trying to learn the nuances and best practices of these devices. Initial implementation and basic functionality has been pretty straightforward. Now we are trying more advanced things. My current issue is user authentication. I have a scenario that I feel must be very common but I can't find any KB, blog or discussions that address this directly. I am surprised that I cannot find any description nor help for this scenario. We have a Windows environment, and on test lab devices have successfully implemented, separately: Kerberos auth to AD to allow us to define AD users as firewall Admins. LDAP auth to AD for user access through Global Protect. RADIUS connectivity to our 2FA provider (used with Global Protect). Now I am wondering if these can be used in combination? Here is our scenario: Windows AD Don't need SSO No NAC or other identity management outside of AD Assume Palo Alto cannot join active directory domain We wish to use AD security groups to control: Firewall admin access Use AD Security Groups with firewall security policies incl. Global Protect Given that, which authentication and user ID method is preferred? My general understanding of Kerberos/LDAP/Radius is: Kerberos - Preferred for secure authentication protocol. Does not handle directory lookups sich as AD groups or user attributes LDAP - User authentication and directory lookup protocol. Allows lookup of AD group and user attribute. RADIUS - user authentication and directory lookup protocol. Allows lookup of AD group and user attribute. More complex configuration than LDAP. Often required for MFA. Any corrections to the above information? Would someone offer their thoughts on pros/cons of using each w/ Palo Alto in my environment of Windows AD? Are there basic best practices here? My main question though is can Kerberos be used for user auth and LDAP used for security group association of the auth'ed user? If so, how? If not, what is the downside of using only LDAP, not Kerberos in an AD only environment? Thanks for any advice offered!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-04-2019
04:29 PM
|
Latest Tags
No tags yet
Latest Blogs
Latest Posts
Copyright 2007 - 2021 - Palo Alto Networks
