Best method to permit SAML auth and Radius for Globalprotect at the same time?


L1 Bithead

Greetings all, I hope you can help me. 

I currently have GlobalProtect set up on a single firewall, both portal and gateway. We're using RADIUS for authentication, and it is working well.


We want to transition to SAML.  For testing purposes, we'd like to have SAML configured for a specific test user (or group), while leaving the current authentication scheme in place. 


Reordering "Client authentication" does not do it: if I put "SAML-GP" in the first position, SAML works, but no one else can authenticate. I'm not sure I understand why the client authentication order can be changed, but that's the behavior I'm getting.

[attached screenshot: mannix_0-1715099765068.png]

I'd RATHER not re-IP everything. I'm thinking that a separate portal with a different public IP is the answer; do I have to add a second gateway, too?

 

I don't THINK I do, if I simply specify the current gateway in the portal config. 

 

Thoughts?  Am I overcomplicating things?

 

Thanks!

Iain

Cyber Elite

If you move SAML to the top then SAML takes precedence because your OS type is "any".

 

You can't use both SAML and RADIUS on same portal/gateway at the same time for different groups of users.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
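The mechanism in the reply above (entries under "Client authentication" are evaluated top down, the first one whose OS filter matches the connecting client wins, and an entry with OS "Any" on top therefore captures every client) as an added model, not Palo Alto Networks code and not anything from this thread. Entry names, profile names and the OS strings are assumed for illustration. It also flags entries that can never be reached, which is the check worth running before reordering the list:

```python
"""Model of how a GlobalProtect portal picks a client-authentication entry.

Added illustration, not Palo Alto Networks code. Assumption: entries are
evaluated top-down and the first entry whose OS filter matches the
connecting client wins, so an OS "Any" entry on top shadows everything
below it. Selection is by client OS, never by user or group. Names below
are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientAuthEntry:
    name: str           # entry name in the portal's client-authentication list
    auth_profile: str   # authentication profile the entry hands the client to
    os: str = "Any"     # "Any" or a specific client OS such as "Windows", "Mac"


def select_auth_profile(entries, client_os):
    """Return the auth profile the first matching entry selects, or None."""
    for entry in entries:
        if entry.os == "Any" or entry.os == client_os:
            return entry.auth_profile
    return None


def shadowed_entries(entries):
    """Names of entries that no client can ever reach given the ordering."""
    seen_any = False
    seen_os = set()
    unreachable = []
    for entry in entries:
        if seen_any or entry.os in seen_os:
            unreachable.append(entry.name)      # an earlier entry always wins
        elif entry.os == "Any":
            seen_any = True                     # everything after this is dead
        else:
            seen_os.add(entry.os)
    return unreachable


def profiles_by_os(entries, client_oses):
    """Which profile each client OS would land on under this ordering."""
    return {os_name: select_auth_profile(entries, os_name) for os_name in client_oses}


# Constructed scenarios (assumed names, not the poster's configuration).
RADIUS_ALL = ClientAuthEntry("radius-all", "RADIUS-GP")            # OS Any
SAML_ALL = ClientAuthEntry("saml-all", "SAML-GP")                  # OS Any
SAML_MAC_PILOT = ClientAuthEntry("saml-pilot", "SAML-GP", os="Mac")

ORIGINAL = [RADIUS_ALL]                    # what the poster runs today
SAML_ON_TOP = [SAML_ALL, RADIUS_ALL]       # the reordering the poster tried
OS_SCOPED_PILOT = [SAML_MAC_PILOT, RADIUS_ALL]  # a per-OS pilot that does not shadow RADIUS

if __name__ == "__main__":
    oses = ["Windows", "Mac", "Linux"]
    for label, cfg in [("original", ORIGINAL), ("saml on top", SAML_ON_TOP),
                       ("os-scoped pilot", OS_SCOPED_PILOT)]:
        print(label, profiles_by_os(cfg, oses), "shadowed:", shadowed_entries(cfg))
```

With SAML "Any" on top, every client OS resolves to SAML-GP and the RADIUS entry is reported as shadowed, which is exactly the symptom in the first post. Restricting the SAML entry to one client OS carves out a pilot without shadowing RADIUS, but only per OS: the list has no notion of user or group, which is why the replies point to a second portal or gateway rather than to reordering.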

L1 Bithead

Thanks very much!  

Can I use a different portal for the initial auth, then continue with my current gateway?

 

Iain

Cyber Elite

Yes you can.

Keep portal as is and set up new gateway.

Using user or group membership point some users to new gateway.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L6 Presenter

@mannix wrote:

We want to transition to SAML. For testing purposes, we'd like to have SAML configured for a specific test user (or group), while leaving the current authentication scheme in place.

We've recently switched to SAML auth for our GP, and we're told that if you use SAML for auth, that is the only auth mechanism that can be used. So no matter how many mechanisms you use in an auth profile, if SAML is there only SAML will be used.

 

Not too sure how accurate that is, but that's what we were told from our SE.

L1 Bithead

What about the inverse: adding a portal, and within that portal, configuring my existing external gateway?

 

I'm trying to create a situation where I can have test users authenticate with SAML/Azure, without impacting our existing users.

 

My thought was to create a second portal, with a different public IP NATed to a loopback, and check "Generate cookie for authentication override" in the authentication portion of the portal config.

 

That way, I can configure portal2 to use SAML, other users will be none the wiser. 

 

What am I missing? I _THINK_ this will work.

Thanks!

Iain
