User ID integration

5. Group to User ID mapping

So the next step in the process of user ID is to configure the group mapping. Because typically, when you configure your policies, you don't create policies for users, you create policies for groups. So you first identify the user based on the user's IP mapping information. This information is correlated with the actual groups they belong to. So in order for us to set up groups, we have to add the LDAP information. So we have to log in. The LDAP is the back-end database for Active Directory and other directory services that keeps information on users, group membership, and other attributes. So in order for us to configure groupmapping, we're going to go to device create the LDAP server, click Add. We're going to call this the ad server. You can check administrative views only if you want to use this for administrator login. But this is going to be used for group mapping. We're going to add the name of the server. You can use SSL if you want.

The type is "active Directory." In the end, you have Active Directory or use Active Directory as a base. That's what we need to find out from the server. The base DN could be the actual root or local or it could be the actual user container. I'm going to use the user container in my case,but you can use the root if you want. So if you go to attribute editors, you will see this distinguished name. So that's the DN. So it's CN equals users by DN. I'm going to set the administrator login so it doesn't require SSL. Click "okay." Then we're going to click "Commit" to commit. I'm going to go back to User Identification group mapping settings. We're going to add I'm going to give it the name server profile, which is the LDAP server we created. The user domain is lab.

Okay, since this is an Active Directory, we're going to leave everything the same click okay.Then we're going to commit to finding out if it works. We're going to go to the group include list. If you see the actual user groups, then you did okay. Now that we have this in place, we want to create some users so we can test different policies. So I'm going to create a couple of groups here on Active Directory and then add those groups into my policy. I want to create a group here called "New Group" and call it Marketing Users. And then I'm going to create another group called Users. For example, I also want to create a couple of users. We can test with marketing market user one and add this user into the group marketing user. And then I'm going to go to my group mapping. I'm going to include those groups in my policy here. I'm going to add the it user included, add it to the included group, and then the marketing user edit. So these groups are now in place. I can use my policy. Bye.

6. Making decisions based on user group membership example

Now that we have group integration, we can now make policies based on group membership. Currently, the firewall is configured to allow everything. We're going to basically make some restrictions. So we're going to create a rule that will restrict SSH access based on group membership. So we're going to say SSH access access deny all. So that's going to be denied for everybody. Add trust to the untrusted service URL. We're going to create a new service called SSH TCP destination port 22 click.Okay, we're going to deny that. Add this rule up on top and then we're going to make exceptions for It users. so its users can SSH. Nobody else can SSH. It makes use of SSH exception source trust user's destination on trust service SSH action. We're going to put this above the SSH denial. So now everybody's been denied SSH access. If you are a member of the Itusers group, you are allowed to SSH. So let's commit to trying that. Let's get started. Display all user IPs and user mappings. So I'm going to log into the Windows machine as the It user. As a result, we are seeing users from 150 different countries. I'm going to go ahead and download Buddy, and I'm going to try to SSH to a system if I am allowed. Okay, so let's log off and log on as a marketing user.

And let's see the session here. So we can see that there is an active session from this IP address ID 905 by using the show session all filter destination port 22. We see here it's matching the rule It user exceptionand it's matching the source user lab It user. So now let's log in as a marketing user and see what happens. I was going to take a minute here, setup the profile, and see if we see this under "Show user IP to user mapping all." Now we see a market user one.I'm going to try to run SSH as a user and I'm not getting anywhere. So let's see that session. There's no active session for disconnection. Display all session filters user lab market. We see a lot of traffic. Destination Port 22 I don't see a session for that, so it killed that session. We can also see this here under the monitor session browser. On 22 we do two ports. We don't see a session. Let's try again. There's no session. So that user is denied. Since now, I have the user's IP mapping,I know where the user is coming from, and I have the group can make restrictions and allow certain things based on group membership.

7. Identifying Users using Captive Portal Redirect Mode

In this lecture we will talk about user identification using a captive portal. User identification using captive portal can be used for authenticating traffic from IP addresses that don't have a user ID attached. It can also be used to authenticate certain areas of the network. For example, you can implement capture portalauthentication for sensitive areas on your network, like HR servers and such. This way, you can guarantee that the actual user that's connecting is the user that should be connecting to those locations. You need to go under device user identification. This is where the captive portal is. Before we get into the captive portal configuration, we need to create an authentication profile to specify which users can authenticate to this captive portal.

We're going to call this captiveportal authentication, and we're going to authenticate against the LDAP server. You can authenticate against local databaseradius, LDAP attack x curves, or any other authentication method. We're going to choose LDAP. We're going to choose the LDAP server that we used under Advanced. You can restrict who can connect to this captive portal. That goes back to the example I was mentioning earlier. You can use the captive portal to restrict access to certain areas of the network. In our case, we're going to go ahead and use all, but you can restrict it to a certain ad group and then click okay. Then we're going to go back to the user identification captive portal and then we're going to enable the captive portal. We're going to choose to specify redirect. You can choose transparent or redirect. In our case, we're going to use redirect. The difference between transparent and transparent is that transparent.

The firewall would masquerade as the destination users trying to access the resource, which basically causes issues because it will not be able to relay that certificate that's on the destination. So if somebody's trying to access www.yahoo.com,traffic will be transparently intercepted and the firewall will actually respond as if it is www.yahoo.com, which triggers an issue with users getting certificate untrusted. Transparent mode can be used, but you should only use this mode in virtual wire or layer two mode. We're going to use rewrite in our file. We're running in layer three, so redirect will work just fine. And we're going to put the redirect hostas the IP address of the inside interface. And then we're going to specify the authentication profile, captive portal authentication that uses the authentication profile that we specified earlier, and then click okay. Now in order for the firewall to intercept traffic and send the user the captive portal, it needs to have the response pages set up in the profile, the management profile. So we need to go to the network and then create a management profile for the trust interface. You're going to specify the ping response page user ID and click OK. And then we're going to go to the interface and associate that management profile to the interface, and finally, we're going to go to policy and set up a captive portal policy.

In our case, we want to use this as an identification of last resort and we're going to choose from a source. So if anybody comes from the trust to the entrust, their source IP address is not associated with a user ID. They're going to get sent to the capture portal. We are going to redirect server Http and Https and then, under action, we're going to specify the web form. The browser challenge The firewall would challenge the device with a browser challenge and this usually works with machines that are members of the domain. If this machine is not a member of the domain, that's not going to work. And then click OK and then commit.

And now we're going to go to the machine that does not have a user identified and open a web browser, try to go to CNN.com and we prompted with the capture photo. We're going to put in the user ID, one password and now we are connected using the captive portal. Let's look at the firewall show user IP to user mapping and we see here it's one user and the IP address is coming from. To make sure that this doesn't impact my existing users that are members of the domain, I'm going to launch the Windows Eight machine, and since this user is part of the domain, they should not get the captive portal. And there you have it. The ad user was not prompted, and the reason why it was not prompted is that the IP address the user is coming from is associated with a user ID. However, that machine that's not a member of the domain was not associated with a user ID. So it got prompted with the username and password.

8. User ID mapping using CaptivePortal in Transparent Mode

In this lecture we see how to configure the Palo Alto firewall in captive portal transparent mode. In virtual wire, captive portal transparent mode can be used. Expanding on our setup, I basically added a Palo Altofirewall in virtual wire mode between the existing Palo Altofirewall and the rest of the network, and the virtual wire would be sitting in the middle of the traffic and be able to do captive portal as well. So we will see how to configure a captive portal in transparent mode. I'm going to go through and set up the network interfaces. I'm going to create the virtual wire. This is going to be the external interface. I'm going to call this. I'm going to add this to a virtual wire and create a new virtual wire. The interface will be inline outside. I need to enable the interface, go to advanced, set the link, and set up ethernet one and two. One is the inline inside, two is the inline inside, inline inside.

And here I'm going to check enable user identification, bring the interface up, and then we're going to go under device authentication profile. So I'm going to create an authentication profile, choose the local database, local database under advanced I'm going to specify all. I'm going to create a user so we can test with local users, database users, and add a test user. Then I'm going to go to the user identification tab, then enable the captive portal. We're going to use the authentication profile after auto that we just created, specify transparent, and click okay. And then under policies, I'm going to go to the capture portal and add this capture portal policy in line inside to inline outside. Action is going to be web form and then I'm going to create a policy, a security policy to allow all traffic, source in line inside, source in line outside, destination in line inside, and destination in line outside. And then action is allowed. So here, when you put the inline inside both zones, that means anything from the inline inside to outside is going to be allowed. From outside to inside is going to be allowed. Then commit. I'm going to go to the machine and I'm going to test accessing the website. So you see, one thing you have to be aware of is the captive portal. The captive portal uses port 60 81. That's the response page is port 60 81. We're going to put the user and there you have it. So transparent mode works in layer two mode and virtual wire can look at the firewall, do showy to user mapping all and we see here that it's coming in from the test user capture portal. We capture this information.

9. Captive Portal using Browser Challenge SSO example

In this lecture we will see how to set up a captive portal using Browser Challenge. The Browser Challenge is technically single sign-on and relies on carbora’s authentication, the device that's trying to access the Internet. If it doesn't have a user map attached to it, it will get sent to the captive portal and get challenged by the cumbrous authentication process. If you are a Windows domain member, part of the cumbrous domain or yield, you will be able to send a ticket into the captive portal and the captive portal will automatically authenticate you. So, for users that are members of the domain, this would be a seamless authentication process.

One key thing that has to be done on the domain controller is to set up an account for the firewall to be able to do captive portal authentication. This is difficult to find in the documentation. It's not very clearly documented on the Palo Alto website. So I'm going to show you guys how to do this. You must first create two user accounts, one for captive portal and one for captive portal. We're going to create a new user in a call, and then we're going to create another account for HTTP. Then on the domain controller, you're going to go to the command prompts and then you're going to create a key file for the firewall to be able to authenticate using Kerberos tickets and send browser challenges using Kerberos tickets. The first key file you're going to create is going to be associated with the user for Http. The second one you're going to create, you're going to associate with the user for https. The commands are as follows KT pass that creates the Kerberos ticket principal http and the fully qualified domain name of the firewall. In our case, here is Panfil local atlas local, the domain name or the real name of your domain.

In my case here, it's laptop local. In upper case, it has to be an uppercase user, a map user. This will map the user we created at pan to the domain name all in caps. Let me increase the size of the screen atlas localallcaps, the domain name ALLCAPS or the real name pass and then the password and then out, which will determine which output file to use. I'm going to go to the C drive and then call this file panfwhastekeyfile phype. This is the principal type. So you're creating a principle to be able to use as a service for authentication. KRB underscore nt underscore principle all caps RC, four Haman t so antenna that generates the Http file Then we're going to create another file for https. All I'm going to change here is the service type. It's going to be https. same information that I'm going to associate with the Https user account that I created. I use the same password. I'm going to call this file panfwhhtps. All our other information is the same and now we're going to go to the Device authentication profile and we need to create two authentication profiles. One for the captive portal HTTPS service and the other one for the captive portal HTTPS. So we're going to create a herecaptive HTTP and select Curburos. Click on the server profile. We're going to add another server profile. We're going to call this Kerberoscaptive and then click Add Server IP Address of the Server and then Port 88, then click OK.

The COVERSE realm is the domain name in all caps, and then we're going to import the key files that we created in the previous step. So I have two keys, one for PANDORA and one for PANDORAS. This is the http service. So we're going to use the HTTP service key tab file. Click "okay." And then under advanced, we're going to select all and then click okay. And then we're going to import the html. Click OK. Under advanced, we're going to choose all and then we're going to create an authentication sequence because if the browser connects using HTTP, it's going to use the captive HTTP. If it connects using Https, it's going to use the captive Https. Click "okay." So one of the issues with HTTPS is that the browser will not send ticket information if the site is not trusted. So we have to create a certificate. So in order for us to create a certificate, we have to go under "certificates." We're going to have to go under certificate. generate a CSR and this CSR has to have the same fully qualified domain name as the pan.

So you want to give it a name, penfwlablocal, and click Generate sign by external authority, then generate and then export that CSR so that you can get it from your internal PKI server. Export it. We're going to open up a notepad. Then I'm going to go to the internal PKIserver and request a certificate, choose advanced certificate request, choose webserver and then paste the CSR downloaded in a base64 encoding and then go to the firewall and click on the certificate and then choose Import. You're going to have to put in the exact certificate name. You don't have to click on a certificate. You can just click to import. It ties it in with the name of the certificate name that you give it and then chooses the certificate file. You also need to trust the root CA.

So we're going to go and download the certificate chain. You need to trust the chain of certificates. So this is the certificate of the root. I only have one level of certification copy to file base 64. We're going to choose a file name for root CA, and then we're going to import this certificate so that the firewall would have the entire shade import root cause and then root CA. So now it has its own certificate and it has the root CA. So we need to create an SSL TLS service profile that we can use with the Captive Portal. Click OK after selecting the certificate pan FW local. The other thing we have to make sure of under setup management is that the hostname pen domain lab local has to match the request that you sent to the Kerberos system.

Then, under service, you must ensure that your NTP server is accurate. Because authentication would fail if your NTP server was five minutes off. Then we're going to go to user identification again. And then under Captive Portal, we're going to enable Captive Portal, choose the SSLprofile we created, and then choose the authentication profile sequence that we created. Captive Sequence and then the redirect host, you need to put the fully qualified domain of the firewall and click OK, then click OK. Also, you have to have a DNS entry in your DNSserver to resolve that name to the firewall IP address. So now that this is done, we need to go under policies, Captive Portal, and then add a policy call. This Captive Portal sequence source is trust, the destination is untrust. And then the service is going to be HTTP and HTTPS. And then the action we're going to specify is the browser challenge, click OK. And then we're going to go and commit. Let's look at the user's IP mapping right now on the firewall. Display all user IP to user mappings. There's a new user map.

So now I'm going to log out of this machine's administrative users and sign in as a different user. I'm going to try it with Internet Explorer. First, open up Internet Explorer and in the background, it is actually negotiating the cur burst ticket. And we should see that an entry is in the user mapping database now. And this entry shows SSO. Clear that entry and try to authenticate using Chrome. Clear user cache all clear user cache MP all show user Trouser mapping, and everything is still connected via SSO. Oh, I'm still on the website. Let me do this again. Okay, let's try from chrome.

I believe Chrome should work, I believe. I’m not sure if Firefox would work and Chrome worked. It's probably cached. Let me go to www.cnn.com/ Let's give Chrome a shot as well. So let's go to the website. Firefox does not work. Chrome works, but Firefox doesn't work. So, Captive Portal, we're using browser challenge validation for users coming in from a machine that's part of the domain because otherwise we won't be able to see the curves correctly and it's not compatible with our browsers. It has certain scenarios that can be useful, like if you want to make sure that the users can log in only on machines that are part of the domain and maybe other scenarios.

Study with ExamSnap to prepare for Palo Alto Networks PCNSE Practice Test Questions and Answers, Study Guide, and a comprehensive Video Training Course. Powered by the popular VCE format, Palo Alto Networks PCNSE Certification Exam Dumps compiled by the industry experts to make sure that you get verified answers. Our Product team ensures that our exams provide Palo Alto Networks PCNSE Practice Test Questions & Exam Dumps that are up-to-date.