Is it possible to have 2 Authentication profiles with Any OS on Global protect portal and gateway?
13749
Created On 01/17/20 23:12 PM - Last Modified 01/24/20 17:30 PM
Question
Is it possible to have 2 Authentication profiles with Any OS on Global protect portal and gateway?
Environment
- Pan-OS
- Panorama
Answer
No, On Global protect portal and gateway Authentication tab, match only base on OS. The client authentication configurations with OS-specific configurations at the top of the list. The portal looks for a match starting from the top of the list. When it finds a match, it delivers the corresponding configuration to the app.
For example:
Auth failed example :
- Two Auth profiles with SAMl and local.
Based on the configuration, Firewall will match the first Any os device and not check the second Authentication.
In order to work this scenario, Change the one of the OS to Mac or any other possible OS device. If the Authentication profile is something other than the SAML, the best way is create the Auth sequence.
Note : Firewall does not support SAML Authentication on Auth Sequence.
Additional Information
https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-portals/define-the-globalprotect-client-authentication-configurations