Parsing credentials from anyconnect through the network.

Heino Human
Level 1

Hi Legends, 

 

I'm a bit stumped and trying to find a solution on parsing credentials when users authenticate via VPN/ISE and then try to access data centre services.

 

Our setup is as follows

 

  1. VPN USER > AnyConnect > FTD at the internet edge
  2. Once the user is authenticated and authorised, they can access internal network services
  3. For services behind our Palo Alto Data Centre Firewall, the VPN user is required to parse their authentication details to access services. Without the username, they cannot access any services. Before the Firepower internet edge firewall, this was possible by using a Palo Alto internet edge firewall. We replaced this a month ago and I have set up the VPN, though users can’t access DC services.

 

We do not want to change this because if we get a ‘man in the middle’ attack, they can replicate the VPN IP Pool and access DC services without a username associated.

 

Do you guys have any idea how we can get VPN users to keep their domain/username when traversing the network? Is it possible for ISE to forward these to the PANs?

 

Any thoughts/ideas will be greatly appreciated. 

Accepted Solution

Marvin Rhoads
Hall of Fame

ISE can pass the username-IP mapping to PANW firewalls via syslog. You then need to allow the USER-ID syslog Listener-UDP service into the PANW mgmt interface (or Panorama if you are using that) and set up a parser to extract the information for use in your PANW identity policy.

See this article for example:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5sCAC
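As an added illustration of the parser step described in the answer above (example code written for this page, not code from the post, from ISE or from PAN-OS): a Python sketch of the field-identifier logic a PAN-OS User-ID syslog parse profile applies, run over constructed ISE-style syslog lines. The event string, the UserName= / Framed-IP-Address= attribute names and the message layout are assumptions; confirm them against your own ISE syslog output before building the real profile.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Constructed ISE-style syslog lines (assumed layout: an event name followed by
# comma-separated key=value attributes). These are NOT real ISE messages.
SAMPLE_SYSLOG = [
    "<182>May 01 10:15:02 ise01 CISE_Passed_Authentications 0000123456 1 0 "
    "NOTICE Passed-Authentication: Authentication succeeded, UserName=CORP\\jdoe, "
    "NAS-IP-Address=10.0.0.5, Framed-IP-Address=10.200.1.17, Protocol=Radius",
    # A failed attempt must never create an identity mapping.
    "<182>May 01 10:15:09 ise01 CISE_Failed_Attempts 0000123457 1 0 "
    "NOTICE Failed-Attempt: Authentication failed, UserName=CORP\\mallory, "
    "NAS-IP-Address=10.0.0.5, Framed-IP-Address=10.200.1.99, Protocol=Radius",
    # A success without a framed address cannot be mapped either.
    "<182>May 01 10:15:11 ise01 CISE_Passed_Authentications 0000123458 1 0 "
    "NOTICE Passed-Authentication: Authentication succeeded, UserName=CORP\\asmith, "
    "NAS-IP-Address=10.0.0.5, Protocol=Radius",
]

@dataclass(frozen=True)
class SyslogParseProfile:
    """Knobs modelled on a PAN-OS syslog parse profile in field-identifier mode."""
    event_string: str        # substring that marks a login event worth mapping
    username_prefix: str     # text immediately before the username
    username_delimiter: str  # text that terminates the username
    address_prefix: str      # text immediately before the client IP
    address_delimiter: str   # text that terminates the client IP

# Assumed ISE attribute names; verify against real ISE syslog before use.
ISE_PROFILE = SyslogParseProfile("Passed-Authentication",
                                 "UserName=", ",", "Framed-IP-Address=", ",")
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

def _field(msg: str, prefix: str, delim: str) -> Optional[str]:
    """Return the text between prefix and the next delimiter, or None."""
    start = msg.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    end = msg.find(delim, start)
    value = msg[start:] if end < 0 else msg[start:end]
    return value.strip() or None

def parse_mapping(msg: str, profile: SyslogParseProfile = ISE_PROFILE) -> Optional[Tuple[str, str]]:
    """Extract (username, ip) from one login message; None if not a mappable event."""
    if profile.event_string not in msg:
        return None
    user = _field(msg, profile.username_prefix, profile.username_delimiter)
    addr = _field(msg, profile.address_prefix, profile.address_delimiter)
    if not user or not addr or not IPV4.match(addr):
        return None
    return user, addr

def build_user_id_table(lines: Iterable[str], profile: SyslogParseProfile = ISE_PROFILE) -> Dict[str, str]:
    """IP -> username table, as the firewall's User-ID cache would hold it."""
    table: Dict[str, str] = {}
    for line in lines:
        mapping = parse_mapping(line, profile)
        if mapping:
            table[mapping[1]] = mapping[0]  # a later login for the same IP overwrites
    return table
```

Only the successful authentication that carries a framed address yields a mapping; the failed attempt and the success without an IP are dropped, which is the property the original poster relies on when tying DC access to an authenticated username.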


Thank you Marvin, very helpful as always.

I have not been able to test it, but from what I have read, it should work perfectly.

The only thing is now, the business has decided to go down Azure AD & MFA.... :) Now my next challenge begins!