Hi Legends,
I'm a bit stumped and trying to find a solution on parsing credentials when users authenticate via VPN/ISE and then trying to access data centre services.
Our setup is as follows
- VPN USER > AnyConnect > FTD at the internet edge
- Once user is authenticated and authorised, they can access internal network services
- For services behind our Palo Alto Data Centre Firewall, the VPN user requires to parse their authentication details to access services. Without the username, they cannot access any services. Before the Firepower internet edge firewall, this was possible by using Palo Alto internet edge firewall. We replaced this a month ago and I have setup the VPN, though users can’t access DC services.
We do not want to change this because if we get a ‘man in the middle’ attack, they can replicate the VPN IP Pool and access DC services without a username associated.
Do you guys have any idea how we can get VPN users keep their domain/username when traversing the network. Is it possible for ISE to forward these to the PANs?
Any thoughts/ideas will be greatly appreciated.
