AnsweredAssumed Answered

PAN GP w/ SecurID and Group Mapping

Question asked by Tim Silverline on Aug 1, 2019

I am trying to integrate a Palo Alto firewall with an on-prem RSA SecurID appliance for Global Protect authentication and access restrictions.

 

I have the authentication working fine for general access, but I am unable to use the user's group memberships to define security policy and allow resource access after the authentication because the user's domain is stripped when authenticating to RSA via RADIUS.

 

This is making it so the user is not associated with any of the domain groups and the group mapping function of the firewall won't work.

 

Is there a way to get RSA to work with Palo Alto in this manner?  I found this article but it appears to only be for allowing/denying authentication based upon group membership and it almost looks like you have to manually configure each user in RSA to return specific group information instead of it being pulled from the AD store.

 

Lastly, has anyone gotten PAN to integrate with RSA using something other than PAP?

Outcomes