Prisma Access Agent
Set Up LDAP Authentication for Prisma Access Agent
Configure LDAP/LDAPS authentication for Prisma Access Agent to enable seamless
authentication using existing directory services and GlobalProtect portal
infrastructure.
Authentication is a critical aspect of securing remote access to your organization's
resources. Prisma Access Agent provides multiple authentication methods to verify
user identities before granting access to protected resources. While Prisma Access
Agent has traditionally relied on Cloud Identity Engine (CIE) for authentication
through SAML and client certificates, many organizations require LDAP/LDAPS
authentication support.
The LDAP authentication capability for Prisma Access Agent enables organizations to
use existing directory services infrastructure integrated with the GlobalProtect™
portal. This integration provides a smooth transition path for you to migrate
existing deployments from GlobalProtect to Prisma Access Agent without having to
reconfigure your authentication methods or adopt new authentication workflows.
When you enable LDAP authentication, Prisma Access Agent communicates with the
GlobalProtect portal for user validation instead of directly connecting to the Cloud
Identity Engine. The agent receives the GlobalProtect portal FQDN from the Prisma
Access Agent management plane, connects to the portal, and presents the user with
credential prompts. Upon successful authentication against your LDAP directory, the
portal grants Prisma Access Agent an authentication override cookie that is
validated by the management plane, which then issues the appropriate access
tokens.
1. Create an LDAP server profile that defines the connection to your directory server. (Skip this step if you have an existing LDAP server profile.)

   When you use LDAP to connect to Active Directory (AD), you must create a separate LDAP server profile for every AD domain.

   1. From Strata Cloud Manager, select Manage > Configuration > NGFW and Prisma Access > Configuration Scope > Access Agent.
   2. Select Identity Services > Authentication.
   3. Select Server Profiles > LDAP.
   4. Click Add LDAP Server Profiles.
   5. Specify the following options:
      - Name—Enter a name for the profile, such as ldap-server-profile.
      - Type—Select active-directory.
      - Base DN—Enter the base DN (Distinguished Name) for the LDAP directory.
      - Bind DN—Enter the bind DN that the authentication service uses to authenticate to the directory on behalf of the gateway.
      - Bind Password and Confirm Bind Password—Enter the authentication credentials for the bind DN.
      - LDAP Server—Enter the name and IP address for the LDAP server. You can configure up to four LDAP servers in a single profile.
      - Require SSL/TLS Secure Connection—Enable this option if you want the endpoint to use SSL or TLS for a more secure connection with the directory server (enabled by default).
      - Verify Server Certificate—Enable this option if you want the endpoint to verify the certificate that the directory server presents for SSL/TLS connections. To enable verification, you must also enable Require SSL/TLS Secure Connection.
   6. Save your LDAP server profile.

2. Create an authentication profile that uses the LDAP server profile. (Skip this step if you already have an authentication profile for LDAP.)

   The authentication profile specifies the server profile that the portal or gateways use when they authenticate users. On a portal or gateway, you can assign one or more authentication profiles to one or more client authentication profiles.

   1. From Strata Cloud Manager, select Manage > Configuration > NGFW and Prisma Access > Configuration Scope > Access Agent.
   2. Select Identity Services > Authentication.
   3. Select Authentication Profiles and click Add Profile.
   4. For Authentication Method, select LDAP.
   5. Select the LDAP Server Profile that you created.
   6. Enter a Profile Name.
   7. Save your authentication profile and push the configuration.

3. Configure user authentication for the GlobalProtect portal.

   1. Select Workflows > Prisma Access Setup > Access Agent > GlobalProtect App.
   2. Click Add Authentication.
   3. For Authentication Method, select LDAP.
   4. To enable users to authenticate to the portal or gateway using their user credentials, select the authentication Profile that you created in the previous step.
   5. For Certificate Authentication:
      - If you want to require users to authenticate to the portal using both user credentials AND a client certificate, select LDAP AND Client Certificate.
      - If you want to enable users to authenticate to the portal or gateway using either user credentials OR a client certificate, select LDAP OR Client Certificate.

      To use certificate authentication, you must first create a certificate profile in Manage > Configuration > NGFW and Prisma Access > Configuration Scope > Access Agent > Objects > Certificate Management.
   6. Save your user authentication settings and push the configuration.

4. Configure Prisma Access Agent to use the GlobalProtect portal for authentication.

   1. Select Workflows > Prisma Access Setup > Access Agent > Prisma Access Agent.
   2. Click Add User Authentication.
   3. For Authentication Type, select Portal Authentication.

      After you select Portal Authentication, the other authentication fields no longer appear, because the GlobalProtect portal handles authentication.

      Ensure that the certificate used to encrypt and decrypt the authentication override cookie is the same across the Prisma Access Agent global app settings, the GlobalProtect portal, and the GlobalProtect gateway.
   4. Save your user authentication settings.

5. Enable the Save user credentials option in the Prisma Access Agent settings. This provides seamless authentication across device states such as sleep-wake cycles, network changes, and system restarts without repeatedly prompting the user for credentials.

   1. Select Workflows > Prisma Access Setup > Access Agent > Prisma Access Agent.
   2. Click Add Agent Settings, or select an existing agent setting that you want to modify.
   3. Configure the agent settings as needed and enable Save user credentials.
   4. Save your user authentication settings.
   5. Push the Prisma Access Agent configuration.

6. Configure the GlobalProtect app settings to generate the cookie for authentication override.

   1. Select Workflows > Prisma Access Setup > Access Agent > GlobalProtect App.
   2. Click Add App Settings, or edit an existing app setting.
   3. In the Authentication Override section, enable Generate cookie for authentication override.

      Don't select any options in the Match Criteria section (for example, a Certificate Profile), because Prisma Access Agent does not currently support GlobalProtect portal requests that involve configuration match criteria.
   4. Save your settings.

7. Configure the authentication override cookie lifetime in the global agent settings.

   1. Select Workflows > Prisma Access Setup > Access Agent > Prisma Access Agent.
   2. Edit the Global Agent Settings.
   3. In Certificate to Encrypt/Decrypt Cookie, ensure that the certificate is the same one used by the GlobalProtect portal and the GlobalProtect gateway.
   4. Configure the Cookie Lifetime to specify the duration for which the cookie is valid.
   5. Save your settings.
   6. Push the Prisma Access Agent configuration.

8. Verify the configuration.

   1. Test authentication from a client device running Prisma Access Agent.

      With this configuration, Prisma Access Agent uses the GlobalProtect portal for LDAP authentication instead of the Cloud Identity Engine (CIE). When a user attempts to connect, the agent prompts for credentials if needed, authenticates with the LDAP server via the GlobalProtect portal, and, upon successful authentication, receives a session token that secures internet and private application traffic.

      When the user clicks Connect in the Prisma Access Agent app, the agent prompts them to enter their credentials. If the user already entered their LDAP credentials at the macOS or Windows login screen, the agent does not prompt them again in the Prisma Access Agent app (provided that the credentials are already saved).
   2. Run the pacli epm status command. The Authentication Type should be LDAP.
   3. Check the logs in the Log Viewer for successful authentication events.
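The two cookie requirements above (one shared certificate across portal, gateway and agent settings, and a bounded Cookie Lifetime) are easiest to reason about with a model of the validation step. The following is an illustrative example added here, not the GlobalProtect cookie format or any Palo Alto Networks code: a symmetric key stands in for the shared certificate, and the validating side rejects a cookie issued under a different key or past its lifetime.

```python
"""Simplified model of an authentication-override cookie (constructed for illustration).

Assumptions: the shared symmetric key models the certificate that the portal,
gateway and Prisma Access Agent global settings must have in common; the
'lifetime_s' argument models the Cookie Lifetime setting. Real cookies are
encrypted with a certificate; this model only shows why the key and the
lifetime matter on the validating side.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes appended to the payload


def _mac(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_override_cookie(portal_key: bytes, username: str,
                          lifetime_s: int, now: Optional[int] = None) -> str:
    """Portal side: bind the user and an expiry to the cookie under the shared key."""
    issued = int(time.time()) if now is None else now
    claims = {"user": username, "iat": issued, "exp": issued + lifetime_s}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload + _mac(portal_key, payload)).decode()


def validate_override_cookie(agent_key: bytes, cookie: str,
                             now: Optional[int] = None) -> Tuple[bool, str]:
    """Validating side: accept only cookies under the same key and inside their lifetime."""
    try:
        token = base64.urlsafe_b64decode(cookie.encode())
    except (ValueError, binascii.Error):
        return False, "malformed"
    if len(token) <= MAC_LEN:
        return False, "malformed"
    payload, mac = token[:-MAC_LEN], token[-MAC_LEN:]
    # A different certificate on the portal than in the agent settings shows up here.
    if not hmac.compare_digest(mac, _mac(agent_key, payload)):
        return False, "key mismatch"
    claims = json.loads(payload)  # payload is authenticated at this point
    current = int(time.time()) if now is None else now
    if current >= claims["exp"]:
        return False, "expired"  # Cookie Lifetime elapsed; user must re-authenticate
    return True, claims["user"]
```

Running the validator with a second key reproduces the failure you would see when the portal and the agent global settings do not share the same certificate.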