Set Up LDAP Authentication for Prisma Access Agent
Configure LDAP/LDAPS authentication for Prisma Access Agent to enable seamless authentication using existing directory services and GlobalProtect portal infrastructure.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • Check the prerequisites for the deployment you're using
  • Minimum required Prisma Access Agent version: 25.3.0.43
  • macOS 14 and later or Windows 10 version 2024 and later desktop devices
  • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
Authentication is a critical aspect of securing remote access to your organization's resources. Prisma Access Agent provides multiple authentication methods to verify user identities before granting access to protected resources. While Prisma Access Agent has traditionally relied on Cloud Identity Engine (CIE) for authentication through SAML and client certificates, many organizations require LDAP/LDAPS authentication support.
The LDAP authentication capability for Prisma Access Agent enables organizations to use existing directory services infrastructure integrated with the GlobalProtect™ portal. This integration provides a smooth transition path for you to migrate existing deployments from GlobalProtect to Prisma Access Agent without having to reconfigure your authentication methods or adopt new authentication workflows.
When you enable LDAP authentication, Prisma Access Agent communicates with the GlobalProtect portal for user validation instead of directly connecting to the Cloud Identity Engine. The agent receives the GlobalProtect portal FQDN from the Prisma Access Agent management plane, connects to the portal, and presents the user with credential prompts. Upon successful authentication against your LDAP directory, the portal grants Prisma Access Agent an authentication override cookie that is validated by the management plane, which then issues the appropriate access tokens.
Before you begin, ensure that you're using a Prisma Access tenant with GlobalProtect configured. If you already configured GlobalProtect to use LDAP authentication, you can skip steps 1 through 3.
  1. Create an LDAP server profile that defines the connection to your directory server. (Skip this step if you have an existing LDAP server profile.)
    When you use LDAP to connect to Active Directory (AD), you must create a separate LDAP server profile for every Active Directory (AD) domain.
    1. From Strata Cloud Manager, select Manage > Configuration > NGFW and Prisma Access > Configuration Scope > Access Agent.
    2. Select Identity Services > Authentication.
    3. Select Server Profiles > LDAP.
    4. Click Add LDAP Server Profiles.
    5. Specify the following options:
      • Name—Enter a name for the profile, such as ldap-server-profile.
      • Type—Select active-directory.
      • Base DN—Enter the base DN (Distinguished Name) for the LDAP directory.
      • Bind DN—Enter the DN of the account that the authentication service uses to bind to the directory.
      • Bind Password and Confirm Bind Password—Enter the authentication credentials.
      • LDAP Server—Enter the name and IP address for the LDAP server. You can configure up to four LDAP servers in a single profile.
      • Require SSL/TLS Secure Connection—Enable this option if you want the endpoint to use SSL or TLS for a more secure connection with the directory server (enabled by default).
      • Verify Server Certificate—Enable this option if you want the endpoint to verify the certificate that the directory server presents for SSL/TLS connections. To enable verification, you must also enable the option to Require SSL/TLS Secure Connection.
    6. Save your LDAP server profile.
  2. Create an authentication profile using the LDAP server profile. (Skip this step if you already have an authentication profile for LDAP.)
    The authentication profile specifies the server profile that the portal or gateways use when they authenticate users. On a portal or gateway, you can assign one or more authentication profiles to one or more client authentication profiles.
    1. From Strata Cloud Manager, select Manage > Configuration > NGFW and Prisma Access > Configuration Scope > Access Agent.
    2. Select Identity Services > Authentication.
    3. Select Authentication Profiles and Add Profile.
    4. For Authentication Method, select LDAP.
    5. Select the LDAP Server Profile that you created.
    6. Enter a Profile Name.
    7. Save your authentication profile and push the configuration.
  3. Configure user authentication for the GlobalProtect portal.
    1. Select Workflows > Prisma Access Setup > Access Agent > GlobalProtect App.
    2. Click Add Authentication.
    3. For Authentication Method, select LDAP.
    4. To enable users to authenticate to the portal or gateway using their user credentials, select the Authentication Profile that you created in the previous step.
    5. For Certificate Authentication:
      • If you want to require users to authenticate to the portal using both user credentials AND a client certificate, select LDAP AND Client Certificate.
      • If you want to enable users to authenticate to the portal or gateway using either user credentials OR a client certificate, select LDAP OR Client Certificate.
      To use certificate authentication, you need to first create a certificate profile in Manage > Configuration > NGFW and Prisma Access > Configuration Scope > Access Agent > Objects > Certificate Management.
    6. Save your user authentication settings and push the configuration.
  4. Configure Prisma Access Agent to use the GlobalProtect portal for authentication.
    1. Select Workflows > Prisma Access Setup > Access Agent > Prisma Access Agent.
    2. Click Add User Authentication.
    3. For Authentication Type, select Portal Authentication.
      After you select Portal Authentication, the other authentication fields will no longer appear since authentication will be handled by the GlobalProtect portal.
      Ensure that the certificate used to encrypt and decrypt the authentication override cookie is the same across the Prisma Access Agent global app settings, GlobalProtect portal, and GlobalProtect gateway.
    4. Save your user authentication settings.
  5. Enable the Save user credentials option in the Prisma Access Agent settings to provide seamless authentication across device states like sleep-wake cycles, network changes, and system restarts without repeatedly prompting the user for credentials.
    1. Select Workflows > Prisma Access Setup > Access Agent > Prisma Access Agent.
    2. Click Add Agent Settings or select an existing agent setting that you want to modify.
    3. Configure the agent settings as needed and enable Save user credentials.
    4. Save your user authentication settings.
  6. Configure the GlobalProtect app settings to generate the cookie for authentication override.
    1. Select Workflows > Prisma Access Setup > Access Agent > GlobalProtect App.
    2. Click Add App Settings or edit an existing app setting.
    3. In the Authentication Override section, enable Generate cookie for authentication override.
      Don't select any options in the Match Criteria section (for example, a Certificate Profile), because Prisma Access Agent does not currently support GlobalProtect portal requests that involve configuration match criteria.
    4. Save your settings.
  7. Configure the authentication override cookie lifetime in the global agent settings.
    1. Select Workflows > Prisma Access Setup > Access Agent > Prisma Access Agent.
    2. Edit the Global Agent Settings.
    3. In Certificate to Encrypt/Decrypt Cookie, ensure that the certificate is the same across the GlobalProtect portal and GlobalProtect gateway.
    4. Configure the Cookie Lifetime to specify the duration for which the cookie is valid.
    5. Save your settings.
  8. Verify the configuration.
    1. Test authentication from a client device running Prisma Access Agent.
      With this configuration, Prisma Access Agent will use the GlobalProtect portal for LDAP authentication instead of the Cloud Identity Engine (CIE). When a user attempts to connect, the agent will prompt for credentials if needed, authenticate with the LDAP server via the GlobalProtect portal, and upon successful authentication, receive a session token to secure internet and private application traffic.
      When the user clicks Connect in the Prisma Access Agent app, the agent prompts them to enter their credentials.
      If the user already entered their LDAP credentials on macOS or the Windows login screen, the agent won’t prompt them to enter their credentials again in the Prisma Access Agent app (provided that the credentials are already saved).
    2. Run the pacli epm status command. The Authentication Type should be LDAP.
    3. Check the logs in the Log Viewer for successful authentication events.
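Step 1 states several constraints on the LDAP server profile that are easy to get wrong when typing values into the form: a profile holds at most four servers, Verify Server Certificate only works when Require SSL/TLS Secure Connection is also enabled, the Base DN and Bind DN must be well-formed distinguished names, and Active Directory needs one profile per domain. The following script is an added example (not Palo Alto Networks code) that models the profile as a plain data structure with field names chosen for this example and checks those constraints before you commit the configuration. The sample profile values and the domain-mismatch heuristic are this example's own assumptions.

```python
"""Sanity-check an LDAP server profile before entering it in Strata Cloud Manager.

Added example, not Palo Alto Networks code. The dataclass fields mirror the
LDAP server profile options described in step 1; the field names themselves
are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass
class LdapServer:
    name: str
    address: str


@dataclass
class LdapServerProfile:
    name: str
    profile_type: str                 # the procedure selects "active-directory"
    base_dn: str
    bind_dn: str
    bind_password: str
    servers: list
    require_ssl: bool = True          # "Require SSL/TLS Secure Connection" (on by default)
    verify_server_cert: bool = False  # "Verify Server Certificate"


def parse_dn(dn: str) -> list:
    """Split 'CN=x,OU=y,DC=example,DC=com' into (ATTR, value) pairs.

    Commas escaped as '\\,' inside a value are kept as part of the value.
    Raises ValueError for an empty or malformed DN.
    """
    if not dn or not dn.strip():
        raise ValueError("empty DN")
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        rdn = rdn.strip()
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr, value = (s.strip() for s in rdn.split("=", 1))
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attr) or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.upper(), value.replace("\\,", ",")))
    return pairs


def domain_components(pairs: list) -> tuple:
    """Return the DC values of a parsed DN, lower-cased, in order."""
    return tuple(value.lower() for attr, value in pairs if attr == "DC")


def validate_profile(profile: LdapServerProfile) -> list:
    """Return a list of 'ERROR: ...' / 'WARN: ...' findings; empty means clean."""
    findings = []
    if not profile.name:
        findings.append("ERROR: profile name is required")
    if not 1 <= len(profile.servers) <= 4:
        findings.append(f"ERROR: {len(profile.servers)} servers configured; "
                        "a profile holds 1 to 4")
    # The page: certificate verification requires the SSL/TLS option too.
    if profile.verify_server_cert and not profile.require_ssl:
        findings.append("ERROR: Verify Server Certificate requires "
                        "Require SSL/TLS Secure Connection to be enabled")
    if not profile.require_ssl:
        findings.append("WARN: SSL/TLS disabled; bind and user credentials "
                        "cross the network unencrypted")
    elif not profile.verify_server_cert:
        findings.append("WARN: server certificate not verified; enable "
                        "Verify Server Certificate to pin the directory's identity")
    if not profile.bind_password:
        findings.append("ERROR: bind password is empty")
    base = bind = []
    try:
        base = parse_dn(profile.base_dn)
    except ValueError as exc:
        findings.append(f"ERROR: Base DN: {exc}")
    try:
        bind = parse_dn(profile.bind_dn)
    except ValueError as exc:
        findings.append(f"ERROR: Bind DN: {exc}")
    # Heuristic (this example's assumption): with one profile per AD domain,
    # the bind account is normally inside the same domain as the Base DN.
    if base and bind and domain_components(base) != domain_components(bind):
        findings.append("WARN: Bind DN domain components differ from Base DN; "
                        "AD needs a separate profile per domain")
    seen = set()
    for server in profile.servers:
        if server.address in seen:
            findings.append(f"WARN: duplicate server address {server.address}")
        seen.add(server.address)
    return findings


# Constructed sample profile (placeholder password, RFC 5737-style addresses).
EXAMPLE_PROFILE = LdapServerProfile(
    name="ldap-server-profile",
    profile_type="active-directory",
    base_dn="DC=example,DC=com",
    bind_dn="CN=svc-prisma-bind,OU=Service Accounts,DC=example,DC=com",
    bind_password="<bind-password-placeholder>",
    servers=[LdapServer("dc1", "192.0.2.11"), LdapServer("dc2", "192.0.2.12")],
    require_ssl=True,
    verify_server_cert=True,
)

if __name__ == "__main__":
    for line in validate_profile(EXAMPLE_PROFILE) or ["OK: no findings"]:
        print(line)
```

Run it once per AD domain you plan to add; anything reported as ERROR corresponds to a value the form will not accept or that the page says is required, while WARN items are choices the procedure allows but that weaken the security of the directory connection.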