In order to register with the LSVPN, each satellite must establish an SSL/TLS connection with the portal. After establishing the connection, the portal authenticates the satellite to ensure that it is authorized to join the LSVPN. After successfully authenticating the satellite, the portal will issue a server certificate for the satellite and push the LSVPN configuration specifying the gateways to which the satellite can connect and the root CA certificate required to establish an SSL connection with the gateways.
There are two ways that the satellite can authenticate to the portal during its initial connection:

Serial number—You can configure the portal with the serial numbers of the satellite firewalls that are authorized to join the LSVPN. During the initial satellite connection to the portal, the satellite presents its serial number to the portal and, if the portal has the serial number in its configuration, the satellite will be successfully authenticated. You add the serial numbers of authorized satellites when you configure the portal. See Configure the Portal.

Username and password—If you would rather provision your satellites without manually entering the serial numbers of the satellites into the portal configuration, you can instead require the satellite administrator to authenticate when establishing the initial connection to the portal. Although the portal will always look for the serial number in the initial request from the satellite, if it cannot identify the serial number, the satellite administrator must provide a username and password to authenticate to the portal. Because the portal will always fall back to this form of authentication, you must create an authentication profile in order to commit the portal configuration. This means you must set up an authentication profile for the portal LSVPN configuration even if you plan to authenticate satellites using the serial number.
The following workflow describes how to set up the portal to authenticate satellites against an existing authentication service. GlobalProtect LSVPN supports external authentication using a local database, LDAP (including Active Directory), Kerberos, TACACS+, or RADIUS.
1. (External authentication only) Create a server profile on the portal.
   The server profile defines how the firewall connects to an external authentication service to validate the authentication credentials that the satellite administrator enters.

2. Create an authentication profile.
   The authentication profile defines which server profile to use to authenticate satellites.
   a. Select Device > Authentication Profile and click Add.
   b. Enter a Name for the profile and then select the authentication Type.
   c. If the Type is an external service, select the Server Profile you created in the previous step. If you added a local user instead, set the Type to Local Database.
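As an added example (constructed for this page, not PAN-OS code and not taken from the product documentation), the following Python models the portal-side decision described in the two authentication methods above and the server-profile/authentication-profile relationship from the workflow: the serial number is checked first, an unrecognised serial falls back to username and password validated through the authentication profile, and a configuration without an authentication profile is refused at commit time. Every class, function, serial number, address and password in it is an assumption; only the local-database backend is modelled, and an external backend would be reached through the server profile.

```python
"""Model of the LSVPN portal's satellite-authentication decision.

Constructed illustration, not PAN-OS code. All names and sample data
are assumptions chosen to mirror the rules in the text.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class ServerProfile:
    """How the firewall reaches an external service (LDAP, RADIUS, ...)."""
    name: str
    service: str      # e.g. "ldap" or "radius" (assumed labels)
    address: str


@dataclass
class AuthenticationProfile:
    """Which backend validates the satellite administrator's credentials."""
    name: str
    auth_type: str                               # "local-database" or an external type
    server_profile: Optional[ServerProfile] = None


@dataclass
class PortalConfig:
    authorized_serials: Set[str] = field(default_factory=set)
    authentication_profile: Optional[AuthenticationProfile] = None


def validate_commit(config: PortalConfig) -> list:
    """Return the errors that would block a commit of this portal config."""
    errors = []
    if config.authentication_profile is None:
        # Required even when every satellite is matched by serial number,
        # because the portal always keeps the credential fallback available.
        errors.append("authentication profile is required for the LSVPN portal")
    else:
        prof = config.authentication_profile
        if prof.auth_type != "local-database" and prof.server_profile is None:
            errors.append(f"authentication profile {prof.name!r} needs a server profile")
    return errors


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed local user database: username -> (salt, PBKDF2 hash).
_SALT = os.urandom(16)
LOCAL_USERS = {"satadmin": (_SALT, _hash_password("correct horse", _SALT))}


def check_credentials(profile: AuthenticationProfile, username: str, password: str) -> bool:
    """Validate credentials against the profile's backend.

    Only the local database is modelled here; an external type would
    contact profile.server_profile.address instead.
    """
    if profile.auth_type == "local-database":
        entry = LOCAL_USERS.get(username)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, _hash_password(password, salt))
    raise NotImplementedError(f"backend {profile.auth_type!r} not modelled")


def authenticate_satellite(config: PortalConfig, serial: str,
                           username: Optional[str] = None,
                           password: Optional[str] = None):
    """Return (authorized, method) for one initial satellite connection.

    The portal always inspects the serial number first; only a serial it
    does not recognise falls through to the username/password path. The
    method string is what a defender would want in the portal's logs.
    """
    if validate_commit(config):
        raise ValueError("portal configuration would not commit")
    if serial in config.authorized_serials:
        return True, "serial-number"
    if username is None or password is None:
        return False, "credentials-required"
    if check_credentials(config.authentication_profile, username, password):
        return True, "username-password"
    return False, "denied"


if __name__ == "__main__":
    cfg = PortalConfig(
        authorized_serials={"001122334455"},          # constructed serial
        authentication_profile=AuthenticationProfile("lsvpn-auth", "local-database"),
    )
    print(authenticate_satellite(cfg, "001122334455"))
    print(authenticate_satellite(cfg, "unknown-serial", "satadmin", "correct horse"))
```

The returned method string distinguishes a satellite admitted by serial number from one admitted by credentials, which is the detail worth keeping in portal logs when reviewing which satellites joined and how.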