Exam PCNSE
Question 231

An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What should the enterprise do to use PAN-OS MFA?

    Correct Answer: B

    To use PAN-OS multi-factor authentication (MFA), the enterprise should create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy. This approach enables the organization to add an additional layer of security through MFA, leveraging the PAN-OS integration directly for enhanced access control to critical infrastructure systems.

Discussion
homersimpson Option: B

FYI in 10.0 onward, "Captive Portal" is now called "Authentication Portal".

JRKhan Option: B

B is correct. Given the authentication using AD is already in place, we can safely assume that LDAP server profile is already in use. The MFA will be used as an additional/second authentication factor. Also, the question refers to PAN-OS MFA so it is again safe to assume it will use PAN-OS directly integrated vendors instead of using one through RADIUS.

jeremykebir

Absolutely right!

TAKUM1y Option: D

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/configure-multi-factor-authentication

Frightened_Acrobat Option: B

B and D are both wrong - Authentication policies reference Authentication Enforcement policies directly, not Authentication profiles. However, if one of them has to be right, it's B. D is less right since RADIUS isn't the only MFA option.

magicbr3

The Captive portal can reference the RADIUS profile and you configure MFA in the captive portal

ericli87

Did anyone see this in the exam?

Pochex Option: B

Answer B. When we use PANOS MFA, the user will first authenticate with the authentication profile configured (Radius, SAML, Kerberos, TACACS+, LDAP), then an additional factor is configured in the same authentication profile; this factor is the MFA which is used by the Captive Portal.

UFanat Option: B

You should create an auth profile and use it in captive portal auth policy.

scally Option: D

To use Multi-Factor Authentication (MFA) for protecting sensitive services and applications, you must configure Captive Portal to display a web form for the first authentication factor and to record Authentication Timestamps. The firewall uses the timestamps to evaluate the timeouts for Authentication Policy rules. To enable additional authentication factors, you can integrate the firewall with MFA vendors through RADIUS or vendor APIs. After evaluating Authentication policy, the firewall evaluates Security policy, so you must configure rules for both policy types.

Marcyy Option: D

D sounds the most correct from this line in the link. To use Multi-Factor Authentication (MFA) for protecting sensitive services and applications, you must configure Captive Portal to display a web form for the first authentication factor and to record Authentication Timestamps. The firewall uses the timestamps to evaluate the timeouts for Authentication Policy rules. To enable additional authentication factors, you can integrate the firewall with MFA vendors through RADIUS or vendor APIs. After evaluating Authentication policy, the firewall evaluates Security policy, so you must configure rules for both policy types.

homersimpson

I think it's B, because with D you are referencing Radius, which doesn't necessarily imply you're using another factor. With B, you might not have had an auth profile already (since you don't need one with user/pwd auth) so you would be creating one, and you would assign another factor in it. FWIW, this question is poorly worded.

GivemeMoney

Radius is one option, not "Thee" option, It's B.

Shenanigans123

I agree with this. Also, D says the Authentication Profile should reference a RADIUS server profile - this would make the primary auth method RADIUS, whereas the question states they want to use AD groups as the primary method, so the profile should use LDAP as the first factor, then add MFA as a second factor. D also does not mention any additional factor. B covers all requirements.

Gngogh

I just want to highlight that you don't have to use LDAP as the first authentication method to be able to retrieve the user groups. In fact, in many deployments the RADIUS server queries the AD server for user authentication. Then the firewall, if properly configured, will do the group mappings. Regardless, I also believe the correct answer is B because, as already mentioned, it covers all use cases.

dgonz Option: B

I think B is closer

Whizdhum Option: D

Answer is D. To use MFA for protecting sensitive information, you must configure an Authentication Portal (Captive Portal) to display a web form. To enable additional factors, you can integrate with MFA vendors through RADIUS or vendor APIs. In most cases, an external service is recommended for the first authentication factor.

Eiffelsturm Option: D

B and C are the same except that B offers more options for the authentication factors in the authentication profile. "Add a RADIUS server profile. This is required if the firewall integrates with an MFA vendor through RADIUS" since D is more granular, I go for D

Gabranch

I feel like RADIUS is the work-around for those MFA solutions that don't natively integrate with PAN-OS. And the question asks about PAN-OS MFA Integration. That's why I think C over B.

gc999 Option: D

Would the keyword here be "PAN-OS MFA"? I see the word from the following URL: "For remote user authentication to GlobalProtect portals or gateways or for administrator authentication to the PAN-OS or Panorama web interface, you can only use MFA vendors supported through RADIUS or SAML" https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/configure-multi-factor-authentication#:~:text=you%20can%20only%20use%20MFA%20vendors%20supported%20through%20RADIUS%20or%20SAML

josephrahul Option: D

Option D To use Multi-Factor Authentication (MFA) for protecting sensitive services and applications, you must configure Authentication Portal to display a web form for the first authentication factor and to record Authentication Timestamps. The firewall uses the timestamps to evaluate the timeouts for Authentication Policy rules. To enable additional authentication factors, you can integrate the firewall with MFA vendors through RADIUS or vendor APIs.

Techn Option: D

For end-user authentication via the Authentication policy, the firewall directly integrates with several MFA platforms (such as Duo v2, Okta Adaptive, PingID, and RSA SecurID) and integrates through RADIUS with other MFA platforms.

mohr22 Option: D

D To use Multi-Factor Authentication (MFA) for protecting sensitive services and applications, you must configure Authentication Portal to display a web form for the first authentication factor and to record Authentication Timestamps. The firewall uses the timestamps to evaluate the timeouts for Authentication Policy rules. To enable additional authentication factors, you can integrate the firewall with MFA vendors through RADIUS or vendor APIs.