article GlobalProtect: Authentication Policy with MFA in GlobalProtect Articles

GlobalProtect: Authentication Policy with MFA

SpencerMitchell — Tue, 12 Jul 2022 06:30:34 GMT

Learn more about to configure Authentication Policy with MFA to provide elevated access for both HTTP and non-HTTP traffic to specific sensitive resources.

Re: GlobalProtect: Authentication Policy with MFA

DLONGPRÉ — Tue, 25 Aug 2020 18:19:04 GMT

Is it working with SAML + Azure MFA ?

Re: GlobalProtect: Authentication Policy with MFA

CEkanayake2 — Thu, 19 Nov 2020 12:23:05 GMT

@DLONGPRÉ It works great with Azure AD SAML authentication and MFA is prompted in Azure login. No need for any additional configuration specific to MFA.

Re: GlobalProtect: Authentication Policy with MFA

mlinsemier — Tue, 23 Mar 2021 20:02:15 GMT

I currently have pre-login working with SSO + SAML with Azure MFA... the issue that I see is that when a user stays logged in for a time greater than their time required to reauthenticate via MFA, the machine is stuck in a limbo state during this time. Has anyone else experienced this and does anyone know of a workaround?

Re: GlobalProtect: Authentication Policy with MFA

Someonesomeone — Fri, 18 Jun 2021 19:44:41 GMT

@DLONGPRÉ @CEkanayake2 Are you currently using Azure MFA, Authentication Policy and GlobalProtect? If so, can you help me out? Trying to use this to restrict administrative access to resources to comply with new requirements and I'm having a difficult time.

Re: GlobalProtect: Authentication Policy with MFA

Brooks_Hassinger — Tue, 12 Jul 2022 21:12:36 GMT

Is there a way to make this work where the user only receives an MFA push notification directly to their phone when they hit a Security Authentication policy? I want to use this with user-certificate authentication. My ideal workflow would be as follows:
1. With prelogon configured, the user authenticates with their user certificate (not machine), and by the time they're done signing into their laptop, they are authenticated to Globalprotect. This allows us to have usernames in the traffic logs, and formulate security policies (eg for Internet) with Security Profile Groups attached to them for L7 protection. As a fallback, SAML auth profile is configured, and if a user has an issue with their certificate they receive a SAML login prompt.

Step 1 works absolutely perfectly. Anyone that just needs to use the internet never has to think about the VPN, they're always connected and protected by the Security Group profile that is configured.

2. When the user tries to access an internal resource in the network, (hitting a security authentication policy), they receive an MFA push to their company-issued phone. After they acknowledge the challenge, they are free to access internal resources for x amount of hours.

is this a technically possible solution?

Re: GlobalProtect: Authentication Policy with MFA

SpencerMitchell — Thu, 14 Jul 2022 23:51:17 GMT

@Brooks_Hassinger it should be possible. The MFA push is performed separately based on the auth profile applied to the auth policy, which is separate from the GP authentication process.