<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Enable DUO for GlobalProtect in GlobalProtect Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/enable-duo-for-globalprotect/m-p/430633#M1677</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I am looking into enabling DUO for GlobalProtect. I am aware that DUO and Palo Alto support three ways to enable MFA:&lt;/P&gt;&lt;P&gt;DUO's RADIUS proxy server&lt;/P&gt;&lt;P&gt;DUO Access Gateway (DAG)&lt;/P&gt;&lt;P&gt;SAML (e.g., Azure, Okta)&lt;/P&gt;&lt;P&gt;I tried all 3 of them, and I am leaning more towards SAML since it's just easier and supports the DUO prompts. I have a few questions and I was hoping someone could guide me:&lt;/P&gt;&lt;P&gt;1-Whenever I try to authenticate with either method above, I get prompted for DUO twice, one for the portal, and one for the gateway (which makes sense). Is there a way to get around this without using cookies?&lt;/P&gt;&lt;P&gt;2-Assuming that cookies are required for question 1, is it ok to use the same certificate to encrypt/decrypt cookies, and also install the certificate along with the private key on the client? Unfortunately we don't have a way of pushing the certs to endpoints, so I have to rely on the firewall doing the installation. I am going to assume yes since it should be the same? Any security risk associated?&lt;/P&gt;&lt;P&gt;3-If I have to use cookies + certificate, is it ok to simply use a self-signed Root CA for this? Or should it be the root + intermediate + client cert, and use the client cert to install on the device, and the root cert to do the encryption/decryption?&lt;/P&gt;&lt;P&gt;Any help on this will be greatly appreciated.&lt;/P&gt;&lt;P&gt;Thank you in advance!&lt;/P&gt;</description>
    <pubDate>Tue, 31 Aug 2021 23:35:54 GMT</pubDate>
    <dc:creator>rt_2018</dc:creator>
    <dc:date>2021-08-31T23:35:54Z</dc:date>
    <item>
      <title>Enable DUO for GlobalProtect</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/enable-duo-for-globalprotect/m-p/430633#M1677</link>
      <pubDate>Tue, 31 Aug 2021 23:35:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/enable-duo-for-globalprotect/m-p/430633#M1677</guid>
      <dc:creator>rt_2018</dc:creator>
      <dc:date>2021-08-31T23:35:54Z</dc:date>
    </item>
  </channel>
</rss>

