https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-mfa-with-kerberos-and-rsa/m-p/470647#M2545 <P>Hello everyone, Palo Alto noobie here <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>I am trying to configure GlobalProtect VPN with MFA authentication using Kerberos authentication protocol against AD and RSA hard tokens.<BR />I have configured the GlobalProtect portal and gateway using different loopbacks. For the portal authentication I am using only Kerberos while for the gateway authentication I intent to use MFA (Kerberos + RSA)</P><P>In order to configure MFA for the VPN gateway I did the following:</P><P>1. Created MFA server Profile with MFA Vendor: RSA SecurID Access</P><P>2. Linked the MFA server profile to the Authentication profile: Authentication: Kerberos Server profile, Factors: MFA server profile</P><P>3. Enabled Captive Profile with the authentication profile described above, and redirect host uses the same loopback as&nbsp;GlobalProtect portal.</P><P>4. Created interface management with response pages and user-ID</P><P>5. Linked&nbsp;interface management profile with the loopback used for&nbsp;GlobalProtect portal and captive portal</P><P>6. In the zone where&nbsp;GlobalProtect portal and captive portal are assigned, User_ID is enabled</P><P>7. Created new Autentication object: Authentcation Method:web-form Authentication Profile: one created in bullet 2</P><P>8. Created Authentication Policy: defining just source and destination zone, leaving service to any and assigning authentication enforcement to the one created in bullet 8.</P><P>9. Under GlobalProtect portal Configuration for the authentication using kerberos profile</P><P>10. Under GlobalProtect Portal Configuration under agent config:</P><P>- authentication: components that require 2FA: internal gw and external gw are checked</P><P>-app: Use SSO (win): NO,</P><P>-app: Enable inbound authentication prompts from MFA gw: YES</P><P>-app: Trusted MFA GW: IP of the RSA server</P><P>&nbsp;</P><P>After installing the GlobalProtect client from the&nbsp;Configuration Portal the situation is following:</P><P>- after entering the&nbsp;&nbsp;Configuration Portal IP I am prompted to logon</P><P>- after the portal logon is successful I am prompted to authenticate on the&nbsp;Configuration Portal gateway after entering the username and password I am connected. No prompts for the second factor authentication and no captive portal is opening but it's connecting successfully.&nbsp;</P><P>What am I doing wrong?</P><P>Anyone had the similar issue?</P><P>Any advice would be highly appreciated.</P><P>Thanks</P> Sat, 05 Mar 2022 02:43:26 GMT netgirl 2022-03-05T02:43:26Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-mfa-with-kerberos-and-rsa/m-p/470647#M2545 <P>Hello everyone, Palo Alto noobie here <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>I am trying to configure GlobalProtect VPN with MFA authentication using Kerberos authentication protocol against AD and RSA hard tokens.<BR />I have configured the GlobalProtect portal and gateway using different loopbacks. For the portal authentication I am using only Kerberos while for the gateway authentication I intent to use MFA (Kerberos + RSA)</P><P>In order to configure MFA for the VPN gateway I did the following:</P><P>1. Created MFA server Profile with MFA Vendor: RSA SecurID Access</P><P>2. Linked the MFA server profile to the Authentication profile: Authentication: Kerberos Server profile, Factors: MFA server profile</P><P>3. Enabled Captive Profile with the authentication profile described above, and redirect host uses the same loopback as&nbsp;GlobalProtect portal.</P><P>4. Created interface management with response pages and user-ID</P><P>5. Linked&nbsp;interface management profile with the loopback used for&nbsp;GlobalProtect portal and captive portal</P><P>6. In the zone where&nbsp;GlobalProtect portal and captive portal are assigned, User_ID is enabled</P><P>7. Created new Autentication object: Authentcation Method:web-form Authentication Profile: one created in bullet 2</P><P>8. Created Authentication Policy: defining just source and destination zone, leaving service to any and assigning authentication enforcement to the one created in bullet 8.</P><P>9. Under GlobalProtect portal Configuration for the authentication using kerberos profile</P><P>10. Under GlobalProtect Portal Configuration under agent config:</P><P>- authentication: components that require 2FA: internal gw and external gw are checked</P><P>-app: Use SSO (win): NO,</P><P>-app: Enable inbound authentication prompts from MFA gw: YES</P><P>-app: Trusted MFA GW: IP of the RSA server</P><P>&nbsp;</P><P>After installing the GlobalProtect client from the&nbsp;Configuration Portal the situation is following:</P><P>- after entering the&nbsp;&nbsp;Configuration Portal IP I am prompted to logon</P><P>- after the portal logon is successful I am prompted to authenticate on the&nbsp;Configuration Portal gateway after entering the username and password I am connected. No prompts for the second factor authentication and no captive portal is opening but it's connecting successfully.&nbsp;</P><P>What am I doing wrong?</P><P>Anyone had the similar issue?</P><P>Any advice would be highly appreciated.</P><P>Thanks</P> Sat, 05 Mar 2022 02:43:26 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-mfa-with-kerberos-and-rsa/m-p/470647#M2545 netgirl 2022-03-05T02:43:26Z