https://live.paloaltonetworks.com/t5/globalprotect-discussions/2fa-for-sslvpn-user/m-p/345315#M360 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/96633">@rdonohoe23</a>&nbsp;Hi Rob,</P><P>&nbsp;</P><P>Please share the solution guide.</P> Tue, 25 Aug 2020 07:10:13 GMT OsamaKhan 2020-08-25T07:10:13Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/2fa-for-sslvpn-user/m-p/345137#M354 <P>Hi Guys,</P><P>&nbsp;</P><P>I want to achieve 2FA for SSLVPN user, for 2FA the vendor is SafeNet.</P><P>Does Palo Alto supports SafeNet for 2FA and if does how can we Configure it.</P><P>&nbsp;</P><P>Many thanks in advance.&nbsp;</P><P>&nbsp;</P><P>Regards,</P><P>Osama.</P> Mon, 24 Aug 2020 08:09:35 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/2fa-for-sslvpn-user/m-p/345137#M354 OsamaKhan 2020-08-24T08:09:35Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/2fa-for-sslvpn-user/m-p/345144#M355 <P>HI Mate,&nbsp;</P><P>I hope you are well. SafeNet works well with globalprotect. We can use it via SAML or RADIUS. I use it for RADIUS in a lab to demonstrate the integration.&nbsp;</P><P>I use the RADIUS method, I will upload a solutions guide for same asap.&nbsp;</P><P>cheers</P><P>Rob&nbsp;</P> Mon, 24 Aug 2020 08:51:58 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/2fa-for-sslvpn-user/m-p/345144#M355 rdonohoe23 2020-08-24T08:51:58Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/2fa-for-sslvpn-user/m-p/345183#M356 <P>HI&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/96633">@rdonohoe23</a>&nbsp;&nbsp;</P><P>&nbsp;</P><P>I am also using Radius for authentication please send the solution guide.</P> Mon, 24 Aug 2020 13:16:32 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/2fa-for-sslvpn-user/m-p/345183#M356 OsamaKhan 2020-08-24T13:16:32Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/2fa-for-sslvpn-user/m-p/345315#M360 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/96633">@rdonohoe23</a>&nbsp;Hi Rob,</P><P>&nbsp;</P><P>Please share the solution guide.</P> Tue, 25 Aug 2020 07:10:13 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/2fa-for-sslvpn-user/m-p/345315#M360 OsamaKhan 2020-08-25T07:10:13Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/2fa-for-sslvpn-user/m-p/351345#M434 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/116059">@OsamaKhan</a>&nbsp;wrote:<BR /><P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/96633">@rdonohoe23</a>&nbsp;Hi Rob,&nbsp;<FONT size="1 2 3 4 5 6 7" color="#800000"><A title="TellDunkin" href="https://www.telldunkin.me/" target="_blank" rel="noopener"><FONT color="#800000">TellDunkin</FONT></A></FONT></P><P>&nbsp;</P><P>Please share the solution guide.</P><HR /></BLOCKQUOTE><P>Thank you for sharing your knowledge.</P> Wed, 23 Sep 2020 05:55:35 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/2fa-for-sslvpn-user/m-p/351345#M434 CrazyPiglet 2020-09-23T05:55:35Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/2fa-for-sslvpn-user/m-p/351398#M436 <P>&nbsp;</P><P>Hi Team,&nbsp;</P><P>Apologies about the delay, and thanks for the reminder email. Some screenshots from a lab environment. It is used to authenticate an administrator in this example, but can be just as easy to reference the radius authentication profile in GP configs. The screenshots best read from the bottom up <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> whatever way they pasted in.&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="token-policies.PNG" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27879i07DD5FEB3EBFE183/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="token-policies.PNG" alt="token-policies.PNG" /></span></P><P>I have biometric checkbox checked here. Means if phone has biometric, the tokens will have option to use that also. Enabled in a home lab environment. Biometric authentication should be researched when considering as an authentication method in production.&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="administrator.PNG" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27877iD8A9F72CDB98F19A/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="administrator.PNG" alt="administrator.PNG" /></span></P><P>that's the administrator we will authenticate using the radius authentication profile.&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="radius-server-profile.PNG" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27878i26A20AC3CEC4EC30/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="radius-server-profile.PNG" alt="radius-server-profile.PNG" /></span></P><P>the above is the radius authentication profile.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="traffic-log.PNG" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27880i062D8BC14D9A08B5/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="traffic-log.PNG" alt="traffic-log.PNG" /></span></P><P>We will want to see these logs, and have rules for same. The default interface this traffic will use is the mgt interface. I have a set service route to use a LAN internal interface as service route.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thales-radius-autnode.PNG" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27881iBB45C064BF832324/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="thales-radius-autnode.PNG" alt="thales-radius-autnode.PNG" /></span></P><P>STA auth node set up is above.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="radius-palo.PNG" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27882i2BD355CF010063E3/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="radius-palo.PNG" alt="radius-palo.PNG" /></span></P><P>&nbsp;</P><P>the above is the radius server profile.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="user-store.PNG" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27884iCD57C29D27567310/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="user-store.PNG" alt="user-store.PNG" /></span></P><P>these are local test users on the STA</P><P>&nbsp;</P><P>best regards</P><P>&nbsp;</P><P>Rob&nbsp;</P> Wed, 23 Sep 2020 09:54:37 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/2fa-for-sslvpn-user/m-p/351398#M436 rdonohoe23 2020-09-23T09:54:37Z