topic Radius + RSA SecurID on premises in GlobalProtect Discussions https://live.paloaltonetworks.com/t5/globalprotect-discussions/radius-rsa-securid-on-premises/m-p/562115#M4521 <P>Hello Folkes,</P> <P>&nbsp;</P> <P>I am demoing a PA-1410 and am having a use case problem.</P> <P>&nbsp;</P> <P>We currently use Pulse Secure VPN concentrators, and are looking for an alternative due to past security issues..</P> <P>&nbsp;</P> <P>The Pulse concentrator works to allow us to:</P> <P>&nbsp;</P> <P>- Login w/ Radius Username + Password</P> <P>- Then get a secondary MFA login to authenticate against an RSA ACE server for our second factor.</P> <P>- This setup allows the Pulse concentrator to broker both pieces of the auth process.</P> <P>&nbsp;</P> <P>The Palo device appears to not support on-premises MFA for SecurID, only cloud based.</P> <P>&nbsp;</P> <P>The person who administers the RSA SecurID server tells me that if he enables the radius server on the RSA application, then all connections that authenticate through that server will require two factor. (It is an all or nothing approach)</P> <P>&nbsp;</P> <P>Our environment requires that we have classes of authentication. We want certain external connected type devices to require two factor (The VPN concentrators would be one) and with internal connections we want to authenticate against the radius server only.</P> <P>&nbsp;</P> <P>I think that I can configure free-radius to do this with a proxied connection to the RSA server with certain auth groups, but I'm not sure. The documentation on this is rather weak.</P> <P>&nbsp;</P> <P>Does anyone have any experience with this problem space? &nbsp;Can you point me to some documentation?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Paul Diggins</P> <P>&nbsp;</P> Tue, 17 Oct 2023 17:02:32 GMT pbdiggins 2023-10-17T17:02:32Z Radius + RSA SecurID on premises https://live.paloaltonetworks.com/t5/globalprotect-discussions/radius-rsa-securid-on-premises/m-p/562115#M4521 <P>Hello Folkes,</P> <P>&nbsp;</P> <P>I am demoing a PA-1410 and am having a use case problem.</P> <P>&nbsp;</P> <P>We currently use Pulse Secure VPN concentrators, and are looking for an alternative due to past security issues..</P> <P>&nbsp;</P> <P>The Pulse concentrator works to allow us to:</P> <P>&nbsp;</P> <P>- Login w/ Radius Username + Password</P> <P>- Then get a secondary MFA login to authenticate against an RSA ACE server for our second factor.</P> <P>- This setup allows the Pulse concentrator to broker both pieces of the auth process.</P> <P>&nbsp;</P> <P>The Palo device appears to not support on-premises MFA for SecurID, only cloud based.</P> <P>&nbsp;</P> <P>The person who administers the RSA SecurID server tells me that if he enables the radius server on the RSA application, then all connections that authenticate through that server will require two factor. (It is an all or nothing approach)</P> <P>&nbsp;</P> <P>Our environment requires that we have classes of authentication. We want certain external connected type devices to require two factor (The VPN concentrators would be one) and with internal connections we want to authenticate against the radius server only.</P> <P>&nbsp;</P> <P>I think that I can configure free-radius to do this with a proxied connection to the RSA server with certain auth groups, but I'm not sure. The documentation on this is rather weak.</P> <P>&nbsp;</P> <P>Does anyone have any experience with this problem space? &nbsp;Can you point me to some documentation?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Paul Diggins</P> <P>&nbsp;</P> Tue, 17 Oct 2023 17:02:32 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/radius-rsa-securid-on-premises/m-p/562115#M4521 pbdiggins 2023-10-17T17:02:32Z