topic Re: On demand GP MFA with manage engine identity 360 and NPS server in GlobalProtect Discussions

On demand GP MFA with manage engine identity 360 and NPS server

K.Mishra548222 — Tue, 07 Oct 2025 06:33:06 GMT

The current setup for User VPN Connection requires users to log in using their email address as the username and OTP from google authenticator as the password.

For VPN Client Verification, we would like to update the configuration to include password-based authentication for each user.

Example: User logs in with their email address (username) and password.
After successful authentication, the user is then prompted to enter the OTP code received via the authenticator app
User is created on identity 360 and its client upload on NPS sever and radius server and authentication profile is configured on GP.
How I achieve Username + password + OTP
currently Username + OTP only

Re: On demand GP MFA with manage engine identity 360 and NPS server

JayGolf — Fri, 10 Oct 2025 04:45:17 GMT

Hi @K.Mishra548222 ,

Currently, users log in to GlobalProtect using username + OTP, and you’d like to move to username + password, followed by OTP.

To achieve this, you’ll need to add password validation on the NPS server before the OTP challenge. The NPS server will handle both the username/password verification and the OTP challenge, while the Palo Alto firewall simply points to the NPS server via the server profiles you create and attach to the GP portal/gw, and forwards the authentication requests.

Make sure your NPS server or RADIUS plugin supports multi-factor (password + OTP) authentication, such as the Google Authenticator RADIUS plugin or a similar MFA extension.