https://live.paloaltonetworks.com/t5/general-topics/global-protect-mfa-with-google-authenticator/m-p/549467#M112119 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/287184">@SandipKumbhar</a> ,</P> <P>&nbsp;</P> <P>PAN-OS does not support Google MFA natively -&gt; <A href="https://docs.paloaltonetworks.com/compatibility-matrix/mfa-vendor-support/mfa-vendor-support-table#id17CBB0W095Z" target="_blank">https://docs.paloaltonetworks.com/compatibility-matrix/mfa-vendor-support/mfa-vendor-support-table#id17CBB0W095Z</A>.</P> <P>&nbsp;</P> <P>One solution that you can use is a RADIUS server that supports both LDAP and Google TOTP, e.g. <A href="https://sysopstechnix.com/enable-2fa-on-freeradius-with-openldap-users/" target="_blank">https://sysopstechnix.com/enable-2fa-on-freeradius-with-openldap-users/</A>.&nbsp; I just Googled that one.&nbsp; I have not used it.</P> <P>&nbsp;</P> <P>On the NGFW, all you do is configure the RADIUS server for GlobalProtect.&nbsp; Check out the diagram in the 2nd URL.&nbsp; If you do not want users to get prompted twice for MFA (portal and gateway), you can (1) enable authentication cookies or (2) use RADIUS for the portal and LDAP for your gateway.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 17 Jul 2023 01:49:16 GMT TomYoung 2023-07-17T01:49:16Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-mfa-with-google-authenticator/m-p/549370#M112094 <P>Dear Team,&nbsp;</P> <P>&nbsp;</P> <P>Please help me understand can we configure TOTP Google Authenticator(Free) for Global Project VPN users&nbsp;</P> <P>we have configured Global Protect VPN with AD authentication and want to configure the above solution.</P> <P>&nbsp;</P> <P>Thanks in Advance&nbsp;</P> <P>&nbsp;</P> <P>Regards&nbsp;</P> <P>Sandip Kumbhar</P> Fri, 14 Jul 2023 11:50:11 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-mfa-with-google-authenticator/m-p/549370#M112094 SandipKumbhar 2023-07-14T11:50:11Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-mfa-with-google-authenticator/m-p/549467#M112119 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/287184">@SandipKumbhar</a> ,</P> <P>&nbsp;</P> <P>PAN-OS does not support Google MFA natively -&gt; <A href="https://docs.paloaltonetworks.com/compatibility-matrix/mfa-vendor-support/mfa-vendor-support-table#id17CBB0W095Z" target="_blank">https://docs.paloaltonetworks.com/compatibility-matrix/mfa-vendor-support/mfa-vendor-support-table#id17CBB0W095Z</A>.</P> <P>&nbsp;</P> <P>One solution that you can use is a RADIUS server that supports both LDAP and Google TOTP, e.g. <A href="https://sysopstechnix.com/enable-2fa-on-freeradius-with-openldap-users/" target="_blank">https://sysopstechnix.com/enable-2fa-on-freeradius-with-openldap-users/</A>.&nbsp; I just Googled that one.&nbsp; I have not used it.</P> <P>&nbsp;</P> <P>On the NGFW, all you do is configure the RADIUS server for GlobalProtect.&nbsp; Check out the diagram in the 2nd URL.&nbsp; If you do not want users to get prompted twice for MFA (portal and gateway), you can (1) enable authentication cookies or (2) use RADIUS for the portal and LDAP for your gateway.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 17 Jul 2023 01:49:16 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-mfa-with-google-authenticator/m-p/549467#M112119 TomYoung 2023-07-17T01:49:16Z