topic Re: How to configure two-factor auth in GlobalProtect in General Topics

How to configure two-factor auth in GlobalProtect

jwolach — Tue, 02 Oct 2012 14:05:39 GMT

Can someone point me to a document for configuring two-factor authentication in GlobalProtect?

Thx

Re: How to configure two-factor auth in GlobalProtect

ppatel — Tue, 02 Oct 2012 15:07:13 GMT

Hello,

You can do multi-factor by performing client cert auth in addition to authentication to your LDAP/Radius/Kerberos server.

I am not sure if you have gone through the following threads to see if it is useful:-

https://live.paloaltonetworks.com/message/10462#10462

https://live.paloaltonetworks.com/message/18731#18731

https://live.paloaltonetworks.com/docs/DOC-1934

Regards

Parth

Re: How to configure two-factor auth in GlobalProtect

jwolach — Tue, 02 Oct 2012 15:27:24 GMT

Hi Parth,

Thanks for your reply. However, I would like to use a token for the second pass. Can I do that with GP?

Thanks,Jeff

Re: How to configure two-factor auth in GlobalProtect

ppatel — Tue, 02 Oct 2012 15:37:27 GMT

Jeff,

Yes, RADIUS (secure ID) can be used as a secondary means of authentication. Ensure that the username for the RADIUS authentication is configured for the GP gateway stage and is the same as that which is used at the portal stage as you will not be prompted to add the username at the Gateway level

You will however will allowed to enter the password and here is where you'd enter the RADIUS secure ID one time password as the password

Let me know if that helps.

Regards

Parth

Re: How to configure two-factor auth in GlobalProtect

jwolach — Tue, 02 Oct 2012 15:44:03 GMT

Parth,

Let me just confirm what you said. So, I can leave my GP Portal Auth Profile as AD but, I should change my Ext Gateway Auth Profile to be the Radius Proxy Server for my token system. I'm not using SecureID, I'm using Duo Security. The only thing is that the user credentials in the Radius Proxy Server needs to be the same as they are in AD. Correct??

So, when do I get prompted for the token password? Will something pop up from the GP Client?

Thanks,
Jeff

Re: How to configure two-factor auth in GlobalProtect

jwolach — Tue, 02 Oct 2012 22:10:23 GMT

Parth,

Is it possible to configure two GP Gateways on the same interface? I want to have one use AD for authentication for certain users and the other to use two-factor authentication for my advanced users.

Thx, Jeff

Re: How to configure two-factor auth in GlobalProtect

ppatel — Tue, 02 Oct 2012 22:17:31 GMT

Jeff,

You should be seeing the a dialogue box pop up at the gateway authentication. But as mentioned before, the username (from the AD )set for the portal authentication and the gateway should be the same as during the gateway authentication , we get a prompt to enter the one time password .

Regards

Parth

Re: How to configure two-factor auth in GlobalProtect

jwolach — Tue, 02 Oct 2012 22:21:40 GMT

Parth,

Yes, I got that part working just fine. I just was wondering if I can create two different External Gateway profiles that use the same interface. So, I would have the GP Portal, Ext GW-1 and Ext GW-2 all bound to the same External Interface. Can I do that?

Thx, Jeff

Re: How to configure two-factor auth in GlobalProtect

jwolach — Tue, 02 Oct 2012 22:34:10 GMT

Never mind... I just tried it and it will not allow me to do what I want. Unless, you know of another way to do it with one interface?

Re: How to configure two-factor auth in GlobalProtect

ppatel — Tue, 02 Oct 2012 22:38:07 GMT

Jeff,

I have not seen this implementation of having two gateway profiles associated to the a single gateway ip-address and am not 100% sure.

As per the tech note we can have One or more interfaces on one or more Palo Alto Networks firewalls that can be configured as gateway.

Regards

Parth

Re: How to configure two-factor auth in GlobalProtect

ppatel — Tue, 02 Oct 2012 23:18:03 GMT

Hi Jeff,

You are right, it won't work.

You definitely need to have two ip-address for the gateways.

How about adding secondary ip on the interface and assigning second gateway profile to the secondary ip-address.

Example:-

Portal ip- eth 1/3 10.30.6.54/24

eth 1/3 10.30.6.54/24 ( GW1)

10.30.6.110/32 (secondary ip) (GW2)

One gateway :- uses LDAP , tunnel.1

Another gateway :- uses Radius, tunnel.2

Should work. But will require gateway license.

Thanks

Parth

Re: How to configure two-factor auth in GlobalProtect

jwolach — Tue, 02 Oct 2012 23:52:09 GMT

Hi Parth,

I had the same idea in mind however, I can't put a secondary IP on the interface because I only have one Public IP address for that interface. But, I see that would potentially work.

Thx for all of your help!

Re: How to configure two-factor auth in GlobalProtect

kevin_thys — Fri, 26 Oct 2012 19:57:07 GMT

Hi Ppatel,

I have for GP-portal ldap with attribute mail. In Radius RSA usernames are mail addres. But doen't work, when I captured radius packets comming from PA I saw the username mail addres is changed to domain.com\user.

So summary:

Portal:

username: user1@domain.com

pwd: AD password

GW:

username send to RSA: domain.com\user1

pwd: OTP.

But I get an error from RSA because he's waiting for user1@domain.com.

Can this issue be solved? RSA users are only known by mail addres.

Regards,

Kevin

Re: How to configure two-factor auth in GlobalProtect

jcostello — Tue, 05 Aug 2014 13:45:53 GMT

Kevin

How about swapping the authentication profile for the Portal and the Gateway - RADIUS authentication on Portal and LDAP on the Gateway. RADIUS will push the user1@domain.com to the gateway and then prompt. Not the typical configuration but will still do two factor authentication.