https://live.paloaltonetworks.com/t5/general-topics/two-factor-authenticaton-tokens-with-pan-firewalls/m-p/23192#M16898 <HTML><HEAD></HEAD><BODY><P>Something like this?</P><P></P><P><A href="http://nordicedge.com/paloalto/" title="http://nordicedge.com/paloalto/"> Strong authentication for Palo Alto Secure Access SSL VPN Solutions | Nordic Edge | The Provider of Secure Identity Solutions</A></P></BODY></HTML> Tue, 10 Jul 2012 17:34:03 GMT mikand 2012-07-10T17:34:03Z https://live.paloaltonetworks.com/t5/general-topics/two-factor-authenticaton-tokens-with-pan-firewalls/m-p/23191#M16897 <HTML><HEAD></HEAD><BODY><P>I am looking for a two factor authentiction solution for PAN firewalls (Global Protect).&nbsp; particularly interested in a Mobile phone base app to provide security token or OTP to authenticate users via Global Protect.&nbsp; Anybody have any good or bad experiences with these?</P></BODY></HTML> Tue, 10 Jul 2012 16:49:45 GMT https://live.paloaltonetworks.com/t5/general-topics/two-factor-authenticaton-tokens-with-pan-firewalls/m-p/23191#M16897 sns.jon 2012-07-10T16:49:45Z https://live.paloaltonetworks.com/t5/general-topics/two-factor-authenticaton-tokens-with-pan-firewalls/m-p/23192#M16898 <HTML><HEAD></HEAD><BODY><P>Something like this?</P><P></P><P><A href="http://nordicedge.com/paloalto/" title="http://nordicedge.com/paloalto/"> Strong authentication for Palo Alto Secure Access SSL VPN Solutions | Nordic Edge | The Provider of Secure Identity Solutions</A></P></BODY></HTML> Tue, 10 Jul 2012 17:34:03 GMT https://live.paloaltonetworks.com/t5/general-topics/two-factor-authenticaton-tokens-with-pan-firewalls/m-p/23192#M16898 mikand 2012-07-10T17:34:03Z https://live.paloaltonetworks.com/t5/general-topics/two-factor-authenticaton-tokens-with-pan-firewalls/m-p/23193#M16899 <HTML><HEAD></HEAD><BODY><P>I tested RSA via Radius for our vpn a few months back on 4.1.3-.4 and while I was able to get authentication working, it was not a very supportable setup.&nbsp; </P><P></P><P>The globalprotect client sends the same password for the portal and the gateway when connecting. This caused big issues since rsa passcodes are only good for one use. It was extremely easy to lock out a users account on the rsa server if you miskeyed a passcode more than once on a connect attempt.&nbsp; Also the user had to log in once, then wait for the 2nd logon up to 59 seconds until the token cycled to the next code, before being able to connect.</P><P></P><P>The workaround for this was to use AD authentication for the portal and have the users first log in with the AD credentials, then when prompted for a 2nd logon for the gateway the user would use the RSA credentials.&nbsp; Another workaround that was proposed by support was to make the portal unreachable via the internet to force the globalprotect client to use the last cached configuration and eliminate the portal logon piece of the process when connecting remotely.&nbsp; Since I had to set up users that were 100% remote I went with the first workaround so they could get to the portal remotely.</P><P></P><P>After testing with some of my users we decided to stick with our existing vpn setup until the PA solution matures a bit more to avoid the headache of dealing with users constantly being confused about which password to enter.</P><P></P><P>The last I heard from PA support,&nbsp; real one time password support was not expected to happen any time soon.&nbsp; Seeing the link provided above, I wonder if something has changed recently.</P></BODY></HTML> Tue, 10 Jul 2012 18:28:09 GMT https://live.paloaltonetworks.com/t5/general-topics/two-factor-authenticaton-tokens-with-pan-firewalls/m-p/23193#M16899 kcbrown 2012-07-10T18:28:09Z https://live.paloaltonetworks.com/t5/general-topics/two-factor-authenticaton-tokens-with-pan-firewalls/m-p/23194#M16900 <HTML><HEAD></HEAD><BODY><P>thanks for the input. good info...</P></BODY></HTML> Tue, 10 Jul 2012 19:01:24 GMT https://live.paloaltonetworks.com/t5/general-topics/two-factor-authenticaton-tokens-with-pan-firewalls/m-p/23194#M16900 sns.jon 2012-07-10T19:01:24Z https://live.paloaltonetworks.com/t5/general-topics/two-factor-authenticaton-tokens-with-pan-firewalls/m-p/23195#M16901 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>For better user experience, maybe we can use SSO for GP Portal and GP Gateway authentication (transparent for users) and use OTP on Captive Portal to go from "Grobal Protect" zone to the "protected ressources" zone.</P><P>By this way, we have only one visible authentication (for the user) : OTP</P><P></P><P>That's wrong or not?</P></BODY></HTML> Thu, 25 Oct 2012 09:38:21 GMT https://live.paloaltonetworks.com/t5/general-topics/two-factor-authenticaton-tokens-with-pan-firewalls/m-p/23195#M16901 fverstraete 2012-10-25T09:38:21Z https://live.paloaltonetworks.com/t5/general-topics/two-factor-authenticaton-tokens-with-pan-firewalls/m-p/23196#M16902 <HTML><HEAD></HEAD><BODY><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">the RSA/GP solution is not enterprise ready to say the least.</P><P></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">My recommendation if you want to move with this LDPAP auth the portal, RSA the gateway its horrible technically but as close as you will get with out a certificate server</P></BODY></HTML> Thu, 17 Jan 2013 23:47:08 GMT https://live.paloaltonetworks.com/t5/general-topics/two-factor-authenticaton-tokens-with-pan-firewalls/m-p/23196#M16902 kkeeton 2013-01-17T23:47:08Z