<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: GP VPN dual factor auth, and contractor access. in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/gp-vpn-dual-factor-auth-and-contractor-access/m-p/43841#M32182</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;For certificate authentication you need only create a certificate profile for each use case and add it to the portal config as well as the gateway. If you use an AD-integrated CA, this is a breeze using auto-enrollment. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We had this same conundrum for external parties. The solution was to create another issuing/policy CA in our 3-tier architecture. Our information security department is also in charge of the root CA, so this was an easy decision. Then we created a vendor portal where external users can access and request a certificate using a customized certsrv page and template. When an external party is done, we just revoke the cert and update the CRL/OCSP, and they are no longer able to connect. A separate portal is not entirely necessary unless you want complete segmentation. I just use AD groups and portal config to push the appropriate user to the correct gateway, as well as enable "on demand" mode. &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 03 Jul 2012 12:39:37 GMT</pubDate>
    <dc:creator>BrutalDismount</dc:creator>
    <dc:date>2012-07-03T12:39:37Z</dc:date>
    <item>
      <title>GP VPN dual factor auth, and contractor access.</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/gp-vpn-dual-factor-auth-and-contractor-access/m-p/43840#M32181</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I have two questions regarding the GlobalProtect Gateway / Portal (sans the GP licensing).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;- I want to set up two-factor authentication for users to authenticate to the GlobalProtect Gateway/Portal with a (common) client certificate installed on their machine that our IT department installs. I currently have just AD authentication integrated, but I want to prevent personal computers from logging into the portal, downloading the software, and connecting into our network (even though we place VPN traffic into another subnet separate from our Trust and Untrust networks). It also provides additional security if a user account is compromised. My question is, do I specify this at the Gateway and then export the client cert to be installed on each individual machine?&amp;nbsp; Is this a correct understanding?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;- My second question is about allowing a contractor to VPN into our network.&amp;nbsp; Since we want to provide a common cert to our staff, I don't want to provide the same cert to a contractor.&amp;nbsp; Must I create another Gateway and Portal to allow this guest to access what is needed inside our network with a completely different certificate?&amp;nbsp; When this contractor is done, can I just expire the cert?&amp;nbsp; Is this even possible under the GP licensing, sans the additional licensing? How would one accomplish this: can I simply create another portal and certificate?&amp;nbsp; &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 02 Jul 2012 22:59:43 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/gp-vpn-dual-factor-auth-and-contractor-access/m-p/43840#M32181</guid>
      <dc:creator>cmateam</dc:creator>
      <dc:date>2012-07-02T22:59:43Z</dc:date>
    </item>
    <item>
      <title>Re: GP VPN dual factor auth, and contractor access.</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/gp-vpn-dual-factor-auth-and-contractor-access/m-p/43841#M32182</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;For certificate authentication you need only create a certificate profile for each use case and add it to the portal config as well as the gateway. If you use an AD-integrated CA, this is a breeze using auto-enrollment. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We had this same conundrum for external parties. The solution was to create another issuing/policy CA in our 3-tier architecture. Our information security department is also in charge of the root CA, so this was an easy decision. Then we created a vendor portal where external users can access and request a certificate using a customized certsrv page and template. When an external party is done, we just revoke the cert and update the CRL/OCSP, and they are no longer able to connect. A separate portal is not entirely necessary unless you want complete segmentation. I just use AD groups and portal config to push the appropriate user to the correct gateway, as well as enable "on demand" mode. &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 03 Jul 2012 12:39:37 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/gp-vpn-dual-factor-auth-and-contractor-access/m-p/43841#M32182</guid>
      <dc:creator>BrutalDismount</dc:creator>
      <dc:date>2012-07-03T12:39:37Z</dc:date>
    </item>
  </channel>
</rss>