topic Re: Dual Factor Authenticatin for Global Protect - possible? in General Topics

Dual Factor Authenticatin for Global Protect - possible?

darren_g — Tue, 13 Sep 2016 04:10:09 GMT

Folks.

Does anyone know if it's possible to integrate dual-factor authentication (SecureID or similar) into Global protect authentication?

Our business is requiring more and more rigid access control for VPN access (among other things), and I need to look into getting some form of 2FA integrated into our VPN sign on in the short to medium term.

Is this possible? Any pointers to guides anywhere?

Thanks

Re: Dual Factor Authenticatin for Global Protect - possible?

reaper — Tue, 13 Sep 2016 07:40:41 GMT

have you checked out this article: GlobalProtect Dual Factor Authentication with Client Certificate for Windows

Re: Dual Factor Authenticatin for Global Protect - possible?

bgmncwj — Tue, 13 Sep 2016 13:14:13 GMT

We've been using Duo two factor along with requiring client certs on machines with a lot of success. This allows us to use two factor and ensure that we only have company approved equipment connect to the VPN.

We have the gateway set to use the Duo radius server (https://duo.com/docs/authproxy_reference) for authentication, which then verifes against AD and sends a push request to the users device to confirm authentication along with having a certificate profile setup to verify that a company issued AD cert is installed.

On the portal side we just have it verifying against AD directly with no certificate profile. That seems to be the best blend so users don't get requested to authenticate with two factor for config updates, just to actually log in.

Re: Dual Factor Authenticatin for Global Protect - possible?

bbilut — Tue, 13 Sep 2016 17:37:52 GMT

Is any doing any OTP dual factor setups. It would be cool to somehow use Google Authenticator as a second factor.

Re: Dual Factor Authenticatin for Global Protect - possible?

darren_g — Wed, 14 Sep 2016 00:22:30 GMT

@reaper wrote:
have you checked out this article: GlobalProtect Dual Factor Authentication with Client Certificate for Windows

Yes, I have - but that's not really dual factor authentication in the context I'm using.

Compromise a user account and steal a laptop/PC with the certificate already installed - and you're in.

With an RSA os similar, you can steal the laptop, you can compromise the account, you can steal the token - but unless you're torturing the token owner for their PIN, you're not going to get in regardless of having the token.

Re: Dual Factor Authenticatin for Global Protect - possible?

darren_g — Wed, 14 Sep 2016 00:25:59 GMT

@bgmncwj wrote:
We've been using Duo two factor along with requiring client certs on machines with a lot of success. This allows us to use two factor and ensure that we only have company approved equipment connect to the VPN.

We have the gateway set to use the Duo radius server (https://duo.com/docs/authproxy_reference) for authentication, which then verifes against AD and sends a push request to the users device to confirm authentication along with having a certificate profile setup to verify that a company issued AD cert is installed.

On the portal side we just have it verifying against AD directly with no certificate profile. That seems to be the best blend so users don't get requested to authenticate with two factor for config updates, just to actually log in.

That looks like it might be a workable solution - and has specific guides for PAN setup - I'll give it a closer look - thanks for the pointer.