https://live.paloaltonetworks.com/t5/general-topics/two-factor-token-based-2fa-authentication-mechanism-for/m-p/201237#M59499 <P>This should work, yes. Details on how to configure the RADIUS part on the firewall can be found here:&nbsp;<A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-radius-authentication#id01590369-93b6-48be-8928-eac0ade51d5d" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-radius-authentication#id01590369-93b6-48be-8928-eac0ade51d5d</A></P><P>&nbsp;</P> Mon, 19 Feb 2018 23:40:09 GMT Remo 2018-02-19T23:40:09Z https://live.paloaltonetworks.com/t5/general-topics/two-factor-token-based-2fa-authentication-mechanism-for/m-p/201154#M59477 <P>Is there a way to configure MFA and OTP for administrative access. The company wants to comply with new standards and i didn't see way do it for local access. It is only mentioned how to do it for global protect vpn&nbsp;users.</P> Mon, 19 Feb 2018 16:52:31 GMT https://live.paloaltonetworks.com/t5/general-topics/two-factor-token-based-2fa-authentication-mechanism-for/m-p/201154#M59477 SecurityConsultant 2018-02-19T16:52:31Z https://live.paloaltonetworks.com/t5/general-topics/two-factor-token-based-2fa-authentication-mechanism-for/m-p/201163#M59479 <P>I dont think you can, someone else may know better but was looking the other day at adding MFA to amin login and can only add an MFA device in the "factors" tab of the server profile...</P><P>&nbsp;</P><P>for this "Factors" tab PAN state the following....</P><P>&nbsp;</P><P><FONT color="#000000" face="Calibri" size="3">Additional authentication factors are supported for end-user authentication through Authentication Policy only. Additional factors <U>are not supported</U> for remote user authentication to GlobalProtect portals and gateways <U>or for administrator authentication to the PAN-OS or Panorama web interface</U>. Although you can configure additional factors, they will not be enforced for these use cases. You can, however, integrate with MFA vendors using RADIUS or SAML for all authentication use cases.</FONT></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><FONT color="#000000" face="Calibri" size="3">Bummer!!!!</FONT></P> Mon, 19 Feb 2018 17:44:25 GMT https://live.paloaltonetworks.com/t5/general-topics/two-factor-token-based-2fa-authentication-mechanism-for/m-p/201163#M59479 Mick_Ball 2018-02-19T17:44:25Z https://live.paloaltonetworks.com/t5/general-topics/two-factor-token-based-2fa-authentication-mechanism-for/m-p/201191#M59490 <P>Exactly, the possibilities you have are RADIUS or SAML. SAML is great but cannot be used for SSH login (compared to RADIUS).</P><P>Or a completely different approach is if your PAN management interfaces are located behind a PaloAlto Firewall. This way you could enforce the integrated MFA with captive portal and only when a user is successfully authenticated there he will be able to see the admin webinterface. On the admin webinterface you can then stay with username/password as the additional factor was already entered.</P> Mon, 19 Feb 2018 20:04:24 GMT https://live.paloaltonetworks.com/t5/general-topics/two-factor-token-based-2fa-authentication-mechanism-for/m-p/201191#M59490 Remo 2018-02-19T20:04:24Z https://live.paloaltonetworks.com/t5/general-topics/two-factor-token-based-2fa-authentication-mechanism-for/m-p/201219#M59493 <P>I didn't get what you meant by the management interfaces are behind the PAN. I use the dedicated management interface and the loopback to access the FW.&nbsp; How to configure the MFA and the captive portal. Do you mean the MFA under the servers profiles.</P><P>Can you please share how to configure it.</P><P>thanks in advance</P> Mon, 19 Feb 2018 22:04:35 GMT https://live.paloaltonetworks.com/t5/general-topics/two-factor-token-based-2fa-authentication-mechanism-for/m-p/201219#M59493 SecurityConsultant 2018-02-19T22:04:35Z https://live.paloaltonetworks.com/t5/general-topics/two-factor-token-based-2fa-authentication-mechanism-for/m-p/201225#M59494 <P>What I meant was if you have a dedicated management network which which is located behind another PaloAlto Networks Firewall and in this management network you have the management ports of your firewall(s).</P><P>&nbsp;</P><P>But may be we should start with what you already have and what you want to improve. As you wrote you want MFA access for the firewall webinterface.</P><OL><LI>Do you use local users or are they somewhere in a directory?</LI><LI>What authentication method are you using right now?</LI><LI>Do you already have MFA software which you use for other purposes (globalprotect, SAML IdP, Citrix access, ...)?</LI><LI>Are you talking about the managemebt webinterface of one firewall (cluster) or some more firewalls?</LI><LI>Do you already have dedicated managementnetworks, maybe for network devices or virtualization infrastructur or something else?</LI></OL> Mon, 19 Feb 2018 22:38:34 GMT https://live.paloaltonetworks.com/t5/general-topics/two-factor-token-based-2fa-authentication-mechanism-for/m-p/201225#M59494 Remo 2018-02-19T22:38:34Z https://live.paloaltonetworks.com/t5/general-topics/two-factor-token-based-2fa-authentication-mechanism-for/m-p/201229#M59497 <OL><LI>Do you use local users or are they somewhere in a directory? <STRONG>both of them</STRONG></LI><LI>What authentication method are you using right now? <STRONG>just AD credentials</STRONG></LI><LI>Do you already have MFA software which you use for other purposes (globalprotect, SAML IdP, Citrix access, ...)? <STRONG>No</STRONG></LI><LI>Are you talking about the managemebt webinterface of one firewall (cluster) or some more firewalls? <STRONG>one cluster</STRONG></LI><LI>Do you already have dedicated managementnetworks, maybe for network devices or virtualization infrastructur or something else? <STRONG>No&nbsp;</STRONG></LI></OL><P><STRONG>Our customer already has an F5 VPN solution, were they MFA once the VPN client accesses. They added a radius server which is integrated with an OTP server(Azure) and that is working. Can this be done the same for Palo Admin access and if yes how to configure it?</STRONG></P> Mon, 19 Feb 2018 23:01:55 GMT https://live.paloaltonetworks.com/t5/general-topics/two-factor-token-based-2fa-authentication-mechanism-for/m-p/201229#M59497 SecurityConsultant 2018-02-19T23:01:55Z https://live.paloaltonetworks.com/t5/general-topics/two-factor-token-based-2fa-authentication-mechanism-for/m-p/201237#M59499 <P>This should work, yes. Details on how to configure the RADIUS part on the firewall can be found here:&nbsp;<A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-radius-authentication#id01590369-93b6-48be-8928-eac0ade51d5d" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-radius-authentication#id01590369-93b6-48be-8928-eac0ade51d5d</A></P><P>&nbsp;</P> Mon, 19 Feb 2018 23:40:09 GMT https://live.paloaltonetworks.com/t5/general-topics/two-factor-token-based-2fa-authentication-mechanism-for/m-p/201237#M59499 Remo 2018-02-19T23:40:09Z