topic Re: Radius & OTP Globalprotect VPN in General Topics

Radius & OTP Globalprotect VPN

jdprovine — Mon, 25 Jun 2018 15:20:30 GMT

So if I am configuring a a VPN to use radius & OTP (multi factor authentication) and LDAP. Do I add the radius authentication to both the portal and the gateway? and if so where and how does the LDAP authentication occur?

Re: Radius & OTP Globalprotect VPN

OtakarKlier — Mon, 25 Jun 2018 18:54:31 GMT

Hello,

Are you stating you wish to do 3 authentication methods?

RADIUS -> OTP ->LDAP

I would say that the OTP is your most secure and the LDAP and/or radius would be backup.

Regards,

Re: Radius & OTP Globalprotect VPN

jdprovine — Mon, 25 Jun 2018 19:23:43 GMT

@OtakarKlier

LOL, I guess that would be 3 factor indeed, as requested by my coworker and based on how it was set up on an ASA 5510 thant I am trying to replace. So do you think it is possible?

Re: Radius & OTP Globalprotect VPN

jdprovine — Mon, 25 Jun 2018 20:19:26 GMT

@OtakarKlier

Actually I think that the Radius is serving out the OTP, I will have to check with the guy who is working on that portion of the VPN access

Re: Radius & OTP Globalprotect VPN

OtakarKlier — Mon, 25 Jun 2018 21:06:50 GMT

So OTP on the PAN is setup as radius. If its just OTP then LDAP that is 100% doable. In the past I just made the Portal Authentication the OTP and Gateway authentication LDAP. I havent tried the Multi-Factor Auth feature or the Authentication sequence.

Re: Radius & OTP Globalprotect VPN

jdprovine — Tue, 26 Jun 2018 12:38:26 GMT

Correct the server that we created to do radius also has OTP on it and I have created a server profile for it. So what I need to know is do you set up radius for the portal and LDAP for the gateway or what combination does it have to be, which is what it sounds like you did? So does that mean they have to enter a username and password twice?

Re: Radius & OTP Globalprotect VPN

OtakarKlier — Tue, 26 Jun 2018 13:34:29 GMT

Hello,

So when i was doing it, our OTP solution was an actual hand held time based token that a user had to enter the pin+code. So in this scenario, yes the user had to enter their username twice, once for each popup box.

Since then there have been some improvements:

https://live.paloaltonetworks.com/t5/Integration-Articles/GlobalProtect-One-Time-Password-based-Two-Factor-Authentication/ta-p/155234

https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/authentication/set-up-two-factor-authentication/enable-two-factor-authentication-using-one-time-passwords-otps#ided3529d7-1b3c-442e-b877-2bf2cd32d7d4

If your OTP is one of hte ones listed in the MultiFactor Authentication, the user experience should be different.

Hope this helps.

Re: Radius & OTP Globalprotect VPN

jdprovine — Tue, 26 Jun 2018 14:51:05 GMT

@OtakarKlier

Yes we do OTP on other things the same way with the a code generator. I suspect our users will be prompted to long in twice as well and at this point we are limited to what 7.1.16 offers us since I have not had the time to upgrade to version 8 of the OS yet

Re: Radius & OTP Globalprotect VPN

jambulo — Tue, 26 Jun 2018 15:47:08 GMT

I would do...

- LDAP only on the Portal

- RADIUS(OTP) on the Gateway

...Enabling 2-factor on the Portal may cause your users to have to enter in a OTP even when on your internal network. Is your OTP solution capable of authenticating LDAP as well? (ex. LDAP+OTP over the RADIUS protocol).

Re: Radius & OTP Globalprotect VPN

jdprovine — Tue, 26 Jun 2018 15:53:51 GMT

@jambulo

No my radius server for the OTP is not setup for LDAP and I don't believe it is capable of doing LDAP I am not really sure I would have to talk to the one who configured it.

We currently have this configuration set up using an ASA 5510 firewall, but it is going end of life so we are trying to replace it with a globalprotect VPN and that hits Radius/OTP followed by LDAP and we do want them to enter OTP even when on the internal network

Re: Radius & OTP Globalprotect VPN

jdprovine — Tue, 26 Jun 2018 16:36:52 GMT

It also looks, if i am reading it right, that you can configure it so it only makes you do the OTP login at the portal and passes the information encrypted , via cookie?, to the gateway

Re: Radius & OTP Globalprotect VPN

Mick_Ball — Tue, 26 Jun 2018 18:14:29 GMT

Yes we use cookie auth with OTP.

it saves the user entering twice, plus, the user will have to wait the set time for a new passcode to be generated, depending on OTP system. We do not allow passcode re-use.

also note that you are stuffed if the portal is unavailable for any reason and your GP client uses last known cached config.

for what you require i would go Ldap for portal and OTP for gateway, this is assuming you have 3 factors for OTP.

something you are, have and know vs ldap, something you are and know.

Re: Radius & OTP Globalprotect VPN

jdprovine — Tue, 26 Jun 2018 19:53:13 GMT

@OtakarKlier

I checked with the server builder and apparrently twe do have radius,OTP and LDAP on the same server so we are good. I have most everything configured now so on to testing

Re: Radius & OTP Globalprotect VPN

OtakarKlier — Tue, 26 Jun 2018 21:18:11 GMT

Good to hear. Also all traffic that the GP client passes after its initial contact with the Portal interface is encrypted. There are many ways to do this like Mich mentioned. Just depepnds on what you want to do and what the customer experience is.