topic Re: 2FA on both portal and gateway in General Topics

2FA on both portal and gateway

jdprovine — Fri, 07 Sep 2018 13:21:53 GMT

If you have two factor auth on the portal and the gateway without using the cookie or passing the auth from the portal to the gateway will it ask you to authenticate twice?

Re: 2FA on both portal and gateway

BPry — Fri, 07 Sep 2018 16:12:10 GMT

Yes

Re: 2FA on both portal and gateway

jdprovine — Fri, 07 Sep 2018 16:58:17 GMT

@BPry

Makes sense that it would, but I can pass the authentication if I choose the cookie option can't I? I be that is what the native clients are not getting the routing information from the gateway cause they are only asked to authenticate once

Re: 2FA on both portal and gateway

Mick_Ball — Fri, 07 Sep 2018 19:17:10 GMT

Hi @jdprovine, hope you are well...

I dont think, in fact im pretty sure that native clients do not use the portal, they connect directly to the gateway.

so either i have got that wrong or you are having some other issues with routing info...

Re: 2FA on both portal and gateway

jdprovine — Fri, 07 Sep 2018 19:26:36 GMT

@Mick_Ball

hope you are doing well too....

Well I had never thought of that, interesting. Do you know the technical reason why? Seems like if it went to the gateway it should get the route information

Re: 2FA on both portal and gateway

BPry — Fri, 07 Sep 2018 19:36:41 GMT

@jdprovine,

Not really a technical answer, but IPSec deployments are never implemented the same across devices. The firewall will only send route infromation in a certain manner, whether the end-device has been programmed to accept the route as given is a different story. Most vendors won't take the time to implement every single possible method and don't generally keep up with the changes made throughout all the different implementations. This is why VPN clients are offered; they can ensure that they are both passing/expecting the proper information.

I'm fairly positive that @Mick_Ball is correct in the fact that native clients do not utilize the portal in the connection process.

Re: 2FA on both portal and gateway

Mick_Ball — Sat, 08 Sep 2018 07:36:13 GMT

Spot on @BPry.

Re: 2FA on both portal and gateway

jdprovine — Mon, 10 Sep 2018 14:18:45 GMT

@BPry @Mick_Ball

So I have both radisu and OTP enabled on the gateway and the portal do I need it on both

Re: 2FA on both portal and gateway

Mick_Ball — Mon, 10 Sep 2018 16:57:36 GMT

ooer... this could get confusing...

for native clients, just the gateway but if you have GP clients then you will also need it on the portal.

having it on both without cookie.... well it's an OTP so it cannot be used again for the gateway, thats why the authentication overide (cookie stuff)is there

Re: 2FA on both portal and gateway

BPry — Tue, 11 Sep 2018 00:23:01 GMT

So about these cookies .....

In all seriousness in your situation @jdprovine I would really recommend that you keep OTP on both and then just enable authentication override so that users don't have to enter the OTP twice.

Re: 2FA on both portal and gateway

jdprovine — Tue, 11 Sep 2018 12:52:32 GMT

@BPry

coooookkkkiiiieee. Love the cookie monster picture. So how will authentication override affect those user using the native client?

Re: 2FA on both portal and gateway

jdprovine — Tue, 11 Sep 2018 12:56:40 GMT

@BPry

So application override is set in the portal and then the information is passed onto the gateway? Course I am only going to do based on the affect it has on the native client

Re: 2FA on both portal and gateway

BPry — Tue, 11 Sep 2018 13:21:36 GMT

@jdprovine,

So the authentication override doesn't come into play with the Native clients, because they are only connecting to the gateway. Where the authentication override will come into play is when the GP agents login they will then only need to enter the OTP once when you get cookie Auth properly setup.

Re: 2FA on both portal and gateway

jdprovine — Tue, 11 Sep 2018 13:27:14 GMT

@BPry

So do you select generate cookie for the overide on the portal and accept cookie on the gateway? It make even less sense that the native client doesn't get the routes from the gateway since is connecte directly to it

Re: 2FA on both portal and gateway

BPry — Tue, 11 Sep 2018 14:06:11 GMT

@jdprovine,

So the primary issue with expecting Native Clients to handle route information properly... When most clients (95%+) are unable to understand received route information they will generally fall-back to their default of 0.0.0.0/0, sending everything through the established tunnel. Just to verify, are you seeing the native clients route everything through the tunnel or are you getting nothing through the tunnel?

This has always been a downside of using native clients, and why most vendors have moved away from them. You simply can't anticipate how others will implement things so stuff will always break as one side or the other makes changes. Now that most vendors are using agents it's even less of a concern for most, as most people will never even notice if it's broken. This essentially boils down to the fact that IPSec implementations really don't follow a set standard, they never have.

Re: 2FA on both portal and gateway

jdprovine — Tue, 11 Sep 2018 14:25:12 GMT

@BPry

They don't route everything but they do route too much but they also don't route the network they were created to access. But the main point that I am trying to get across to the users who don't want the client for some reason, can't expect it to work the same as the globalprotect. If it sheds any light we are talk about mac users LOL 😉