topic Purpose of Authen Profile under Global Protect Gateway in General Topics

Purpose of Authen Profile under Global Protect Gateway

MP18 — Sat, 03 Nov 2018 04:13:37 GMT

We have configured MFA using CP and using RSA as Second authen.

Under Network

Portal Authen--------------Radius

Gateway Authen ----------------Radius

Under Device

CP - Authen ---------RSA

Why we need Authen profile under Gateway??????????

should Authen profile under Portal and Gateway have to be same?????

Why we use same authen Radius on both

Re: Purpose of Authen Profile under Global Protect Gateway

Remo — Sat, 03 Nov 2018 15:13:12 GMT

Hi @MP18

This would give you the possibility to assign different authentication profiles for portal and gateway, but as you are using the same one for both, it makes sure that users alwaya have to login with MFA (just in case the access to the portal isn't possible for whatever reason). In this situation with a not working portal the GP clients will try to connect ditectly to the gateway.

So you have now secured the access with MFA, but to make the login process for the users a little easier (so that they don't need to log in twice for establishing the connection) you should configure authentication override with a cookie lifetime of 1 minute. This way when everything works as expected a user is required to do the MFA authentication only once.

Regards,

Remo

Re: Purpose of Authen Profile under Global Protect Gateway

MP18 — Sat, 03 Nov 2018 15:34:05 GMT

Hi Remo,

Always good to get reply from you.

I did not understand this

should configure authentication override with a cookie lifetime of 1 minute. This way when everything works as expected a user is required to do the MFA authentication only once.

can you please explain this in more detail?

Best Regards

Mike

Re: Purpose of Authen Profile under Global Protect Gateway

Remo — Sat, 03 Nov 2018 20:56:29 GMT

--> https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/authentication/about-globalprotect-user-authentication/how-does-the-agent-or-app-know-what-credentials-to-supply/cookie-authentication-on-the-portal-or-gateway

The article explain the use of cookies for authentication override and the general purpose of these. The time these cookies are valid can go up to a year but if you only want to improve the user experience while maintaining a secure as possible authentication you should configure the lifetime to only 1 minute. This way the cookie can only be used for this one minute and connection attempts after this minute need to do again the full MFA authentication.

Hope this helps.