topic Re: GP- AD auth and SMS through ext radius in General Topics

GP- AD auth and SMS through ext radius

GeorgiosFakis — Fri, 06 Sep 2019 11:54:21 GMT

Hi all ,

Has anyone accomplished to authenticate external users 1st with AD through LDAP profile and then SMS through radius to another server ?

I guess 1st authentication will done in the portal and SMS auth profile can be added on the gateway ?

Re: GP- AD auth and SMS through ext radius

Mick_Ball — Fri, 06 Sep 2019 15:03:08 GMT

That would work but the only issue would be if the portal was unavailable... the GP client would used last cached gateway info and user would only require SMS auth to gateway.

Re: GP- AD auth and SMS through ext radius

GeorgiosFakis — Sat, 07 Sep 2019 12:45:09 GMT

thank you , so if I want to have the 2nd factor authentication like mentioned how is going to be configured ? 2 auth profiles in one auth sequence attached to both portal and gateway ?

Re: GP- AD auth and SMS through ext radius

Mick_Ball — Sat, 07 Sep 2019 13:32:38 GMT

No, this cannot be done, the auth sequence will finish when the first in the list succeeds.

the closest option without using a purpose built MFA is LDAP or Radius combined with certificate..

Re: GP- AD auth and SMS through ext radius

GeorgiosFakis — Fri, 20 Sep 2019 15:50:05 GMT

Can I have LDAP profile to authenticate users against AD for the portal and then use authentication profile with RADIUS for SMS token delivery for the gateway ?

Re: GP- AD auth and SMS through ext radius

Mick_Ball — Fri, 20 Sep 2019 17:28:28 GMT

Yes you can do that.

but just be aware...

if the portal ever becomes unavailable the local client will use the last known portal config and attempt to connect to the gateway directly, so only passcode will be required... this may also be confusing for users as they will not know if to use password or passcode...

why do you feel you need both ?

does your sms passcode also require a username and PIN?

Re: GP- AD auth and SMS through ext radius

GeorgiosFakis — Fri, 20 Sep 2019 17:32:44 GMT

I have multiple gateways and that means that Firewalls that have the portals they don't have the gateways and the firewalls with the gateways they don't have any portals .

I tried to attach LDAP-AD profile that works in the portal and the profile for the SMS provider to the gateways which I have configured the firewalls to send vs source-ip only. But doesn't work because it seems that app sends the ad password as passcode since I get SMS that my account is locked but if I do the opposite and I use the SMS auth in the Portal and the LDAP-AP profile in the gateway then I get SMS , I put that since I am getting prompted and then auth fail with no reason but I suspect that this SMS passcode is being used in the gateway .

Re: GP- AD auth and SMS through ext radius

Mick_Ball — Fri, 20 Sep 2019 18:49:19 GMT

What do you have in network/portal/config/authentication/save user credentials.

Re: GP- AD auth and SMS through ext radius

GeorgiosFakis — Sat, 21 Sep 2019 17:09:42 GMT

I had save user name only and I tried also with no.

Re: GP- AD auth and SMS through ext radius

MP18 — Sun, 22 Sep 2019 14:44:10 GMT

So in this config Portal and Gateway auth profile should match?

Re: GP- AD auth and SMS through ext radius

GeorgiosFakis — Sun, 22 Sep 2019 14:54:36 GMT

No , because user should put one time user/pass that will be checked against AD and then on the gateway I would like user to put one time password through another AD that delivers the SMS to user .

I made it work with Portal SMS and gateway AD credentials but I get 3 times to provide password and two of them is AD credentials .

Re: GP- AD auth and SMS through ext radius

MP18 — Sun, 22 Sep 2019 14:59:58 GMT

I am using MFA with RSA and on Portal and Gateway I have same authen profile which is AD then on Authen policy i choose

RSA and it works fine.

Seems in out setup when user logins to PC he also gets login to GP client automatically as it is always on.

Re: GP- AD auth and SMS through ext radius

RPerez11 — Fri, 20 Mar 2020 11:41:59 GMT

Hi Georgios. At the end it does work? I have a similar issue

I probe the integration between Palo Alto - Google Authenticator trough RADIUS and it works perfectly. But now I need to integrate the same with LDAP in the entire authentication process. So customer wants:

GP user opens and authenticate - User Mapping with LDAP Profile - Sends to user the authcode - login with the token

I can't fin the configuration process. Can you help me?