topic Re: Global Protect MFA Vendor Support in General Topics

Global Protect MFA Vendor Support

BatD — Fri, 09 Aug 2019 12:18:20 GMT

I am a bit confused with the MFA vendor supported by the firewall, because the Compatibility Matrix says that MFA server profile is not supported for Global Protect?

https://docs.paloaltonetworks.com/compatibility-matrix/mfa-vendor-support/mfa-vendor-support-table.html#

I am aware that any MFA vendor can be configure over Radius Server, but presuming that we don’t use Radius , and we get one 4 supported vendors, e.g. RSA SecureID, can client–based and clientless GlobalProtect be configured with LDAP and 2FA?

Re: Global Protect MFA Vendor Support

OtakarKlier — Fri, 09 Aug 2019 19:43:08 GMT

Hello,

Yes this should be possible.

https://docs.paloaltonetworks.com/globalprotect/8-0/globalprotect-admin/authentication/configure-globalprotect-to-facilitate-multi-factor-authentication-notifications.html

Regards,

Re: Global Protect MFA Vendor Support

BatD — Mon, 12 Aug 2019 07:54:39 GMT

@OtakarKlier Thank you for responding.

The article is not quite clear, but it is in fact hinting (under Step1) that only Radius based authentictaion is possible:

"If you are using two-factor authentication with GlobalProtect to authenticate to the gateway or portal, a RADIUS server profile is required. If you are using GlobalProtect to notify the user about an authentication policy match (UDP message), a Multi Factor Authentication server profile is sufficient."

It will be great if someone tried it and can share experience. I don't want to advise the customer to sign up for one of 4 vendors, if then they will not work GlobalProtect.

Re: Global Protect MFA Vendor Support

nimark — Wed, 14 Aug 2019 06:51:40 GMT

Direct MFA integration is meant to be used with Authentication Policy only (Captive Portal). If you are creating Authentication Profile and go under "Factor" you'll see a note stating: "The factors below are used only for Authentication Policy" (and the Factors are referencing MFA profiles).

As you've said, through RADIUS you can integrate with any vendor (from firewall perspective, this is RADIUS only, it doesn't care what's happening in the background, just waiting for Access Accept/Reject message).

A lot of confusion comes from the fact that MFA is used in Authentication Policies, and Authentication Policies if triggered for non-web-based traffic can trigger user notification through GP client (GP used only to relay the message from the firewall that there was an access attempt on port x, when firewall can't redirect the user to captive portal - for example ssh traffic).

Hope this helps!

Re: Global Protect MFA Vendor Support

BatD — Wed, 14 Aug 2019 08:08:09 GMT

@nimark Thank you, this calrifies it better

Re: Global Protect MFA Vendor Support

MP18 — Sun, 22 Sep 2019 15:30:28 GMT

can someone please explain below in more detail

Re: Global Protect MFA Vendor Support

TomYoung — Sat, 21 Aug 2021 22:16:28 GMT

This post has long been solved, but for future onlookers this table is awesome to see what use cases and protocols can be used for MFA support. https://docs.paloaltonetworks.com/compatibility-matrix/mfa-vendor-support/mfa-vendor-support-table.html