D is for Darths.. like Darth Vader and Darth Maul... 2 of the most powerful Sith that have ever existed. But one thing that those guys did not have to worry about was Multi Factor Authentication.
D is for Duo, a company that specializes in trusted access with SSO (Single Sign On) and MFA (Multi Factor Authentication).
In today's video tutorial, Mitch Densley will be talking about Duo MFA.
Some of the topics that Mitch will be covering in this video tutorial:
- Create & enroll user in Duo portal
- Importing Duo certificates into the firewall
- Create Captive Portal (CP) certificate
- Create certificate profile with Duo certificates
- Add Duo MFA
- User-ID setup captive portal
- Create authentication object
- Setup authentication policy
Thanks for watching.
Great post, thank you.
But did you try to use it for GlobalProtect VPN?
@Zupo.si, I did not try to use this for GlobalProtect. From what I know, this will not work without a proxy.
GP cannot be integrated with Duo yet... (maybe in future releases).
I did a POC with GP using local user and Duo MFA integration, running version 8, so it's doable. I am also using this on my home lab.
I did a writeup in the beta forum, maybe I should clean it up and publish it on live, for general availability :)
Great video btw!
Hi @borising, waiting for the link or the post on Live. Thanks.
jdelio wrote:
D is for Darths... like Darth Vader and Darth Maul... 2 of the most powerful Sith that have ever existed. But one thing that those guys did not have to worry about was Multi Factor Authentication.
D is for Duo, a company that specializes in trusted access with SSO (Single Sign On) and MFA (Multi Factor Authentication).
In today's video tutorial, Mitch Densley will be talking about Duo MFA.
Some of the topics that Mitch will be covering in this video tutorial:
- Create & enroll user in Duo portal
- Importing Duo certificates into the firewall
- Create Captive Portal (CP) certificate
- Create certificate profile with Duo certificates
- Add Duo MFA
- User-ID setup captive portal
- Create authentication object
- Setup authentication policy
Thanks for watching.
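The "Add Duo MFA" step configures the firewall with the Duo API hostname, integration key and secret key; every call the firewall then makes to Duo's Auth API is signed with them. This added example (not code from the video, Duo or Palo Alto Networks) builds and signs such a Duo Push request offline, following Duo's published Auth API v2 signing scheme; the IKEY, SKEY and API_HOST values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import urllib.parse
from email.utils import formatdate

# Constructed placeholders: the real integration key, secret key and API hostname
# are issued in the Duo Admin Panel for the Palo Alto application and entered in
# the firewall's MFA server profile. Treat the secret key like a password.
IKEY = "DIPLACEHOLDERIKEY000"
SKEY = "placeholder-secret-key-do-not-use"
API_HOST = "api-placeholder.duosecurity.com"


def encode_params(params):
    """RFC 3986-encode the parameters, sorted by key; the same string is the POST body."""
    return "&".join(
        f"{urllib.parse.quote(k, safe='~')}={urllib.parse.quote(v, safe='~')}"
        for k, v in sorted(params.items())
    )


def canonicalize(method, host, path, params, date):
    """Canonical request Duo signs: date, METHOD, host, path and encoded params, newline-joined."""
    return "\n".join([date, method.upper(), host.lower(), path, encode_params(params)])


def sign(method, host, path, params, ikey, skey, date=None):
    """Headers for one Auth API call: HMAC-SHA1(skey, canonical request) as hex,
    sent as the password of HTTP Basic auth with the integration key as the username."""
    date = date or formatdate(usegmt=True)  # RFC 2822 date; must equal the Date header
    canonical = canonicalize(method, host, path, params, date).encode()
    digest = hmac.new(skey.encode(), canonical, hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{digest}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {token}",
            "Content-Type": "application/x-www-form-urlencoded"}


def push_request(username, ikey=IKEY, skey=SKEY, host=API_HOST, date=None):
    """Build (without sending) the /auth/v2/auth request that sends a Duo Push and
    waits for the user's approve/deny; the firewall only admits the session on "allow"."""
    params = {"username": username, "factor": "push", "device": "auto"}
    return {
        "method": "POST",
        "url": f"https://{host}/auth/v2/auth",
        "headers": sign("POST", host, "/auth/v2/auth", params, ikey, skey, date),
        "body": encode_params(params),
    }
```

A request whose Date header drifts from the signed date, or whose secret key differs from the one in the Duo application, is rejected by Duo, which is the first thing to check when the firewall's MFA profile test fails.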
Check this as well
Regarding the error 'No required ssl certificate was sent', you'll see this when your captive portal has a certificate profile configured. Either remove that or add a suitable certificate to be validated by the firewall using the Certificate profile configured. You do not need to change anything about the SSL/TLS profile.
Tried to do the same with MFA and no luck.
Any time I log in, it shows "disconnected" but sends the Duo push. Tried with local user DB and LDAP. In the client I see "Could not connect to portal", but in the Palo logs I see
Authentication Success, since I approve the Duo push.
Same goes for the portal in the web browser: I enter user/pass, a Duo push is sent, but on screen, before I get the push, I already have "invalid user/pass".
Using 8.0.2 Palo and 4.0.2 Client.
PAN just released 8.0.3 last night, so I am upgrading my lab firewall to 8.0.3, after which I will check my setup again and report back.
I had the same issue on 8.0.2 as you do.
If it works on 8.0.3, I will release my howto on live :)
@borising sounds like a plan, but I got an answer from Palo that MFA is not supported on GP, since it is designed to work with auth policy and only traffic traversing the FW.
I was wondering if this MFA profile can be used to protect my SSH or MS RDP access? If I am using PuTTY for SSH access, how would the MFA be prompted?
@jitan MFA can be used in conjunction with GP. GP client would present the user with a link which would be the MFA login page.
Thanks for your advice. I have configured an authentication policy to trigger MFA when users access servers via RDP. I was able to get the prompt from GP to authenticate at the portal. However, the Windows RDP connection gets killed off the moment GP prompts me to authenticate (as per attached pic). I am using the default Windows RDP connection tool available in Windows 7.
My MFA policy is working fine for normal http access.
Any idea how to overcome this? Thanks.
I doubt that MFA can work properly with anything except HTTP/HTTPS, since to log in you have to authenticate via a webpage.
It should be able to, according to this guide.
@mike_yand @jitan Yes, it should. Give me some time to test in the lab.
I've done this successfully with SSH (and having the GlobalProtect client installed). When I attempt to SSH to a particular server, the GP agent alerts with a message that MFA is required before gaining access. I click and authenticate, and can then connect to the SSH server.
I tried on SSH and it was a little different: the session got killed only after I had a successful authentication with the MFA server (using Duo, by the way).
@jvalentine possible to share your GP settings?
If I already have a working globalprotect and want to add DUO MFA, what steps do I need to perform?
So, is it possible to have Duo auth with GP (direct client authentication) instead of using RADIUS, for a better integration experience? (The current way, using the password auth type, is cumbersome.)
@MichelZ Not at the moment. Probably, in the future there would be a direct integration with MFA with GP. But for now, we'd have to use RADIUS as a proxy.
Maybe we can report this MFA for GP as a feature request to speed things up?