Dual Factor Authentication for Global Protect - possible?

L4 Transporter

Dual Factor Authentication for Global Protect - possible?

Folks.

 

Does anyone know if it's possible to integrate dual-factor authentication (SecurID or similar) into GlobalProtect authentication?

 

Our business is requiring more and more rigid access control for VPN access (among other things), and I need to look into getting some form of 2FA integrated into our VPN sign on in the short to medium term.

 

Is this possible? Any pointers to guides anywhere?

 

Thanks

L7 Applicator

Re: Dual Factor Authentication for Global Protect - possible?

Have you checked out this article: GlobalProtect Dual Factor Authentication with Client Certificate for Windows


Help the community: Like helpful comments and mark solutions
Reaper out
L2 Linker

Re: Dual Factor Authentication for Global Protect - possible?

We've been using Duo two factor along with requiring client certs on machines with a lot of success. This allows us to use two factor and ensure that we only have company approved equipment connect to the VPN.

 

We have the gateway set to use the Duo RADIUS server (https://duo.com/docs/authproxy_reference) for authentication, which then verifies against AD and sends a push request to the user's device to confirm authentication, along with having a certificate profile set up to verify that a company-issued AD cert is installed.

 

On the portal side we just have it verifying against AD directly with no certificate profile. That seems to be the best blend so users don't get requested to authenticate with two factor for config updates, just to actually log in.

L3 Networker

Re: Dual Factor Authentication for Global Protect - possible?

Is anyone doing any OTP dual factor setups? It would be cool to somehow use Google Authenticator as a second factor.

-Brad
L4 Transporter

Re: Dual Factor Authentication for Global Protect - possible?


@reaper wrote:

Have you checked out this article: GlobalProtect Dual Factor Authentication with Client Certificate for Windows


 

Yes, I have - but that's not really dual factor authentication in the context I'm using.

 

Compromise a user account and steal a laptop/PC with the certificate already installed - and you're in.

 

With an RSA or similar, you can steal the laptop, you can compromise the account, you can steal the token - but unless you're torturing the token owner for their PIN, you're not going to get in regardless of having the token.

L4 Transporter

Re: Dual Factor Authentication for Global Protect - possible?


@bgmncwj wrote:

We've been using Duo two factor along with requiring client certs on machines with a lot of success. This allows us to use two factor and ensure that we only have company approved equipment connect to the VPN.

 

We have the gateway set to use the Duo RADIUS server (https://duo.com/docs/authproxy_reference) for authentication, which then verifies against AD and sends a push request to the user's device to confirm authentication, along with having a certificate profile set up to verify that a company-issued AD cert is installed.

 

On the portal side we just have it verifying against AD directly with no certificate profile. That seems to be the best blend so users don't get requested to authenticate with two factor for config updates, just to actually log in.


 

That looks like it might be a workable solution - and has specific guides for PAN setup - I'll give it a closer look - thanks for the pointer.
