08-09-2019 05:18 AM
I am a bit confused with the MFA vendor supported by the firewall, because the Compatibility Matrix says that MFA server profile is not supported for Global Protect?
I am aware that any MFA vendor can be configure over Radius Server, but presuming that we don’t use Radius , and we get one 4 supported vendors, e.g. RSA SecureID, can client–based and clientless GlobalProtect be configured with LDAP and 2FA?
08-13-2019 11:51 PM
Direct MFA integration is meant to be used with Authentication Policy only (Captive Portal). If you are creating Authentication Profile and go under "Factor" you'll see a note stating: "The factors below are used only for Authentication Policy" (and the Factors are referencing MFA profiles).
As you've said, through RADIUS you can integrate with any vendor (from firewall perspective, this is RADIUS only, it doesn't care what's happening in the background, just waiting for Access Accept/Reject message).
A lot of confusion comes from the fact that MFA is used in Authentication Policies, and Authentication Policies if triggered for non-web-based traffic can trigger user notification through GP client (GP used only to relay the message from the firewall that there was an access attempt on port x, when firewall can't redirect the user to captive portal - for example ssh traffic).
Hope this helps!
08-09-2019 12:43 PM
Hello,
Yes this should be possible.
Regards,
08-12-2019 12:54 AM
@OtakarKlier Thank you for responding.
The article is not quite clear, but it is in fact hinting (under Step1) that only Radius based authentictaion is possible:
"If you are using two-factor authentication with GlobalProtect to authenticate to the gateway or portal, a RADIUS server profile is required. If you are using GlobalProtect to notify the user about an authentication policy match (UDP message), a Multi Factor Authentication server profile is sufficient."
It will be great if someone tried it and can share experience. I don't want to advise the customer to sign up for one of 4 vendors, if then they will not work GlobalProtect.
08-13-2019 11:51 PM
Direct MFA integration is meant to be used with Authentication Policy only (Captive Portal). If you are creating Authentication Profile and go under "Factor" you'll see a note stating: "The factors below are used only for Authentication Policy" (and the Factors are referencing MFA profiles).
As you've said, through RADIUS you can integrate with any vendor (from firewall perspective, this is RADIUS only, it doesn't care what's happening in the background, just waiting for Access Accept/Reject message).
A lot of confusion comes from the fact that MFA is used in Authentication Policies, and Authentication Policies if triggered for non-web-based traffic can trigger user notification through GP client (GP used only to relay the message from the firewall that there was an access attempt on port x, when firewall can't redirect the user to captive portal - for example ssh traffic).
Hope this helps!
08-14-2019 01:08 AM
@nimark Thank you, this calrifies it better
09-22-2019 08:30 AM
can someone please explain below in more detail
As you've said, through RADIUS you can integrate with any vendor (from firewall perspective, this is RADIUS only, it doesn't care what's happening in the background, just waiting for Access Accept/Reject message).
08-21-2021 03:16 PM
This post has long been solved, but for future onlookers this table is awesome to see what use cases and protocols can be used for MFA support. https://docs.paloaltonetworks.com/compatibility-matrix/mfa-vendor-support/mfa-vendor-support-table.h...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
