Global Protect MFA Vendor Support

L4 Transporter


I am a bit confused about the MFA vendors supported by the firewall, because the Compatibility Matrix says that the MFA server profile is not supported for GlobalProtect?

https://docs.paloaltonetworks.com/compatibility-matrix/mfa-vendor-support/mfa-vendor-support-table.h...


I am aware that any MFA vendor can be configured over a RADIUS server, but presuming that we don't use RADIUS and we get one of the 4 supported vendors, e.g. RSA SecurID, can client-based and clientless GlobalProtect be configured with LDAP and 2FA?

L7 Applicator

Re: Global Protect MFA Vendor Support

L4 Transporter

Re: Global Protect MFA Vendor Support

@OtakarKlier Thank you for responding. 

The article is not quite clear, but it is in fact hinting (under Step 1) that only RADIUS-based authentication is possible:


"If you are using two-factor authentication with GlobalProtect to authenticate to the gateway or portal, a RADIUS server profile is required. If you are using GlobalProtect to notify the user about an authentication policy match (UDP message), a Multi Factor Authentication server profile is sufficient."


It would be great if someone has tried it and can share their experience. I don't want to advise the customer to sign up for one of the 4 vendors if they then will not work with GlobalProtect.

L7 Applicator

Re: Global Protect MFA Vendor Support

Direct MFA integration is meant to be used with Authentication Policy only (Captive Portal). If you create an Authentication Profile and go under "Factors" you'll see a note stating: "The factors below are used only for Authentication Policy" (and the Factors reference MFA profiles).


As you've said, through RADIUS you can integrate with any vendor (from the firewall's perspective this is RADIUS only; it doesn't care what's happening in the background, it just waits for the Access-Accept/Access-Reject message).


A lot of confusion comes from the fact that MFA is used in Authentication Policies, and Authentication Policies, if triggered for non-web-based traffic, can trigger a user notification through the GP client (GP is used only to relay the message from the firewall that there was an access attempt on port x, when the firewall can't redirect the user to the captive portal, for example for SSH traffic).


Hope this helps!
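To make the "RADIUS only, just waiting for Access-Accept/Reject" point concrete, here is the exchange in miniature as an added example (not code from this thread or from Palo Alto Networks). It builds an RFC 2865 Access-Request the way a NAS such as the firewall would, hides the User-Password with the shared secret, lets a stand-in RADIUS server consult an opaque "MFA backend", and has the client accept only an Access-Accept whose Response Authenticator and Identifier check out. The user "alice", the shared secret, and the vendor convention of appending a 6-digit OTP to the password are all constructed for the example.

```python
"""Toy RADIUS Access-Request / Accept / Reject round trip (RFC 2865).

Added illustration only. Everything below the 'MFA backend' marker is the
part the firewall never sees: it gets a single Accept or Reject back.
"""
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _encode_attrs(pairs):
    """Type-Length-Value encoding; Length counts the T and L octets too."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password, run by the RADIUS server."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_id=b"pa-fw-gp"):
    """Access-Request as the NAS (firewall) sends it: (packet, request_authenticator)."""
    req_auth = secrets.token_bytes(16)
    attrs = _encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth)),
        (ATTR_NAS_IDENTIFIER, nas_id),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def parse_packet(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return code, ident, packet[4:20], attrs


def build_response(code, ident, req_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_response(packet, req_auth, secret):
    """NAS-side check: reply was made with the shared secret and answers THIS request."""
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


# ---- MFA backend: constructed stand-in for the vendor, invisible to the firewall.
# Hypothetical user; the vendor expects the directory password with a 6-digit OTP
# appended, a common RADIUS MFA convention.
USERS = {b"alice": (b"Summer2024", b"123456")}


def mfa_backend(username, presented):
    creds = USERS.get(username)
    if creds is None:
        return False
    password, otp = creds
    return hmac.compare_digest(presented, password + otp)


def radius_server(request, secret):
    """Vendor's RADIUS front end: recover the password, ask the backend, answer."""
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST or ATTR_USER_PASSWORD not in attrs:
        return None
    presented = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    ok = mfa_backend(attrs.get(ATTR_USER_NAME, b""), presented)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret)


def firewall_authenticate(username, presented, secret, transport=radius_server):
    """All the firewall does: one Access-Request, then trust only a verified Access-Accept."""
    ident = secrets.randbelow(256)
    request, req_auth = build_access_request(ident, username, presented, secret)
    reply = transport(request, secret)  # in reality a UDP round trip to port 1812
    if reply is None or len(reply) < 20 or not verify_response(reply, req_auth, secret):
        return False
    code, reply_ident, _, _ = parse_packet(reply)
    return code == ACCESS_ACCEPT and reply_ident == ident
```

The `transport` parameter stands in for the network; swapping in a function that forges an Access-Accept without the shared secret shows why the Response Authenticator check matters on the firewall side, while nothing about `mfa_backend` (push, OTP, hardware token) is visible to it.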

L4 Transporter

Re: Global Protect MFA Vendor Support

@nimark Thank you, this clarifies it better.

L4 Transporter

Re: Global Protect MFA Vendor Support

Can someone please explain the below in more detail?


"As you've said, through RADIUS you can integrate with any vendor (from the firewall's perspective this is RADIUS only; it doesn't care what's happening in the background, it just waits for the Access-Accept/Access-Reject message)."
