If you don't remember, we used to blog about different discussions that would come up on the LIVEcommunity discussion areas that we felt needed to be talked about in a weekly blog, aka Discussion of the Week (DOTW).
This week's topic is Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) for GlobalProtect (GP) and PAN-OS.
To start with, the main difference between MFA and 2FA is simple. Authentication factors fall into three categories: something you know, something you have, and something you are. Two-factor authentication always uses two of these factors to verify the user's identity. Multi-factor authentication could involve two of the factors or it could involve all three. “Multi-factor” just means any number of factors greater than one.
I am grouping these together in order to help clear up confusion as well as to help provide information and links on the configuration articles that we have on TechDocs.
There were actually 2 different threads that were talking about these subjects:
Overview of Multi Factor Authentication with Palo Alto Networks devices
Configuring MFA and 2FA can be tricky at times, as there are many moving components to get this to work properly.
One thing to look at is the order of authentication profiles in: GlobalProtect Gateway Configuration/Authentication.
The other is to ensure that the shared secret is set properly.
Other settings can complicate the configuration as well, but it is always recommended that you start with the Admin Guides, and then if needed, reach out to others here on the LIVEcommunity Discussion Areas (General Topics or GlobalProtect Discussions) for help.
For all of the information on configuring Authentication, please see these Admin Guides from the TechDocs area:
Note: Please remember that there are different guides depending on what version you select, so check the versions on the left-hand side of the window. You even have options to download the PDF file!
For setting up GP 2FA, please see: Set Up Two-Factor Authentication. There are sections there for using Certificate and Auth profiles, One Time Passwords (OTP), Smart Cards, and even Software Tokens.