2FA on both portal and gateway

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

2FA on both portal and gateway

L4 Transporter

If you have two factor auth on the portal and the gateway without using the cookie or passing the auth from the portal to the gateway will it ask you to authenticate twice?

15 REPLIES 15

Cyber Elite
Cyber Elite

Yes

@BPry

Makes sense that it would, but I can pass the authentication if I choose the cookie option can't I? I be that is what the native clients are not getting the routing information from the gateway cause they are only asked to authenticate once

Hi @jdprovine, hope you are well...

 

I dont think, in fact im pretty sure that native clients do not use the portal, they connect directly to the gateway.

 

so either i have got that wrong or you are having some other issues with routing info...

 

 

@Mick_Ball

hope you are doing well too....

Well I had never thought of that, interesting. Do you know the technical reason why? Seems like if it went to the gateway it should get the route information

@jdprovine,

Not really a technical answer, but IPSec deployments are never implemented the same across devices. The firewall will only send route infromation in a certain manner, whether the end-device has been programmed to accept the route as given is a different story. Most vendors won't take the time to implement every single possible method and don't generally keep up with the changes made throughout all the different implementations. This is why VPN clients are offered; they can ensure that they are both passing/expecting the proper information.

 

I'm fairly positive that @Mick_Ball is correct in the fact that native clients do not utilize the portal in the connection process. 

Spot on @BPry.

@BPry @Mick_Ball

So I have both radisu and OTP enabled on the gateway and the portal do I need it on both

ooer... this could get confusing...

 

for native clients, just the gateway but if you have GP clients then you will also need it on the portal.

 

having it on both without cookie....    well it's an OTP so it cannot be used again for the gateway, thats why the authentication overide (cookie stuff)is there

 

 

 

So about these cookies ..... 

Cookie Sir.jpg

In all seriousness in your situation @jdprovine I would really recommend that you keep OTP on both and then just enable authentication override so that users don't have to enter the OTP twice. 

 

 

 

@BPry

coooookkkkiiiieee. Love the cookie monster picture. So how will authentication override affect those user using the native client?

@BPry

So application override is set in the portal and then the information is passed onto the gateway? Course I am only going to do based on the affect it has on the native client

@jdprovine,

So the authentication override doesn't come into play with the Native clients, because they are only connecting to the gateway. Where the authentication override will come into play is when the GP agents login they will then only need to enter the OTP once when you get cookie Auth properly setup.

 

@BPry

So do you select  generate cookie for the overide on the portal and accept cookie on the gateway? It make even less sense that the native client doesn't get the routes from the gateway since is connecte directly to it

@jdprovine,

So the primary issue with expecting Native Clients to handle route information properly... When most clients (95%+) are unable to understand received route information they will generally fall-back to their default of 0.0.0.0/0, sending everything through the established tunnel. Just to verify, are you seeing the native clients route everything through the tunnel or are you getting  nothing through the tunnel?

This has always been a downside of using native clients, and why most vendors have moved away from them. You simply can't anticipate how others will implement things so stuff will always break as one side or the other makes changes. Now that most vendors are using agents it's even less of a concern for most, as most people will never even notice if it's broken. This essentially boils down to the fact that IPSec implementations really don't follow a set standard, they never have. 

  • 3764 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!