Dual Factor Authenticatin for Global Protect - possible?
cancel
Showing results for 
Search instead for 
Did you mean: 

Dual Factor Authenticatin for Global Protect - possible?

L4 Transporter

Folks.

 

Does anyone know if it's possible to integrate dual-factor authentication (SecureID or similar) into Global protect authentication?

 

Our business is requiring more and more rigid access control for VPN access (among other things), and I need to look into getting some form of 2FA integrated into our VPN sign on in the short to medium term.

 

Is this possible? Any pointers to guides anywhere?

 

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions

L2 Linker

We've been using Duo two factor along with requiring client certs on machines with a lot of success. This allows us to use two factor and ensure that we only have company approved equipment connect to the VPN.

 

We have the gateway set to use the Duo radius server (https://duo.com/docs/authproxy_reference) for authentication, which then verifes against AD and sends a push request to the users device to confirm authentication along with having a certificate profile setup to verify that a company issued AD cert is installed.

 

On the portal side we just have it verifying against AD directly with no certificate profile. That seems to be the best blend so users don't get requested to authenticate with two factor for config updates, just to actually log in.

View solution in original post

5 REPLIES 5

L7 Applicator

have you checked out this article: GlobalProtect Dual Factor Authentication with Client Certificate for Windows

Tom Piens
Like my answer? check out my book! https://bit.ly/MasteringPAN

L2 Linker

We've been using Duo two factor along with requiring client certs on machines with a lot of success. This allows us to use two factor and ensure that we only have company approved equipment connect to the VPN.

 

We have the gateway set to use the Duo radius server (https://duo.com/docs/authproxy_reference) for authentication, which then verifes against AD and sends a push request to the users device to confirm authentication along with having a certificate profile setup to verify that a company issued AD cert is installed.

 

On the portal side we just have it verifying against AD directly with no certificate profile. That seems to be the best blend so users don't get requested to authenticate with two factor for config updates, just to actually log in.

View solution in original post

Is any doing any OTP dual factor setups. It would be cool to somehow use Google Authenticator as a second factor.

-Brad


@reaper wrote:

have you checked out this article: GlobalProtect Dual Factor Authentication with Client Certificate for Windows


 

Yes, I have - but that's not really dual factor authentication in the context I'm using.

 

Compromise a user account and steal a laptop/PC with the certificate already installed - and you're in.

 

With an RSA os similar, you can steal the laptop, you can compromise the account, you can steal the token - but unless you're torturing the token owner for their PIN, you're not going to get in regardless of having the token.


@bgmncwj wrote:

We've been using Duo two factor along with requiring client certs on machines with a lot of success. This allows us to use two factor and ensure that we only have company approved equipment connect to the VPN.

 

We have the gateway set to use the Duo radius server (https://duo.com/docs/authproxy_reference) for authentication, which then verifes against AD and sends a push request to the users device to confirm authentication along with having a certificate profile setup to verify that a company issued AD cert is installed.

 

On the portal side we just have it verifying against AD directly with no certificate profile. That seems to be the best blend so users don't get requested to authenticate with two factor for config updates, just to actually log in.


 

That looks like it might be a workable solution - and has specific guides for PAN setup - I'll give it a closer look - thanks for the pointer.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!