09-12-2016 09:09 PM - edited 09-12-2016 09:10 PM
Folks.
Does anyone know if it's possible to integrate dual-factor authentication (SecurID or similar) into GlobalProtect authentication?
Our business is requiring more and more rigid access control for VPN access (among other things), and I need to look into getting some form of 2FA integrated into our VPN sign on in the short to medium term.
Is this possible? Any pointers to guides anywhere?
Thanks
09-13-2016 06:11 AM - edited 09-13-2016 06:14 AM
We've been using Duo two factor along with requiring client certs on machines with a lot of success. This allows us to use two factor and ensure that we only have company approved equipment connect to the VPN.
We have the gateway set to use the Duo RADIUS server (https://duo.com/docs/authproxy_reference) for authentication, which then verifies against AD and sends a push request to the user's device to confirm authentication, along with having a certificate profile set up to verify that a company-issued AD cert is installed.
On the portal side we just have it verifying against AD directly with no certificate profile. That seems to be the best blend so users don't get requested to authenticate with two factor for config updates, just to actually log in.
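The gateway-side setup described in this reply (GlobalProtect gateway -> Duo Authentication Proxy -> AD for the password check, then a Duo push) corresponds to a Duo Authentication Proxy config like the one below. This is an added illustration, not the poster's actual config; every hostname, DN, key and secret is a placeholder.

```ini
; authproxy.cfg - added example, not from the original post.
; Section and key names are Duo's; all values are placeholders.

[ad_client]
; Primary factor: the proxy binds to AD and checks the user's password.
host=dc1.example.internal
host_2=dc2.example.internal
service_account_username=svc-duo-proxy
service_account_password=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
search_dn=DC=example,DC=internal
; Optional: only members of this group may complete VPN login at all.
security_group_dn=CN=VPN-Users,OU=Groups,DC=example,DC=internal

[radius_server_auto]
; Second factor: after AD accepts the password, Duo pushes to the user's phone.
ikey=REPLACE_WITH_DUO_INTEGRATION_KEY
skey=REPLACE_WITH_DUO_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
; The GlobalProtect gateway is the RADIUS client; its shared secret must
; match the RADIUS server profile configured on the firewall.
radius_ip_1=10.0.0.1
radius_secret_1=REPLACE_WITH_RADIUS_SHARED_SECRET
client=ad_client
port=1812
; failmode=safe (the default) lets users in on password alone if Duo's
; cloud is unreachable; failmode=secure rejects logins instead, which is
; the setting to choose when the 2FA requirement is a hard control.
failmode=secure
```

The certificate profile that checks for the company-issued machine cert is configured separately on the firewall and is not part of the proxy config.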
09-13-2016 12:40 AM
have you checked out this article: GlobalProtect Dual Factor Authentication with Client Certificate for Windows
09-13-2016 10:37 AM
Is anyone doing any OTP dual-factor setups? It would be cool to somehow use Google Authenticator as a second factor.
09-13-2016 05:22 PM
@reaper wrote: have you checked out this article: GlobalProtect Dual Factor Authentication with Client Certificate for Windows
Yes, I have - but that's not really dual factor authentication in the context I'm using.
Compromise a user account and steal a laptop/PC with the certificate already installed - and you're in.
With an RSA or similar, you can steal the laptop, you can compromise the account, you can steal the token - but unless you're torturing the token owner for their PIN, you're not going to get in regardless of having the token.
09-13-2016 05:25 PM
@bgmncwj wrote: We've been using Duo two factor along with requiring client certs on machines with a lot of success. This allows us to use two factor and ensure that we only have company approved equipment connect to the VPN.
We have the gateway set to use the Duo RADIUS server (https://duo.com/docs/authproxy_reference) for authentication, which then verifies against AD and sends a push request to the user's device to confirm authentication, along with having a certificate profile set up to verify that a company-issued AD cert is installed.
On the portal side we just have it verifying against AD directly with no certificate profile. That seems to be the best blend so users don't get requested to authenticate with two factor for config updates, just to actually log in.
That looks like it might be a workable solution - and has specific guides for PAN setup - I'll give it a closer look - thanks for the pointer.