08-13-2018 06:56 AM
Hello,
i had configured a radius server (freeradius) that work with google_authenticator and active directory. So far this works that way:
- login via Global Protect Client with username and AD Password+OTP (password and OTP in 1 promt)
I need to enter the OTP seperate and not together with the password. How can i achieve this??
The portal and the gateway had the same authentication profile (use the radius server for both, first google_authenticator (forward_pass to AD). Also i do not understand the "Componets that required Dynamic Passswords (Two Factor Authentication) option, if i enabled thsi for ext. Gateway or Portal the behavior did not change i had to enter password+otp in one promt.
Maybe i had to configure this on the radius server, but if i login via SSH using radius the client ask for the "verification Code" after the password is entered so i think it should be configured on the firewall.
any ideas?
08-16-2018 11:23 AM
I understood how you want to use the two authentications of the portal and gateway and I wrote of low chances because it might be possible that somehow the process for the portal could have a problem while the gateway still works properly. Ok, the propability is extremely low, but in theory it is possible.
I also read some things about the google_authenticator pam module and I came to the same conclusion as you: without some rewriting of the module it isn't possible that this authentication module will be access-challenge compatible.
LinOTP is a very good idea I think. This way you will be able to configure the login flow in the LinOTP application (and in addition this software gives you way more possibilities about other configurations, user self registration, logging, ...)
08-14-2018 12:57 AM
Hi vsys_remo,
yes for the login into the web gui i use the same auth profile.
08-14-2018 03:22 AM
Hmn ... actually this is a setting on the RADIUS server where you define how the RADIUS server expects the password/otp, because the firewall only sends what it get from the user. The RADIUS server then answers with an ACCESS-ACCEPT, ACCESS-REJECT or ACCESS-CHALLENGE where the last one tells the firewall to show an additional inputprompt to the user where the OTP has to be entered.
08-14-2018 05:42 AM
ok thx.. i will take a look at RADIUS site and hopefuly change the behavior...
what do you think about the following workaround...:
1. Authtentication to Portal via LDAP auth profile (AD User + PW)
if success -->
2. Authentication to Gateway via RADIUS auth profile (Username (same format as AD Username) + OTP)
i do not know if this is the good practise or insecure...
Is it possible to connect to the Gateway without connecting to the Portal first?
In this case that wouldnt be a workarround for us...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!