Global Protect do not ask for OTP

Michael.Thyme · ‎08-13-2018

Hello,

i had configured a radius server (freeradius) that work with google_authenticator and active directory. So far this works that way:

- login via Global Protect Client with username and AD Password+OTP (password and OTP in 1 promt)

I need to enter the OTP seperate and not together with the password. How can i achieve this??

The portal and the gateway had the same authentication profile (use the radius server for both, first google_authenticator (forward_pass to AD). Also i do not understand the "Componets that required Dynamic Passswords (Two Factor Authentication) option, if i enabled thsi for ext. Gateway or Portal the behavior did not change i had to enter password+otp in one promt.

Maybe i had to configure this on the radius server, but if i login via SSH using radius the client ask for the "verification Code" after the password is entered so i think it should be configured on the firewall.

any ideas?

vsys_remo · ‎08-16-2018

@Michael.Thyme

I understood how you want to use the two authentications of the portal and gateway and I wrote of low chances because it might be possible that somehow the process for the portal could have a problem while the gateway still works properly. Ok, the propability is extremely low, but in theory it is possible.

I also read some things about the google_authenticator pam module and I came to the same conclusion as you: without some rewriting of the module it isn't possible that this authentication module will be access-challenge compatible.

LinOTP is a very good idea I think. This way you will be able to configure the login flow in the LinOTP application (and in addition this software gives you way more possibilities about other configurations, user self registration, logging, ...)

View solution in original post

vsys_remo · ‎08-13-2018

Hi @Michael.Thyme

Do you use the same Authentication Profile for GP and for admin access?

Michael.Thyme · ‎08-14-2018

Hi vsys_remo,

yes for the login into the web gui i use the same auth profile.

vsys_remo · ‎08-14-2018

Hmn ... actually this is a setting on the RADIUS server where you define how the RADIUS server expects the password/otp, because the firewall only sends what it get from the user. The RADIUS server then answers with an ACCESS-ACCEPT, ACCESS-REJECT or ACCESS-CHALLENGE where the last one tells the firewall to show an additional inputprompt to the user where the OTP has to be entered.

Michael.Thyme · ‎08-14-2018

ok thx.. i will take a look at RADIUS site and hopefuly change the behavior...

what do you think about the following workaround...:

1. Authtentication to Portal via LDAP auth profile (AD User + PW)

if success -->

2. Authentication to Gateway via RADIUS auth profile (Username (same format as AD Username) + OTP)

i do not know if this is the good practise or insecure...

Is it possible to connect to the Gateway without connecting to the Portal first?

In this case that wouldnt be a workarround for us...

Global Protect do not ask for OTP

Global Protect do not ask for OTP

Show your appreciation!