Global Protect MFA Vendor Support

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global Protect MFA Vendor Support

L4 Transporter

I am a bit confused with the MFA vendor supported by the firewall, because the Compatibility Matrix says that  MFA server profile is not supported for Global Protect?

https://docs.paloaltonetworks.com/compatibility-matrix/mfa-vendor-support/mfa-vendor-support-table.h...

 

 

I am aware that any MFA vendor can be configure over Radius Server, but presuming that we don’t use Radius ,  and we get one 4 supported vendors, e.g. RSA SecureID, can client–based and clientless GlobalProtect be configured with LDAP and 2FA?

1 accepted solution

Accepted Solutions

Direct MFA integration is meant to be used with Authentication Policy only (Captive Portal). If you are creating Authentication Profile and go under "Factor" you'll see a note stating: "The factors below are used only for Authentication Policy" (and the Factors are referencing MFA profiles). 

 

As you've said, through RADIUS you can integrate with any vendor (from firewall perspective, this is RADIUS only, it doesn't care what's happening in the background, just waiting for Access Accept/Reject message). 

 

A lot of confusion comes from the fact that MFA is used in Authentication Policies, and Authentication Policies if triggered for non-web-based traffic can trigger user notification through GP client (GP used only to relay the message from the firewall that there was an access attempt on port x, when firewall can't redirect the user to captive portal - for example ssh traffic).

 

Hope this helps!

View solution in original post

6 REPLIES 6

Cyber Elite
Cyber Elite

@OtakarKlier Thank you for responding. 

The article is not quite clear, but it is in fact hinting (under Step1) that only Radius based authentictaion is possible:

 

"If you are using two-factor authentication with GlobalProtect to authenticate to the gateway or portal, a RADIUS server profile is required. If you are using GlobalProtect to notify the user about an authentication policy match (UDP message), a Multi Factor Authentication server profile is sufficient."

 

It will be great if someone tried it and can share experience. I don't want to advise the customer to sign  up for one of 4 vendors, if then they will not work GlobalProtect. 

Direct MFA integration is meant to be used with Authentication Policy only (Captive Portal). If you are creating Authentication Profile and go under "Factor" you'll see a note stating: "The factors below are used only for Authentication Policy" (and the Factors are referencing MFA profiles). 

 

As you've said, through RADIUS you can integrate with any vendor (from firewall perspective, this is RADIUS only, it doesn't care what's happening in the background, just waiting for Access Accept/Reject message). 

 

A lot of confusion comes from the fact that MFA is used in Authentication Policies, and Authentication Policies if triggered for non-web-based traffic can trigger user notification through GP client (GP used only to relay the message from the firewall that there was an access attempt on port x, when firewall can't redirect the user to captive portal - for example ssh traffic).

 

Hope this helps!

@nimark Thank you, this calrifies it better

can someone please explain below in more detail

 

As you've said, through RADIUS you can integrate with any vendor (from firewall perspective, this is RADIUS only, it doesn't care what's happening in the background, just waiting for Access Accept/Reject message). 

MP

Help the community: Like helpful comments and mark solutions.

This post has long been solved, but for future onlookers this table is awesome to see what use cases and protocols can be used for MFA support.  https://docs.paloaltonetworks.com/compatibility-matrix/mfa-vendor-support/mfa-vendor-support-table.h...

 

Help the community: Like helpful comments and mark solutions.
  • 1 accepted solution
  • 8492 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!