03-06-2018 05:01 PM
I've been looking up and down and can't seem to find a solution. I'm trying to authenticate to the GlobalProtect gateway or portal via Radius (which is tied back to AD) then to DUO for MFA.
The user should point to the portal/gateway, receive a username/password prompt, authenticate via Radius, then receive a text message from DUO (or call) and accept. This should connect the user to the VPN right after.
I've set it up with one Radius profile with DUO as the second factor, and have that tied to the Portal. I've tried moving it around to be on the gateway and portal, just the gateway, just the portal, etc. I've either been failing, or getting on the VPN, albeit with a slow response time and multiple DUO prompts. I don't know what I'm doing wrong, and all the MFA documentation appears to be within a policy and not just authenticating to be on the network. I guess we can get it where anyone can log on, but then would have to authenticate via a FW policy, but we want to do it before they log onto the VPN.
Any help is appreciated. Thank you.
03-15-2018 09:41 AM
It ended up being a slight config miss, on top of not restarting the DUO authentication service on the proxy server. Once configured correctly and service restarted, it started working. I was trying to use the built-in MFA profile with Palo Alto, but that appears to only work for web portal authentication and not authentication to the portal/gateway for GlobalProtect. Thanks guys for the help!