This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
GlobalProtect with MFA/Dual Authentication
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- GlobalProtect with MFA/Dual Authentication
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-06-2018 05:01 PM
I've been looking up and down and can't seem to find a solution. I'm trying to authenticate to the GlobalProtect gateway or portal via Radius (which is tied back to AD) then to DUO for MFA.
The user should point to the portal/gateway, receive a username/password prompt, authenticate via Radius, then receive a text message from DUO (or call) and accept. This should connect the user to the VPN right after.
I've set it up with one Radius profile with DUO as the second factor. And have that tied to the Portal. I've tried moving it around to be on the gateway and portal, just the gateway, just the portal, etc. I've either been failing, or getting on the VPN, albeit a slow response time and multiple DUO prompts. I don't know what I'm doing wrong and all the MFA documentation appears to be within a policy and not just authenticating to be on the network. I guess we can get it where anyone can log on, but then would have to authenticate via a FW policy, but want to do it before they log onto the VPN.
Any help is appreciated. Thank you.
5 REPLIES 5
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-15-2018 09:41 AM
It ended up being a slight config miss, ontop of not restarting the DUO authentciation service on the proxy server. Once configured correctly and service restarted, it started working. I was trying to use the built in MFA profile with Palo Alto, but that appears to only work for web portal authentication and not authentication to the portal/gateway for globalprotect. Thanks guys for the help!
Related Content
- Unable to assign an authentication profile to an administrator within Panorama in Panorama Discussions
- Brute Force GlobalProtect Portal via GP app in Custom Signatures
- Virtual Adapter was not setup correctly due to a delay (WIN10) in GlobalProtect Discussions
- Server Monitoring of User-ID agent set-up shows Authentication failed /Connection refused error in General Topics
- Issue using MFA in GlobalProtect ) in GlobalProtect Discussions
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks