cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

GP- AD auth and SMS through ext radius

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
GeorgiosFakis
L3 Networker
‎09-06-2019 04:54 AM
‎09-06-2019 04:54 AM

GP- AD auth and SMS through ext radius

Hi all ,

 

Has anyone accomplished to authenticate external users 1st with AD through LDAP profile and then SMS through radius to another server ? 

 

I guess 1st authentication will done in the portal and SMS auth profile can be added on the gateway  ?

0 Likes
Reply

Accepted Solutions
MickBall
L7 Applicator
‎09-07-2019 06:32 AM
‎09-07-2019 06:32 AM

No, this cannot be done, the auth sequence will finish when the first in the list succeeds.

 

the closest option without using a purpose built MFA is LDAP or Radius combined with certificate..

View solution in original post

0 Likes
Reply

All Replies
MickBall
L7 Applicator
‎09-06-2019 08:03 AM
‎09-06-2019 08:03 AM

That would work but the only issue would be if the portal was unavailable...   the GP client would used last cached gateway info and user would only require SMS auth to gateway.

 

 

0 Likes
Reply
GeorgiosFakis
L3 Networker
‎09-07-2019 05:45 AM
‎09-07-2019 05:45 AM

thank you , so if I want to have the 2nd factor authentication like mentioned how is going to be configured ?  2 auth profiles in one auth sequence attached to both portal and gateway ?

0 Likes
Reply
MickBall
L7 Applicator
‎09-07-2019 06:32 AM
‎09-07-2019 06:32 AM

No, this cannot be done, the auth sequence will finish when the first in the list succeeds.

 

the closest option without using a purpose built MFA is LDAP or Radius combined with certificate..

View solution in original post

0 Likes
Reply
GeorgiosFakis
L3 Networker
‎09-20-2019 08:50 AM
‎09-20-2019 08:50 AM

Can I have LDAP profile to authenticate users against AD for the portal and then use authentication profile with RADIUS for SMS token delivery for the gateway ?

0 Likes
Reply
MickBall
L7 Applicator
‎09-20-2019 10:28 AM
‎09-20-2019 10:28 AM

Yes you can do that.

 

but just be aware...   

 

if the portal ever becomes unavailable the local client will use the last known portal config and attempt to connect to the gateway directly, so only passcode will be required...     this may also be confusing for users as they will not know if to use password or passcode...    

 

why do you feel you need both ?

 

does your sms passcode also require a username and PIN?

0 Likes
Reply
GeorgiosFakis
L3 Networker
‎09-20-2019 10:32 AM
‎09-20-2019 10:32 AM

I have multiple gateways and that means that Firewalls that have the portals they don't have the gateways and the firewalls with the gateways they don't have any portals .

 

I tried to attach LDAP-AD profile that works in the portal and the profile for the SMS provider to the gateways  which I have configured the firewalls to send vs source-ip only. But doesn't work because it seems that app sends the ad password as passcode since I get SMS that my account is locked but if I do the opposite and I use the SMS auth in the Portal and the LDAP-AP profile in the gateway then I get SMS , I put that since I am getting prompted and then auth fail with no reason but I suspect that this SMS passcode is being used in the gateway .

 

 

0 Likes
Reply
MickBall
L7 Applicator
‎09-20-2019 11:49 AM
‎09-20-2019 11:49 AM

What do you have in network/portal/config/authentication/save user credentials.

 

 

0 Likes
Reply
GeorgiosFakis
L3 Networker
‎09-21-2019 10:09 AM
‎09-21-2019 10:09 AM

I had save user name only and I tried also with no.

0 Likes
Reply
MP18
Cyber Elite
Cyber Elite
‎09-22-2019 07:44 AM
‎09-22-2019 07:44 AM

So in this config Portal and Gateway auth profile should match?

MP
0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks