This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

GP VPN dual factor auth, and contractor access.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

GP VPN dual factor auth, and contractor access.

cmateam
L3 Networker

‎07-02-2012 03:59 PM

I have two questions regarding the Global Protect Gateway / Portal (SAN the GP Licensing)

- I am wanting to setup two factor authentication for users to authenticate to Global Protect Gateway/Portal with a (common) client certificate installed on their machine that our IT department installs. I currently have just AD authentication integrated but want to prevent personal computers from logging into the portal and downloading the software and connecting into our network (even though we place VPN traffic into another subnet seperate from our Trust and Untrust network). It also provides additional security if a user account is compromised. My question is, do I specify this at the Gateway, and then export the client cert to be installed on each individual machine.  Is this a correct understanding?

-My second question is about allowing a contractor VPN into our network.  Since we want to provide a common cert to our staff, I don't want to provide the same cert to a contractor.  Must I create another Gateway and Portal to allow this guest to access what is needed inside our network with a completely different certificate.  When this contractor is done, I can just expire the cert?  Is this even possible under the GP san additional licensing? How would one accomplish this, can I create simply another portal, and certificate? 

0 Likes Likes
1 REPLY 1

BrutalDismount
L1 Bithead

‎07-03-2012 05:39 AM

For certificate authentication you need only create a certificate certificate profile for each use case and add it to the portal config as well as the gateway. If you use AD integrated CA, this is a breeze using auto enrollment.

We had this same conundrum for external parties. The solution was to create another issuing/policy CA to our 3 tier architecture. Our information security department also is in charge of the root CA so this was an easy decision. Then we created a vendor portal where external users can access and request a certificate using a customized certsrv page and template. When an external party is done, we just revoke the cert and update the crl/ocsp and they are no longer able to connect. A separate portal is not entirely necessary unless you want complete segmentation. I just use AD groups and portal config to push the appropriate user to the correct gateway, as well as enable "on demand" mode.

  • 3170 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks