10-02-2012 07:05 AM
Can someone point me to a document for configuring two-factor authentication in GlobalProtect?
Thx
10-02-2012 08:07 AM
Hello,
You can do multi-factor by performing client cert auth in addition to authentication to your LDAP/Radius/Kerberos server.
I am not sure if you have gone through the following threads to see if it is useful:-
https://live.paloaltonetworks.com/message/10462#10462
https://live.paloaltonetworks.com/message/18731#18731
https://live.paloaltonetworks.com/docs/DOC-1934
Regards
Parth
10-02-2012 08:27 AM
Hi Parth,
Thanks for your reply. However, I would like to use a token for the second pass. Can I do that with GP?
Thanks, Jeff
10-02-2012 08:37 AM
Jeff,
Yes, RADIUS (SecurID) can be used as a secondary means of authentication. Ensure that the username for the RADIUS authentication is configured for the GP gateway stage and is the same as that which is used at the portal stage, as you will not be prompted to add the username at the gateway level.
You will, however, be allowed to enter the password, and here is where you'd enter the RADIUS SecurID one-time password as the password.
Let me know if that helps.
Regards
Parth
10-02-2012 08:44 AM
Parth,
Let me just confirm what you said. So, I can leave my GP Portal Auth Profile as AD but I should change my Ext Gateway Auth Profile to be the RADIUS Proxy Server for my token system. I'm not using SecurID, I'm using Duo Security. The only thing is that the user credentials in the RADIUS Proxy Server need to be the same as they are in AD. Correct??
So, when do I get prompted for the token password? Will something pop up from the GP Client?
Thanks,
Jeff
10-02-2012 03:10 PM
Parth,
Is it possible to configure two GP Gateways on the same interface? I want to have one use AD for authentication for certain users and the other to use two-factor authentication for my advanced users.
Thx, Jeff
10-02-2012 03:17 PM
Jeff,
You should see a dialogue box pop up at the gateway authentication. But as mentioned before, the username (from the AD) set for the portal authentication and the gateway should be the same, as during the gateway authentication we get a prompt to enter the one-time password.
Regards
Parth
10-02-2012 03:21 PM
Parth,
Yes, I got that part working just fine. I just was wondering if I can create two different External Gateway profiles that use the same interface. So, I would have the GP Portal, Ext GW-1 and Ext GW-2 all bound to the same External Interface. Can I do that?
Thx, Jeff
10-02-2012 03:34 PM
Never mind... I just tried it and it will not allow me to do what I want. Unless, you know of another way to do it with one interface?
10-02-2012 03:38 PM
Jeff,
I have not seen this implementation of having two gateway profiles associated to a single gateway IP address and am not 100% sure.
As per the tech note, one or more interfaces on one or more Palo Alto Networks firewalls can be configured as a gateway.
Regards
Parth
10-02-2012 04:18 PM
Hi Jeff,
You are right, it won't work.
You definitely need to have two IP addresses for the gateways.
How about adding a secondary IP on the interface and assigning the second gateway profile to the secondary IP address?
Example:-
Portal IP: eth 1/3 10.30.6.54/24
eth 1/3 10.30.6.54/24 (GW1)
10.30.6.110/32 (secondary IP) (GW2)
One gateway :- uses LDAP, tunnel.1
Another gateway :- uses RADIUS, tunnel.2
Should work. But it will require a gateway license.
Thanks
Parth
10-02-2012 04:52 PM
Hi Parth,
I had the same idea in mind; however, I can't put a secondary IP on the interface because I only have one public IP address for that interface. But I see that would potentially work.
Thx for all of your help!
10-26-2012 12:57 PM
Hi Ppatel,
I have LDAP with the attribute mail for the GP portal. In RADIUS (RSA) the usernames are mail addresses. But it doesn't work: when I captured the RADIUS packets coming from the PA I saw the username mail address is changed to domain.com\user.
So summary:
Portal:
username: user1@domain.com
pwd: AD password
GW:
username send to RSA: domain.com\user1
pwd: OTP.
But I get an error from RSA because it's waiting for user1@domain.com.
Can this issue be solved? RSA users are only known by mail address.
Regards,
Kevin
08-05-2014 06:45 AM
Kevin
How about swapping the authentication profile for the Portal and the Gateway: RADIUS authentication on the Portal and LDAP on the Gateway. RADIUS will push the user1@domain.com to the gateway and then prompt. Not the typical configuration, but it will still do two-factor authentication.
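Two points in this thread come down to username identity: Parth's note that the portal-stage and gateway-stage usernames must be the same (the gateway never re-prompts for it), and Kevin's capture showing the portal's `user1@domain.com` arriving at the RSA server as `domain.com\user1`. The helper below is an added example, not code from the thread or from Palo Alto Networks or RSA; it is a hypothetical normalization routine of the kind a RADIUS proxy or a troubleshooting script could use to recognise the UPN, down-level (`DOMAIN\user`) and bare forms of a login name, convert between them, and tell whether two differently formatted names refer to the same account. The usernames and domain are constructed sample values.

```python
"""Hypothetical username-format helper (added example, not from the thread).

Recognises the three login-name shapes that appear in the thread:
  UPN          user1@domain.com
  down-level   domain.com\\user1   (also DOMAIN/user1)
  bare         user1               (domain supplied by the caller)
"""
import re

# Character class excludes '\', '/' and '@' so each part is unambiguous.
DOWN_LEVEL = re.compile(r"^(?P<domain>[^\\/@]+)[\\/](?P<user>[^\\/@]+)$")
UPN = re.compile(r"^(?P<user>[^\\/@]+)@(?P<domain>[^\\/@]+)$")
BARE = re.compile(r"^(?P<user>[^\\/@]+)$")


def parse_username(raw, default_domain=None):
    """Split a login name into a (user, domain) tuple, lower-cased.

    A bare name takes default_domain (or an empty domain if none is given).
    Raises ValueError for anything that does not match one of the shapes.
    """
    raw = raw.strip()
    for pattern in (DOWN_LEVEL, UPN):
        match = pattern.match(raw)
        if match:
            return match.group("user").lower(), match.group("domain").lower()
    match = BARE.match(raw)
    if match:
        return match.group("user").lower(), (default_domain or "").lower()
    raise ValueError(f"unrecognised username format: {raw!r}")


def to_upn(raw, default_domain=None):
    """Render a login name as user@domain (the form Kevin's RSA server expects)."""
    user, domain = parse_username(raw, default_domain)
    return f"{user}@{domain}" if domain else user


def to_down_level(raw, default_domain=None):
    """Render a login name as domain\\user (the form seen in Kevin's capture)."""
    user, domain = parse_username(raw, default_domain)
    return f"{domain}\\{user}" if domain else user


def same_identity(portal_name, gateway_name, default_domain=None):
    """True when the portal-stage and gateway-stage names denote one account.

    This is the check Parth describes: the gateway reuses the portal username,
    so a format change alone (UPN vs down-level) must not count as a mismatch.
    """
    return parse_username(portal_name, default_domain) == parse_username(
        gateway_name, default_domain
    )


def radius_name_for(portal_name, backend_format, default_domain=None):
    """Pick the on-the-wire username for a RADIUS backend.

    backend_format is 'upn' or 'down-level' (a constructed setting name,
    standing in for whatever the proxy or backend actually expects).
    """
    if backend_format == "upn":
        return to_upn(portal_name, default_domain)
    if backend_format == "down-level":
        return to_down_level(portal_name, default_domain)
    raise ValueError(f"unknown backend format: {backend_format!r}")


if __name__ == "__main__":
    # Constructed sample values mirroring Kevin's post.
    portal_login = "user1@domain.com"
    captured_on_wire = "domain.com\\user1"
    print("same account:", same_identity(portal_login, captured_on_wire))
    print("RSA expects :", radius_name_for(captured_on_wire, "upn"))
```

Running the block prints that the two names are the same account and that the name to send to an RSA-style backend is `user1@domain.com`; the `same_identity` check is the one to apply when comparing a portal-stage login against what a packet capture shows leaving for the RADIUS server.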