How to configure two-factor auth in GlobalProtect

Hi Parth,

Thanks for your reply.  However, I would like to use a token for the second pass.  Can I do that with GP?

Thanks,Jeff

Jeff,

Yes, RADIUS (secure ID) can be used as a secondary means of authentication. Ensure that the username for the RADIUS authentication is configured for the GP gateway stage and  is the same as that which is used at the portal stage as you will not be prompted to add the username at the Gateway level

You will however will allowed to enter the password and here is where you'd enter the RADIUS secure ID one time password  as the password

Let me know if that helps.

Regards

Parth

Parth,

Let me just confirm what you said. So, I can leave my GP Portal Auth Profile as AD but, I should change my Ext Gateway Auth Profile to be the Radius Proxy Server for my token system.  I'm not using SecureID, I'm using Duo Security.  The only thing is that the user credentials in the Radius Proxy Server needs to be the same as they are in AD.  Correct??

So, when do I get prompted for the token password?  Will something pop up from the GP Client?

Thanks,
Jeff

Parth,

Is it possible to configure two GP Gateways on the same interface?  I want to have one use AD for authentication for certain users and the other to use two-factor authentication for my advanced users.

Thx, Jeff

Jeff,

You should be seeing the a dialogue box pop up at the gateway authentication. But as mentioned before, the username (from the AD )set for the portal authentication and the gateway should be the same as during the gateway authentication , we get a prompt to enter the one time password .

Regards

Parth

Parth,

Yes, I got that part working just fine.  I just was wondering if I can create two different External Gateway profiles that use the same interface.  So, I would have the GP Portal, Ext GW-1 and Ext GW-2 all bound to the same External Interface.  Can I do that?

Thx, Jeff

Never mind... I just tried it and it will not allow me to do what I want.  Unless, you know of another way to do it with one interface?

Jeff,

I have not seen this implementation of having two gateway profiles associated to the a single gateway ip-address and am not 100% sure.

As per the tech note we can have One or more interfaces on one or more Palo Alto Networks firewalls that can be configured as gateway.

Regards

Parth

Hi Parth,

I had the same idea in mind however, I can't put a secondary IP on the interface because I only have one Public IP address for that interface.  But, I see that would potentially work.

Thx for all of your help!

Hi Ppatel,

I have for GP-portal ldap with attribute mail. In Radius RSA usernames are mail addres. But doen't work, when I captured radius packets comming from PA I saw the username mail addres is changed to domain.com\user.

So summary:

Portal:

username: user1@domain.com

pwd: AD password

GW:

username send to RSA: domain.com\user1

pwd: OTP.

But I get an error from RSA because he's waiting for user1@domain.com.

Can this issue be solved? RSA users are only known by mail addres.

Regards,

Kevin

Kevin

How about swapping the authentication profile for the Portal and the Gateway - RADIUS authentication on Portal and LDAP on the Gateway. RADIUS will push the user1@domain.com to the gateway and then prompt. Not the typical configuration but will still do two factor authentication.