How to configure two-factor auth in GlobalProtect


Can someone point me to a document for configuring two-factor authentication in GlobalProtect?

Thx


13 Replies

Hello,


You can do multi-factor by performing client cert auth in addition to authentication to your LDAP/Radius/Kerberos server.

I am not sure if you have gone through the following threads to see if it is useful:-

https://live.paloaltonetworks.com/message/10462#10462

https://live.paloaltonetworks.com/message/18731#18731

https://live.paloaltonetworks.com/docs/DOC-1934


Regards

Parth

Hi Parth,

Thanks for your reply.  However, I would like to use a token for the second pass.  Can I do that with GP?

Thanks, Jeff

Jeff,

Yes, RADIUS (SecurID) can be used as a secondary means of authentication. Ensure that the username for the RADIUS authentication is configured for the GP gateway stage and is the same as that which is used at the portal stage, as you will not be prompted to add the username at the gateway level.

You will, however, be allowed to enter the password, and here is where you'd enter the RADIUS SecurID one-time password as the password.

Let me know if that helps.

Regards

Parth

Parth,

Let me just confirm what you said. So, I can leave my GP Portal Auth Profile as AD, but I should change my Ext Gateway Auth Profile to be the Radius Proxy Server for my token system.  I'm not using SecurID, I'm using Duo Security.  The only thing is that the user credentials in the Radius Proxy Server need to be the same as they are in AD.  Correct??

So, when do I get prompted for the token password?  Will something pop up from the GP Client?

Thanks,
Jeff

Parth,

Is it possible to configure two GP Gateways on the same interface?  I want to have one use AD for authentication for certain users and the other to use two-factor authentication for my advanced users.

Thx, Jeff

Jeff,

You should be seeing a dialogue box pop up at the gateway authentication. But as mentioned before, the username (from AD) set for the portal authentication and the gateway should be the same, as during the gateway authentication we get a prompt to enter the one-time password.

Regards

Parth

Parth,

Yes, I got that part working just fine.  I just was wondering if I can create two different External Gateway profiles that use the same interface.  So, I would have the GP Portal, Ext GW-1 and Ext GW-2 all bound to the same External Interface.  Can I do that?

Thx, Jeff

Never mind... I just tried it and it will not allow me to do what I want.  Unless, you know of another way to do it with one interface?

Jeff,

I have not seen this implementation of having two gateway profiles associated to a single gateway IP address and am not 100% sure.

As per the tech note, we can have one or more interfaces on one or more Palo Alto Networks firewalls that can be configured as gateways.

Regards

Parth

Hi Jeff,


You are right, it won't work.

You definitely need to have two IP addresses for the gateways.

How about adding a secondary IP on the interface and assigning the second gateway profile to the secondary IP address?

Example:

Portal IP:  eth 1/3   10.30.6.54/24

GW1:        eth 1/3   10.30.6.54/24

GW2:        eth 1/3   10.30.6.110/32 (secondary IP)

One gateway: uses LDAP, tunnel.1

Another gateway: uses Radius, tunnel.2

Should work. But it will require a gateway license.


Thanks

Parth

Hi Parth,

I had the same idea in mind; however, I can't put a secondary IP on the interface because I only have one public IP address for that interface.  But I see that would potentially work.

Thx for all of your help!

Hi Ppatel,

I have LDAP with the attribute mail for the GP portal. In RADIUS RSA, usernames are mail addresses. But it doesn't work: when I captured RADIUS packets coming from the PA, I saw the username mail address is changed to domain.com\user.

So summary:

Portal:

username: user1@domain.com

pwd: AD password

GW:

username sent to RSA: domain.com\user1

pwd: OTP.

But I get an error from RSA because it's waiting for user1@domain.com.

Can this issue be solved? RSA users are only known by mail address.

Regards,

Kevin

Kevin,

How about swapping the authentication profile for the Portal and the Gateway - RADIUS authentication on Portal and LDAP on the Gateway. RADIUS will push the user1@domain.com to the gateway and then prompt. Not the typical configuration but will still do two-factor authentication.
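The username rewrite Kevin saw in his capture can be confirmed by reading the User-Name attribute (type 1, RFC 2865) out of the Access-Request the firewall sends. The following is an added example, not part of the original thread or of any Palo Alto Networks or RSA tooling; the packet is constructed inline, and the function names, the NAS address 192.0.2.1 and the expected name are assumptions for illustration.

```python
import struct

USER_NAME = 1  # RADIUS attribute type for User-Name (RFC 2865)

def build_access_request(username: bytes) -> bytes:
    """Build a constructed Access-Request (code 1) so the parser runs offline."""
    attrs = bytes([USER_NAME, 2 + len(username)]) + username
    attrs += bytes([2, 18]) + bytes(16)               # User-Password, dummy hidden value
    attrs += bytes([4, 6]) + bytes([192, 0, 2, 1])    # NAS-IP-Address (constructed)
    header = struct.pack("!BBH", 1, 0x2A, 20 + len(attrs)) + bytes(16)
    return header + attrs

def radius_attributes(packet: bytes):
    """Yield (type, value) pairs, rejecting truncated or malformed packets."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def user_name(packet: bytes) -> str:
    for atype, value in radius_attributes(packet):
        if atype == USER_NAME:
            return value.decode("utf-8")
    raise ValueError("no User-Name attribute")

def name_format(name: str) -> str:
    """Classify the name as down-level (domain\\user), UPN/mail style, or bare."""
    if "\\" in name:
        return "domain\\user"
    if "@" in name:
        return "user@domain"
    return "bare"

def check(packet: bytes, expected: str) -> dict:
    """Compare what the gateway sent with what the RADIUS server has on file."""
    sent = user_name(packet)
    return {"sent": sent, "format": name_format(sent), "match": sent == expected}
```

Running `check()` over the Access-Request bytes from a capture shows whether the name on the wire is in the form the token server expects before any profile is changed.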
