Multi-factor Authentication


L0 Member

Does the PAN NetConnect client or browser-initiated VPN connection support multi-factor authentication? I know that you support AD and RADIUS, but can it be done at the same time? I only see a Password field in the logins and cannot see how one can change/config this login so that it also has a token field for, say, an RSA SecurID solution.

Thanks,

Kim

15 REPLIES

L6 Presenter

You can do multi-factor by performing client cert auth in addition to authentication to your LDAP/RADIUS/Kerberos server. Here's a doc for client cert for SSL VPN.

https://live.paloaltonetworks.com/docs/DOC-1934

Regards,

Renato    

Thanks! We prefer not installing certs on home machines. Is multi-factor authentication with windows password and RSA token on the feature roadmap for PaloAlto? If so, when?

Thanks, but I know how to configure RADIUS and SecurID. What I do not see is the ability to do both RADIUS and Windows authentication at the same time, like most other VPN solutions offer. Is this on your roadmap to support?

... comment in first post

I only see a Password field in the logins and cannot see how one can change/config this login so that it also has a token field as well for say an RSA SecurID solution.

I wasn't aware that RSA allows Windows authentication? Only the tokencode.

We have RSA implemented via PA and only use the token code. I'm sure the RSA SecurID system doesn't allow you to use Windows authentication. However, third-party clients can.

For example, we also have a FirePass for remote access, and the FirePass login screen allows you to place a dialog box at login to capture the Windows password and a separate box for the RSA SecurID token. The Windows password never reaches the RSA system as it's used for the internal login process on the F5; it caches your password and is used when launching TS apps from the FirePass webtop, which stops the need to log in a second time to the TS apps. You can still log into the FirePass without putting in a Windows password and it still works.

I don't see the requirement for a second Windows authentication password feature on the PA, unless a future feature set gives you the ability to launch TS applications.

Rod

Sorry, my explanation was not clear. I want the PA client to offer a Windows login field and an RSA token field like most other VPN clients offer. The VPN client will authenticate Windows first (can be RSA first if you want) through AD and then, if successful, authenticate to RSA with the tokencode. The FirePass method of providing 2 login fields (RSA + Windows) is exactly what I want the Palo Alto client to do. This way my remote users are granted a VPN connection to do anything after they have been authenticated twice. For some important business apps, I will force another authentication, but for things like intranet, the VPN connection authentication is sufficient.

Hi Kim,

As you point out, this type of multi-factor authentication is common with certain types of SSL VPN to provide a single sign-on experience for the user. This only works when the SSL VPN is using a browser type of presentation (web rewrite), since the VPN is interacting at the application layer.

GlobalProtect and NetConnect provide pure layer 3 tunnels over IPsec and SSL, so they do not provide single sign-on functionality for applications running over the tunnel. There is no web rewrite functionality, so there is no way for the VPN client to interact on the user's behalf when the authentication page is presented by an application.

It might be possible for the application to authenticate against the OS cached credentials, which would obviate the need for single sign-on solutions that use this type of trick.

Cheers,

Kelly

L1 Bithead

Hi Kim,

We use Quest Defender for our 2-factor authentication with PAN via RADIUS. It ties in with AD, and even though you still only get the username and password entry fields in the NetConnect login screen, you can configure Defender to use the AD username with either just the token or the AD password and the token combined in the password entry box. In our use we require username and token + password.

Don't know if RSA SecurID allows for the same options though.

Regards,

Pierre
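The "AD password and the token combined in the password entry box" approach Pierre describes (and the PIN + tokencode passcode discussed later in the thread) works because the RADIUS server splits the single password field itself. The following is an added illustration of that server-side split, not code from Quest Defender, RSA or Palo Alto Networks: it assumes a fixed 6-digit tokencode at the end of the field, uses RFC 4226 HOTP with the RFC's published test secret as a stand-in for a hardware token, and replaces the AD and token back ends with constructed in-memory dictionaries.

```python
import hmac
import hashlib

DIGITS = 6  # assumption: the tokencode is always the last 6 characters of the field


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class CombinedPasswordAuthenticator:
    """Constructed stand-in for a RADIUS server that expects '<AD password><tokencode>'
    in the single password attribute the VPN client sends."""

    def __init__(self, directory: dict, tokens: dict, look_ahead: int = 3):
        self.directory = directory      # user -> AD password (mock directory)
        self.tokens = tokens            # user -> {"secret": bytes, "counter": int}
        self.look_ahead = look_ahead    # tolerate a few unused button presses on the token

    def _check_password(self, user: str, password: str) -> bool:
        expected = self.directory.get(user, "")
        # constant-time compare so a wrong password does not leak its matching prefix length
        match = hmac.compare_digest(password.encode(), expected.encode())
        return match and expected != ""

    def _check_token(self, user: str, code: str):
        """Return the counter value that produced `code`, or None if no value in the window does."""
        tok = self.tokens.get(user)
        if tok is None:
            return None
        for i in range(tok["counter"], tok["counter"] + self.look_ahead):
            if hmac.compare_digest(hotp(tok["secret"], i), code):
                return i
        return None

    def authenticate(self, user: str, combined: str):
        """Split the combined field, verify both factors, and consume the tokencode on success."""
        if len(combined) <= DIGITS:
            return False, "password field too short to contain a tokencode"
        password, code = combined[:-DIGITS], combined[-DIGITS:]
        if not code.isdigit():
            return False, "trailing characters are not a numeric tokencode"
        pw_ok = self._check_password(user, password)
        matched = self._check_token(user, code)   # evaluated even if the password failed
        if not (pw_ok and matched is not None):
            return False, "password or tokencode rejected"   # one generic reason to the client
        # Advance the counter only on full success so a password typo does not burn the code,
        # and so the same code cannot be replayed afterwards.
        self.tokens[user]["counter"] = matched + 1
        return True, "ok"


def make_demo_authenticator() -> CombinedPasswordAuthenticator:
    """Constructed sample data: one user, the RFC 4226 test secret, counter starting at 0."""
    directory = {"kim": "Winter2024!"}
    tokens = {"kim": {"secret": b"12345678901234567890", "counter": 0}}
    return CombinedPasswordAuthenticator(directory, tokens)


if __name__ == "__main__":
    auth = make_demo_authenticator()
    for attempt in ("Winter2024!755224", "Winter2024!755224", "wrongpass287082",
                    "Winter2024!287082", "Winter2024!abcdef"):
        print(attempt, "->", auth.authenticate("kim", attempt))
```

The split rule is the weak point of this design: because the client only ever sends one string, the server has to know where the password ends, which is why products that do this fix the tokencode length or require a separator. Note also that the counter is advanced only after both factors pass, so a replayed tokencode is rejected, and that the client receives a single generic failure reason while the detailed reason stays available for server-side logging.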

Hey Kelly,

Thanks for the clarification! This really helps highlight the limitations of SSO integration for all VPNs.

I would still like the PAN to allow the ability for a Windows password field and an RSA SecurID token field so that our remote VPN connection itself uses 2-factor authentication. This will provide better security in case a password is compromised or a token is lost/stolen. I realize that SSO is not a reality, but at least I have better trust in those making the VPN connection.

Thanks,

Kim

Hey Pierre,

Great suggestions!! SecurID does allow a PIN + tokencode, which forms the passcode. Unfortunately, the PIN does not follow our Windows password strength policy and is local to RSA only. This PIN is authenticated by the RSA server and not AD.

Cheers,

Kim

Hi Kim

RSA classes two-factor authentication as token passcode + a user-enabled PIN. AD or any other LDAP directory account is never classified within the two-factor authentication process. If you're thinking RSA + AD authentication = 2 factor, then this is wrong. It's RSA token code + PIN = 2 factor.

Like it's been mentioned in this thread, there are other VPN / remote access solutions that allow you to incorporate an AD password field, which works with that appliance's features only.

Rod

Thanks Rod!

Ya, I know that RSA cannot do the AD authentication as part of their passcode. I want to avoid the PIN if possible, as it is yet another password for the user to remember. I know RSA best practices recommend the PIN, but if we always force a tokencode and an AD password for every application, then we do not need the PIN and achieve 2 levels of authentication. The RSA Windows agent does exactly this. You can enter a tokencode (no PIN) or a passcode (PIN) and, if successful, it pops up another window for your domain password. This Windows authentication is configurable in that it can be enabled or disabled. This is the multi-factor that we want, and not the PIN and tokencode.

It is just a matter of implementation.

Kim

L4 Transporter

Have you looked at http://www.phonefactor.com? We are using it as a second-factor authentication with our SSL VPN. It uses a RADIUS pass-through authentication to AD. The PhoneFactor configuration determines if the second factor is used. We hope to start using it with GlobalProtect.

Just another great solution we use for GlobalProtect and 2-factor authentication. The VPN users are authenticated against MS AD. It's called Duo Security; the users really like the push functionality, and it is indeed very good value for the money. It's also easy to implement.

https://www.duosecurity.com/duo-push
