Multi-factor Authentication

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Multi-factor Authentication

L0 Member

Does the PAN Netconnect client or browser initiated VPN connection support multi-factor authentication? I know that you support AD and Radius but can it be done at the same time. I only see a Password field in the logins and cannot see how one can change/config this login so that it also has a token field for say an RSA SecurID solution.

Thanks,

Kim

15 REPLIES 15

L6 Presenter

You can do multi-factor by performing client cert auth in addition to authentication to your LDAP/Radius/Kerberos server. Here's a doc for client cert for ssl-vpn.

https://live.paloaltonetworks.com/docs/DOC-1934

Regards,

Renato    

Thanks! We prefer not installing certs on home machines. Is multi-factor authentication with windows password and RSA token on the feature roadmap for PaloAlto? If so, when?

Thanks but I know how to configure Radius and SecurID. What I do not see, is the ability to do both Radius and Windows authentication at the same time like most other VPN solutions offer? Is this on your roadmap to support?

... comment in first post

I only see a Password field in the logins and cannot see how one can change/config this login so that it also has a token field as well for say an RSA SecurID solution.

I wasn't aware that RSA allows windows authenticaiton? only tokencode.

We have RSA implamented via PA and only use the token code. I'm sure the RSA secure id system doesn't allow you to use windows authenticaiton. However third party clients can.

For example we also have a Firepass for remote access and the Firepass login screen allows you to place a dialog box at login to capture the windows password and a seperate box for the RSA secure token id. The windows password never reaches the RSA system as it's used for the internal loging process on the F5, it caches your password and is used when launcing TS apps from the Firepass webtop, this stops the need to login a second time to the TS apps. You can still log into the Firepass without putting a windows password and it still works.

I don't see the requirement for a second windows authenticaiton password featue on the PA - unless a future feature set that gives you the ability to launch TS applicaitons.

Rod

Sorry, my explanation was not clear. I want the PA client to offer a Windows login field and an RSA token field like most other VPN clients offer. The VPN client will authenticate Windows first (can be RSA first if you want) through AD and then if successful, authenticate to RSA with the tokencode. The firepass method of providing 2 login fields (RSA + Windows) is exactly what I want the Palo Alto client to do. This way my remote users are granted a VPN connection to do anything after they have been authenticated twice. For some important business aps, I will force another authentication but for things like intranet, the VPN connection authentication is sufficient.

Hi Kim,

As you point out, this type of multi-factor authentication is common with certain types of SSL VPN to provide a single sign-on experience for the user.  This only works when the SSL VPN is using a browser type of presentation (web rewrite) since the VPN is interacting at the application layer.

Global Protect and NetConnect provide pure layer 3 tunnels over IPSEC and SSL, so do not provide single sign-on functionality for applications running over the tunnel.  There is no web rewrite functionality so there is no way for the VPN client to interact on the user's behalf when the authentication page is presented by an application. 

It might be possible for the application to authenticate against the OS cached credentials, which would obviate the need for single sign-on solutions that use this type of trick.

Cheers,

Kelly

L1 Bithead

Hi Kim,

We use Quest Defender for our 2-factor authentication with PAN via RADIUS. It ties in with AD and even though you still only get the username and password entry fields in the NetConnect login screen you can configure Defender to use the AD username with either just the token or the AD password and the token combined, in the password entry box. In our use we require username and token + password.

Don't know if RSA SecurID allows for the same options though.

Regards,

Pierre

Hey Kelly,

Thanks for the clarification! This really helps highlight the limitations of SSO integration for all VPNs.

I would still like the PAN to allow the ability for a Windows password field and a RSA securID token field so that our remote VPN connection itself uses 2 factor authentication. This will provide better security in case a password is compromised or a token is lost/stolen. I realize that SSO is not a reality but at least I have better trust in those making the VPN connection.

Thanks,

Kim

Hey Pierre,

Great suggestions!! SecurID does allow a PIN + tokencode which forms the passcode. Unfortunately, the PIN does not follow our windows password strength policy and is local to RSA only. This PIN is authenticated by the RSA server and not AD.

Cheers,

Kim

Hi Kim

RSA classess two factor authenticaiton as token passcode + a user enabled PIN. AD or any other LDAP directory account is never classified within the two factor authenticaiton process. If your thinking RSA + AD authenticaiton = 2 factor then this is wrong. it's RSA token code + PIN = 2 factor.

Like it's been mentioned in this thread there are other VPN / remote access solutions that allow you to incorporate a AD password field which works with that appliance features only.

Rod

Thanks Rod!

Ya I know that RSA cannot do the AD authentication as part of their passcode. I want to avoid the PIN if possible as it is yet another password for the user to remember. I know RSA best practices recommend the PIN but if we always force a tokencode and an AD password for every application, then we do not need the PIN and achieve 2 levels of authentication. The RSA windows agent does exactly this. You can enter a tokencode (no PIN) or a passcode (PIN) and if successful, it pops up another window for your domain password. This windows authentication is configurable in that it can be enabled or disabled. This is the multi-factor that we want and not the PIN and tokencode.

It is just a matter of implementation.

Kim

L4 Transporter

Have you looked at http://www.phonefactor.com  we are using it as a second factor authentication with our ssl vpn.  Uses a radius pass through authentication to AD. The Phonefactor configuration determines if the second factor is used.  We hope to start using it with Global Protect

Just another great solution we use for Global Protect and  2 factor authentication. The vpn users are authenticated against MS AD. It's called Duo Security, the users really like the push functionality and it is indeed very good value for the money. It's also easy to implement.

https://www.duosecurity.com/duo-push

  • 8022 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!