Multi-factor Authentication


L0 Member

Does the PAN NetConnect client or browser-initiated VPN connection support multi-factor authentication? I know that you support AD and RADIUS, but can it be done at the same time? I only see a Password field in the logins and cannot see how one can change/configure this login so that it also has a token field for, say, an RSA SecurID solution.

Thanks,

Kim


L6 Presenter

You can do multi-factor by performing client cert auth in addition to authentication to your LDAP/RADIUS/Kerberos server. Here's a doc for client cert for SSL VPN.

https://live.paloaltonetworks.com/docs/DOC-1934

Regards,

Renato    

Thanks! We prefer not installing certs on home machines. Is multi-factor authentication with Windows password and RSA token on the feature roadmap for Palo Alto? If so, when?

Thanks, but I know how to configure RADIUS and SecurID. What I do not see is the ability to do both RADIUS and Windows authentication at the same time, like most other VPN solutions offer. Is this on your roadmap to support?

... comment in first post

I only see a Password field in the logins and cannot see how one can change/configure this login so that it also has a token field as well for, say, an RSA SecurID solution.

I wasn't aware that RSA allows Windows authentication? Only tokencode.

We have RSA implemented via PA and only use the token code. I'm sure the RSA SecurID system doesn't allow you to use Windows authentication. However, third-party clients can.

For example, we also have a FirePass for remote access, and the FirePass login screen allows you to place a dialog box at login to capture the Windows password and a separate box for the RSA SecurID token. The Windows password never reaches the RSA system, as it's used for the internal login process on the F5; it caches your password and it is used when launching TS apps from the FirePass webtop, which removes the need to log in a second time to the TS apps. You can still log into the FirePass without entering a Windows password and it still works.

I don't see the requirement for a second Windows authentication password feature on the PA, unless a future feature set gives you the ability to launch TS applications.

Rod

Sorry, my explanation was not clear. I want the PA client to offer a Windows login field and an RSA token field like most other VPN clients offer. The VPN client will authenticate Windows first (can be RSA first if you want) through AD and then, if successful, authenticate to RSA with the tokencode. The FirePass method of providing two login fields (RSA + Windows) is exactly what I want the Palo Alto client to do. This way my remote users are granted a VPN connection to do anything after they have been authenticated twice. For some important business apps, I will force another authentication, but for things like the intranet, the VPN connection authentication is sufficient.

Hi Kim,

As you point out, this type of multi-factor authentication is common with certain types of SSL VPN to provide a single sign-on experience for the user. This only works when the SSL VPN is using a browser type of presentation (web rewrite), since the VPN is interacting at the application layer.

GlobalProtect and NetConnect provide pure layer 3 tunnels over IPsec and SSL, so they do not provide single sign-on functionality for applications running over the tunnel. There is no web rewrite functionality, so there is no way for the VPN client to interact on the user's behalf when the authentication page is presented by an application.

It might be possible for the application to authenticate against the OS cached credentials, which would obviate the need for single sign-on solutions that use this type of trick.

Cheers,

Kelly

L1 Bithead

Hi Kim,

We use Quest Defender for our 2-factor authentication with PAN via RADIUS. It ties in with AD, and even though you still only get the username and password entry fields in the NetConnect login screen, you can configure Defender to use the AD username with either just the token, or the AD password and the token combined, in the password entry box. In our case we require username and token + password.

I don't know if RSA SecurID allows for the same options, though.

Regards,

Pierre

Hey Kelly,

Thanks for the clarification! This really helps highlight the limitations of SSO integration for all VPNs.

I would still like the PAN to allow a Windows password field and an RSA SecurID token field so that our remote VPN connection itself uses 2-factor authentication. This will provide better security in case a password is compromised or a token is lost/stolen. I realize that SSO is not a reality, but at least I have better trust in those making the VPN connection.

Thanks,

Kim
