Native VPN client

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Native VPN client

L4 Transporter

The native client on my windows machine does not seem to be authenticating against my radius/otp/ldap server and my globalprotect client is getting through the portal but failing on the gateway. Any ideas why or how to track it down?

29 REPLIES 29

So do you set the auth profile for both the gateway and the portal to the radius/OTP/LDAP server

 

Yes.  you don't really need it on the gateway for GP but you will need it for native.

 

and then set authentication overide to "Accept cookie for authentication override" on the gateway?

 

Yes. and set a time limit for how long you will accept the cookie. 10 mins is fine...

 

Do you have to set "Generate cookie for authentication override on the portal"

 

Yes, but do not accept cookie for auth on portal. and put a tick in "portal" under the components section.

 

this will force OTP everytime a user connects.

 

Gateway Settings

 

gateway-cookie.png

@Mick_Ball

 

Do you know if it is possible to do the 2 auth without using the cookies?

@Mick_Ball

I swear there was a picture with this but I don't see it anymore

Yes sorry the picture had some restricted info and couldnt edit it. So removed it. I will re post if needed but it was only portal info.

 

im not sure what you mean by 2 auth... you can use OTP without cookie auth but user will have to wait for passcode to change for gateway auth.

 

Thats why the overide is offered on the palo.

@Mick_Ball

what we mean by 2 auth at my institution is putting in more that one type of authentication, like ldap and radius not just ldap.

So.... not sure why i keep saying so...

 

so... is this for a user to auth via OTP and then ldap, or some users to auth via OTP and others via ldap.

@Mick_Ball

well....... we want 1 user to do both LOL. once by radius, once by OTP or something like that, like you know ( I am going valley girl).... two authentications per person.   soooooo..... sorry I couldnt help myself

I have never used dual auth this way, i only mix with cert auth/ldap or OTP.

however.. 

 

 Components that require dynamic passwords without cookie generation may be an option here...

@Mick_Ball

So................ I might not even need the cookie things

I was hoping that one of our super user members (you know who you are) would jump in at some stage and put us to shame with thier expertise...

 

i dont think i can advise any further as you seem to be heading somewhere I have never ventured.

im at a loss with same server doing ldap and OTP and also requesting OTP and password from the same user.

 

lets see if anyone else can advise further..

 

Interesting discussion you @jdprovine and @Mick_Ball have here 😉

 

Just to be clear, I don't expect to be the "super user" with the ultimate solution ... but I already had quite a few situation with global protect and a lot of headache till some situations were solved (one still isn't, there I hope for GP 5.0)

 

So ... 🙂

 

This one actually I don't really understand:


@jdprovine wrote:

@Mick_Ball

well....... we want 1 user to do both LOL. once by radius, once by OTP or something like that, like you know ( I am going valley girl).... two authentications per person.   soooooo..... sorry I couldnt help myself


What do you @jdprovine mean with "we want 1 user do both"? As I understood your RADIUS is responsible for OTP, but now how is LDAP coming into the game? Or what is meant to do both?

 

May I  add what we use: We use RADIUS only. PaloAlto sends the credentials (username and password) to the RADIUS which checks these values via LDAP in the active directory. If the credentials are valid it sends a accept-challenge back to the firewall which then tells the global protect agent to show the prompt for the OTP. This is for the portal and on the gateway we use cookies but configured the same RADIUS profile there too to make sure OTP is forced in every situation (if for some reason the global protect agent does not connect to the portal first). 

So... ha ha...

 

which one isn’t resolved and what is V5.x going to do for us....

@Remo

 

This is access to our PCI network so we need extra added security, so when one user logs in he must enter a token(OTP) as well as get an accept from the radius server for interace, so 2 factor authentication or two different methods or acceptance to before they can be allowed.  Just like we use to access our server 1st factor is ldap followed by a token(OTP)

L7 Applicator

@jdprovine

In this case you need a ldap and a radius authentication profile to have two factors. As probably already mentionned with the GP agent it is possible if you configure ldap on the portal and radius on the gateway. For the native clients (good to know by the way that this works), global protect does not offer a way to chain authentication profiles. There you need something that I mentionned wher the radius server checks ldap credentials and OTP, because they only connect to the gateway and not to the portal to pull their configuration.

(I hope I understood your question correctly)

  • 7741 Views
  • 29 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!