07-23-2018 07:36 AM
The native client on my windows machine does not seem to be authenticating against my radius/otp/ldap server and my globalprotect client is getting through the portal but failing on the gateway. Any ideas why or how to track it down?
07-23-2018 10:03 AM - edited 07-23-2018 10:35 AM
So do you set the auth profile for both the gateway and the portal to the radius/OTP/LDAP server
Yes. you don't really need it on the gateway for GP but you will need it for native.
and then set authentication overide to "Accept cookie for authentication override" on the gateway?
Yes. and set a time limit for how long you will accept the cookie. 10 mins is fine...
Do you have to set "Generate cookie for authentication override on the portal"
Yes, but do not accept cookie for auth on portal. and put a tick in "portal" under the components section.
this will force OTP everytime a user connects.
07-23-2018 11:15 AM
I swear there was a picture with this but I don't see it anymore
07-23-2018 11:27 AM
Yes sorry the picture had some restricted info and couldnt edit it. So removed it. I will re post if needed but it was only portal info.
im not sure what you mean by 2 auth... you can use OTP without cookie auth but user will have to wait for passcode to change for gateway auth.
Thats why the overide is offered on the palo.
07-23-2018 11:34 AM
what we mean by 2 auth at my institution is putting in more that one type of authentication, like ldap and radius not just ldap.
07-23-2018 11:54 AM
So.... not sure why i keep saying so...
so... is this for a user to auth via OTP and then ldap, or some users to auth via OTP and others via ldap.
07-23-2018 12:02 PM
well....... we want 1 user to do both LOL. once by radius, once by OTP or something like that, like you know ( I am going valley girl).... two authentications per person. soooooo..... sorry I couldnt help myself
07-23-2018 12:33 PM
I have never used dual auth this way, i only mix with cert auth/ldap or OTP.
however..
Components that require dynamic passwords without cookie generation may be an option here...
07-23-2018 12:42 PM
So................ I might not even need the cookie things
07-24-2018 11:47 AM
I was hoping that one of our super user members (you know who you are) would jump in at some stage and put us to shame with thier expertise...
i dont think i can advise any further as you seem to be heading somewhere I have never ventured.
im at a loss with same server doing ldap and OTP and also requesting OTP and password from the same user.
lets see if anyone else can advise further..
07-24-2018 02:36 PM - edited 07-24-2018 02:37 PM
Interesting discussion you @jdprovine and @Mick_Ball have here 😉
Just to be clear, I don't expect to be the "super user" with the ultimate solution ... but I already had quite a few situation with global protect and a lot of headache till some situations were solved (one still isn't, there I hope for GP 5.0)
So ... 🙂
This one actually I don't really understand:
@jdprovine wrote:well....... we want 1 user to do both LOL. once by radius, once by OTP or something like that, like you know ( I am going valley girl).... two authentications per person. soooooo..... sorry I couldnt help myself
What do you @jdprovine mean with "we want 1 user do both"? As I understood your RADIUS is responsible for OTP, but now how is LDAP coming into the game? Or what is meant to do both?
May I add what we use: We use RADIUS only. PaloAlto sends the credentials (username and password) to the RADIUS which checks these values via LDAP in the active directory. If the credentials are valid it sends a accept-challenge back to the firewall which then tells the global protect agent to show the prompt for the OTP. This is for the portal and on the gateway we use cookies but configured the same RADIUS profile there too to make sure OTP is forced in every situation (if for some reason the global protect agent does not connect to the portal first).
07-24-2018 09:13 PM - edited 07-24-2018 09:35 PM
So... ha ha...
which one isn’t resolved and what is V5.x going to do for us....
07-25-2018 05:57 AM
This is access to our PCI network so we need extra added security, so when one user logs in he must enter a token(OTP) as well as get an accept from the radius server for interace, so 2 factor authentication or two different methods or acceptance to before they can be allowed. Just like we use to access our server 1st factor is ldap followed by a token(OTP)
07-25-2018 03:40 PM
In this case you need a ldap and a radius authentication profile to have two factors. As probably already mentionned with the GP agent it is possible if you configure ldap on the portal and radius on the gateway. For the native clients (good to know by the way that this works), global protect does not offer a way to chain authentication profiles. There you need something that I mentionned wher the radius server checks ldap credentials and OTP, because they only connect to the gateway and not to the portal to pull their configuration.
(I hope I understood your question correctly)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
