Is it possible to configure Global Protect VPN connection such that....
...or maybe this way....
The goal I am trying to accomplish is really one basic thing: if the user logs into their laptop I want that to be FIRST FACTOR and for them to not be asked for it again (SSO). But I want to secure full VPN tunnel w/ a second factor, and I want "push" or "enter code" from Okta mobile app to be that. Problem is, Okta has not authenticated the remote user and SSO only works if the Okta SSO/IWA server is accessible to the host (and that server is in back office, and it's not secure to expose it to WAN)....so I am kind of in a pickle here (quite an annoying one if you ask me). Once VPN is up - SSO works great! Go figure.
I hope I am making sense!
Yes and no. We got this working w/ Duo cause their RADIUS agent can be customized such that a single method of 2FA is required. Therefore the cache reds in GP client work great, and then the user receives a transparant push to their phone.
In talking w/ local Palo field office here, they are suggesting a more interesting way of approaching this. We can run always on VPN for laptops so that as soon as they go online their web traffic is routed through the VPN and it's seen as VPN->WAN (zone). We can allow tokenized logins this way (no user password required). Then, when they attempt to connect to a resource such as VPN->LAN the SAML auth will kick in using their MFA feature on the firewall. The MFA feature can be app based, protocol based or zone based I think. We are barely beginning to explore this.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!