12-26-2017 02:26 PM
Is it possible to configure Global Protect VPN connection such that....
...or maybe this way....
The goal I am trying to accomplish is really one basic thing: if the user logs into their laptop I want that to be FIRST FACTOR and for them to not be asked for it again (SSO). But I want to secure full VPN tunnel w/ a second factor, and I want "push" or "enter code" from Okta mobile app to be that. Problem is, Okta has not authenticated the remote user and SSO only works if the Okta SSO/IWA server is accessible to the host (and that server is in back office, and it's not secure to expose it to WAN)....so I am kind of in a pickle here (quite an annoying one if you ask me). Once VPN is up - SSO works great! Go figure.
I hope I am making sense!
07-06-2018 07:49 AM
Yes and no. We got this working w/ Duo cause their RADIUS agent can be customized such that a single method of 2FA is required. Therefore the cache reds in GP client work great, and then the user receives a transparant push to their phone.
In talking w/ local Palo field office here, they are suggesting a more interesting way of approaching this. We can run always on VPN for laptops so that as soon as they go online their web traffic is routed through the VPN and it's seen as VPN->WAN (zone). We can allow tokenized logins this way (no user password required). Then, when they attempt to connect to a resource such as VPN->LAN the SAML auth will kick in using their MFA feature on the firewall. The MFA feature can be app based, protocol based or zone based I think. We are barely beginning to explore this.
07-06-2018 07:50 AM
Note: one drawback to this design is that you cannot connect to VPN without your mobile device being online. This becomes an issue on airplanes. YMMV
10-17-2018 08:18 AM
Hi
Did pre-login and SAML worked together in one scenario?
11-13-2019 10:20 AM
How did you get Okta working with VPN? I've had 7 different Palo Alto tech's try to help me set it up but I receive an authentication error after it signs in through the Okta splash page. No issues for the web ui portal to download Global Protect only an issue when we try to use Global Protect Windows App.
02-09-2021 08:18 PM
Hi, any solution to the Global Protect issue?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
