Radius & OTP Globalprotect VPN


L4 Transporter

So if I am configuring a VPN to use RADIUS & OTP (multi-factor authentication) and LDAP, do I add the RADIUS authentication to both the portal and the gateway? And if so, where and how does the LDAP authentication occur?

Cyber Elite

Hello,

Are you stating you wish to do 3 authentication methods?

 

RADIUS -> OTP -> LDAP

 

I would say that the OTP is your most secure and the LDAP and/or RADIUS would be backup.

 

Regards,

@OtakarKlier

LOL, I guess that would be 3-factor indeed, as requested by my coworker and based on how it was set up on an ASA 5510 that I am trying to replace. So do you think it is possible?

@OtakarKlier

Actually, I think that the RADIUS is serving out the OTP. I will have to check with the guy who is working on that portion of the VPN access.

So OTP on the PAN is set up as RADIUS. If it's just OTP then LDAP, that is 100% doable. In the past I just made the Portal authentication the OTP and the Gateway authentication LDAP. I haven't tried the Multi-Factor Auth feature or the Authentication Sequence.

Correct, the server that we created to do RADIUS also has OTP on it, and I have created a server profile for it. So what I need to know is: do you set up RADIUS for the portal and LDAP for the gateway, or what combination does it have to be? It sounds like that is what you did. So does that mean they have to enter a username and password twice?

Hello,

So when I was doing it, our OTP solution was an actual hand-held time-based token where a user had to enter the PIN+code. So in this scenario, yes, the user had to enter their username twice, once for each popup box.

 

Since then there have been some improvements:

 

https://live.paloaltonetworks.com/t5/Integration-Articles/GlobalProtect-One-Time-Password-based-Two-...

https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/authentica...

 

If your OTP is one of the ones listed in the Multi-Factor Authentication, the user experience should be different.

 

Hope this helps.

@OtakarKlier

Yes, we do OTP on other things the same way with a code generator. I suspect our users will be prompted to log in twice as well, and at this point we are limited to what 7.1.16 offers us since I have not had the time to upgrade to version 8 of the OS yet.

I would do...

- LDAP only on the Portal

- RADIUS(OTP) on the Gateway

 

...Enabling 2-factor on the Portal may cause your users to have to enter an OTP even when on your internal network. Is your OTP solution capable of authenticating LDAP as well? (e.g. LDAP+OTP over the RADIUS protocol.)

@jambulo

No, my RADIUS server for the OTP is not set up for LDAP, and I don't believe it is capable of doing LDAP. I am not really sure; I would have to talk to the one who configured it.

We currently have this configuration set up using an ASA 5510 firewall, but it is going end of life, so we are trying to replace it with a GlobalProtect VPN that hits RADIUS/OTP followed by LDAP, and we do want them to enter the OTP even when on the internal network.

It also looks, if I am reading it right, like you can configure it so it only makes you do the OTP login at the portal and passes the information, encrypted (via a cookie?), to the gateway.

Yes, we use cookie auth with OTP.

 

It saves the user entering twice; plus, the user would have to wait the set time for a new passcode to be generated, depending on the OTP system. We do not allow passcode re-use.

 

Also note that you are stuffed if the portal is unavailable for any reason and your GP client uses the last known cached config.

 

For what you require I would go LDAP for the portal and OTP for the gateway; this is assuming you have 3 factors for OTP.

 

Something you are, have and know, vs. LDAP: something you are and know.
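The two arrangements discussed in this thread (jambulo's LDAP on the portal with RADIUS/OTP on the gateway, and Mich's OTP with an authentication cookie so the user is only prompted once) can be modelled to show what each prompt actually checks. The block below is an added example, not PAN-OS code and not anything a poster supplied: the `LdapAuth`, `RadiusOtpAuth`, `Portal` and `Gateway` classes, the sample user, the OTP seed and the cookie signing key are all constructed for illustration (PAN-OS encrypts its authentication-override cookie with a certificate rather than an HMAC key, and the cookie lifetime here is a made-up value).

```python
import base64
import hashlib
import hmac
import json
import struct

# Constructed sample data (not real credentials): an LDAP password store and
# a per-user TOTP seed as a RADIUS-fronted OTP system would hold it.
LDAP_USERS = {"alice": "correct horse battery staple"}
OTP_SEEDS = {"alice": b"12345678901234567890"}
COOKIE_KEY = b"placeholder-portal-cookie-signing-key"  # hypothetical; PAN-OS uses a certificate
OTP_STEP = 30  # seconds per TOTP window


def totp(seed: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second window containing `now`."""
    counter = struct.pack(">Q", now // OTP_STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class LdapAuth:
    """Stands in for the LDAP server profile: something you know, checked once."""
    def check(self, user: str, secret: str, now: int) -> bool:
        pw = LDAP_USERS.get(user)
        return pw is not None and hmac.compare_digest(pw, secret)


class RadiusOtpAuth:
    """Stands in for the RADIUS server profile fronting an OTP system.
    A passcode is accepted once per window ("we do not allow passcode re-use")."""
    def __init__(self):
        self.used = set()

    def check(self, user: str, secret: str, now: int) -> bool:
        seed = OTP_SEEDS.get(user)
        if seed is None or not hmac.compare_digest(totp(seed, now), secret):
            return False
        window = (user, now // OTP_STEP)
        if window in self.used:
            return False  # replayed passcode: reject even though it is still "valid"
        self.used.add(window)
        return True


def sign_cookie(user: str, now: int, lifetime: int) -> str:
    """Authentication-override cookie: user + expiry, integrity-protected by HMAC."""
    body = json.dumps({"user": user, "exp": now + lifetime}).encode()
    tag = hmac.new(COOKIE_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def verify_cookie(cookie: str, now: int):
    """Return the user named in an untampered, unexpired cookie; otherwise None."""
    raw = base64.urlsafe_b64decode(cookie)
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(COOKIE_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(body)
    return claims["user"] if claims["exp"] > now else None


class Portal:
    """Portal: runs its own auth profile and, on success, issues the cookie."""
    def __init__(self, auth, cookie_lifetime: int = 3600):
        self.auth, self.cookie_lifetime = auth, cookie_lifetime

    def login(self, user: str, secret: str, now: int):
        if not self.auth.check(user, secret, now):
            return None
        return sign_cookie(user, now, self.cookie_lifetime)


class Gateway:
    """Gateway: honours the portal cookie if override is enabled, else prompts again."""
    def __init__(self, auth, accept_cookie: bool):
        self.auth, self.accept_cookie = auth, accept_cookie

    def connect(self, user: str, now: int, cookie=None, secret=None) -> str:
        if self.accept_cookie and cookie is not None and verify_cookie(cookie, now) == user:
            return "connected via cookie"
        if secret is not None and self.auth.check(user, secret, now):
            return "connected via second login"
        return "rejected"
```

Run against a fixed clock, the model shows the trade-off the posters describe: with cookie override off, the user answers the gateway's RADIUS prompt separately and a reused passcode is refused; with override on, the gateway accepts the cookie until it expires and never sees a passcode, which is exactly why the portal being unreachable matters.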

@OtakarKlier

I checked with the server builder, and apparently we do have RADIUS, OTP and LDAP on the same server, so we are good. I have most everything configured now, so on to testing.

Good to hear. Also, all traffic that the GP client passes after its initial contact with the Portal interface is encrypted. There are many ways to do this, like Mich mentioned. It just depends on what you want to do and what the customer experience is.
