06-25-2018 08:20 AM
So if I am configuring a VPN to use RADIUS & OTP (multi-factor authentication) and LDAP, do I add the RADIUS authentication to both the portal and the gateway? And if so, where and how does the LDAP authentication occur?
06-25-2018 11:54 AM
Hello,
Are you stating you wish to do 3 authentication methods?
RADIUS -> OTP -> LDAP
I would say that the OTP is your most secure and the LDAP and/or radius would be backup.
Regards,
06-25-2018 12:23 PM
LOL, I guess that would be 3-factor indeed, as requested by my coworker and based on how it was set up on an ASA 5510 that I am trying to replace. So do you think it is possible?
06-25-2018 01:19 PM
Actually, I think that the RADIUS is serving out the OTP; I will have to check with the guy who is working on that portion of the VPN access.
06-25-2018 02:06 PM
So OTP on the PAN is set up as RADIUS. If it's just OTP then LDAP, that is 100% doable. In the past I just made the Portal authentication the OTP and the Gateway authentication LDAP. I haven't tried the Multi-Factor Auth feature or the Authentication Sequence.
06-26-2018 05:38 AM
Correct, the server that we created to do RADIUS also has OTP on it, and I have created a server profile for it. So what I need to know is: do you set up RADIUS for the portal and LDAP for the gateway, or what combination does it have to be (which is what it sounds like you did)? So does that mean they have to enter a username and password twice?
06-26-2018 06:34 AM
Hello,
So when I was doing it, our OTP solution was an actual hand-held time-based token, where a user had to enter the PIN+code. So in this scenario, yes, the user had to enter their username twice, once for each popup box.
Since then there have been some improvements:
If your OTP is one of the ones listed in the Multi-Factor Authentication, the user experience should be different.
Hope this helps.
06-26-2018 07:50 AM - edited 06-26-2018 07:51 AM
Yes, we do OTP on other things the same way, with a code generator. I suspect our users will be prompted to log in twice as well, and at this point we are limited to what 7.1.16 offers us, since I have not had the time to upgrade to version 8 of the OS yet.
06-26-2018 08:47 AM
I would do...
- LDAP only on the Portal
- RADIUS(OTP) on the Gateway
...Enabling 2-factor on the Portal may cause your users to have to enter an OTP even when on your internal network. Is your OTP solution capable of authenticating LDAP as well? (ex. LDAP+OTP over the RADIUS protocol).
06-26-2018 08:53 AM
No, my RADIUS server for the OTP is not set up for LDAP, and I don't believe it is capable of doing LDAP. I am not really sure; I would have to talk to the one who configured it.
We currently have this configuration set up using an ASA 5510 firewall, but it is going end of life, so we are trying to replace it with a GlobalProtect VPN that hits RADIUS/OTP followed by LDAP, and we do want them to enter an OTP even when on the internal network.
06-26-2018 09:36 AM
It also looks, if I am reading it right, like you can configure it so it only makes you do the OTP login at the portal and passes the information encrypted (via cookie?) to the gateway.
06-26-2018 11:14 AM
Yes, we use cookie auth with OTP.
It saves the user entering twice; plus, the user will have to wait the set time for a new passcode to be generated, depending on the OTP system. We do not allow passcode re-use.
Also note that you are stuffed if the portal is unavailable for any reason and your GP client uses the last known cached config.
For what you require I would go LDAP for portal and OTP for gateway; this is assuming you have 3 factors for OTP:
something you are, have and know, vs LDAP: something you are and know.
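The cookie flow the two posts above describe (authenticate once at the portal, hand the client a time-limited cookie, let the gateway accept the cookie instead of prompting for a second OTP, and refuse OTP replay) as an added illustration. This is constructed example code, not GlobalProtect's real cookie format, PAN-OS code, or anything from the thread; the shared HMAC key, the 8-hour lifetime, the `LDAP_USERS` table and the `OtpServer` stand-in for the RADIUS/OTP server are all assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed illustration only: this is not GlobalProtect's real cookie
# format or PAN-OS code. It models the flow discussed in the thread: the
# portal authenticates the user once (LDAP password plus OTP), hands back a
# signed, time-limited cookie, and gateways accept that cookie instead of
# prompting for a second OTP. A gateway falls back to a fresh OTP when the
# cookie is missing, forged, or expired.

COOKIE_LIFETIME = 8 * 3600  # assumption: portal cookie valid for 8 hours
LDAP_USERS = {"alice": "correct horse battery staple"}  # constructed LDAP stand-in


class OtpServer:
    """Stand-in for the RADIUS/OTP server. Codes are single-use: a replayed
    code is rejected even if it is still inside its time window."""

    def __init__(self, current_codes):
        self.current_codes = dict(current_codes)  # user -> code valid right now
        self.used = set()

    def verify(self, user, code):
        if self.current_codes.get(user) != code:
            return False
        if (user, code) in self.used:
            return False  # no passcode re-use
        self.used.add((user, code))
        return True


def issue_cookie(key, user, now, lifetime=COOKIE_LIFETIME):
    """Bind the username and an expiry time under an HMAC so a gateway can
    check integrity offline, without a round trip to the portal."""
    payload = json.dumps({"user": user, "exp": now + lifetime}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(payload).decode(),
                      base64.urlsafe_b64encode(tag).decode())


def verify_cookie(key, cookie, now):
    """Return the username if the cookie is authentic and unexpired, else None."""
    try:
        p64, t64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except (ValueError, binascii.Error):
        return None  # malformed
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or modified
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None  # expired: user must re-authenticate at the portal
    return claims["user"]


def portal_login(key, otp_server, user, password, otp, now):
    """Portal: LDAP password first, then OTP. On success return a cookie."""
    if LDAP_USERS.get(user) != password:
        return None
    if not otp_server.verify(user, otp):
        return None
    return issue_cookie(key, user, now)


def gateway_login(key, otp_server, user, cookie, now, otp=None):
    """Gateway: accept a valid portal cookie for this user; otherwise require
    a fresh OTP (the second prompt the thread is trying to avoid)."""
    if cookie is not None and verify_cookie(key, cookie, now) == user:
        return "tunnel-up (cookie)"
    if otp is not None and otp_server.verify(user, otp):
        return "tunnel-up (otp)"
    return "denied"


if __name__ == "__main__":
    key = b"\x00" * 32  # assumption: secret shared by portal and gateways; random in practice
    otps = OtpServer({"alice": "492039"})
    t0 = 1_600_000_000
    c = portal_login(key, otps, "alice", "correct horse battery staple", "492039", t0)
    print(gateway_login(key, otps, "alice", c, t0 + 60))                  # tunnel-up (cookie)
    print(gateway_login(key, otps, "alice", None, t0 + 60, otp="492039"))  # denied (replayed OTP)
    print(gateway_login(key, otps, "alice", c, t0 + COOKIE_LIFETIME))      # denied (expired)
```

The two properties worth checking in any real deployment are visible here: the gateway never learns the password or OTP, only a cookie it can verify with the shared key, so the cookie lifetime is the window an attacker who steals it gets; and once the portal has consumed a code, presenting the same code to the gateway is refused, which is the "no passcode re-use" behaviour mentioned above.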
06-26-2018 12:53 PM
I checked with the server builder and apparently we do have RADIUS, OTP and LDAP on the same server, so we are good. I have most everything configured now, so on to testing.
06-26-2018 02:18 PM
Good to hear. Also, all traffic that the GP client passes after its initial contact with the Portal interface is encrypted. There are many ways to do this, like Mich mentioned. It just depends on what you want to do and what the customer experience is.