Radius & OTP Globalprotect VPN

Radius & OTP Globalprotect VPN

L4 Transporter

So if I am configuring a VPN to use RADIUS & OTP (multi-factor authentication) and LDAP, do I add the RADIUS authentication to both the portal and the gateway? And if so, where and how does the LDAP authentication occur?


Cyber Elite

Hello,

Are you stating you wish to do 3 authentication methods?

RADIUS -> OTP -> LDAP

I would say that the OTP is your most secure and the LDAP and/or RADIUS would be backup.


Regards,

@OtakarKlier

LOL, I guess that would be 3-factor indeed, as requested by my coworker and based on how it was set up on an ASA 5510 that I am trying to replace. So do you think it is possible?

@OtakarKlier

Actually, I think that the RADIUS is serving out the OTP. I will have to check with the guy who is working on that portion of the VPN access.

So OTP on the PAN is set up as RADIUS. If it's just OTP then LDAP, that is 100% doable. In the past I just made the Portal Authentication the OTP and Gateway authentication LDAP. I haven't tried the Multi-Factor Auth feature or the Authentication sequence.

Correct, the server that we created to do RADIUS also has OTP on it, and I have created a server profile for it. So what I need to know is: do you set up RADIUS for the portal and LDAP for the gateway, or what combination does it have to be? That is what it sounds like you did. So does that mean they have to enter a username and password twice?

Hello,

So when I was doing it, our OTP solution was an actual hand-held time-based token that a user had to enter the PIN+code from. So in this scenario, yes, the user had to enter their username twice, once for each popup box.

Since then there have been some improvements:

https://live.paloaltonetworks.com/t5/Integration-Articles/GlobalProtect-One-Time-Password-based-Two-...

https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/authentica...

If your OTP is one of the ones listed in the MultiFactor Authentication, the user experience should be different.


Hope this helps.

@OtakarKlier

Yes, we do OTP on other things the same way with a code generator. I suspect our users will be prompted to log in twice as well, and at this point we are limited to what 7.1.16 offers us since I have not had the time to upgrade to version 8 of the OS yet.

I would do...

- LDAP only on the Portal

- RADIUS (OTP) on the Gateway

...Enabling 2-factor on the Portal may cause your users to have to enter an OTP even when on your internal network. Is your OTP solution capable of authenticating LDAP as well? (ex. LDAP+OTP over the RADIUS protocol)
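For anyone mapping the "LDAP+OTP over the RADIUS protocol" option above to what actually crosses the wire, here is an added example that is not from this thread or from Palo Alto Networks: it builds the PAP Access-Request a gateway's RADIUS authentication profile sends, using the RFC 2865 User-Password hiding, and shows the server-side split of an "AD password + OTP" string. The shared secret, the fixed Request Authenticator, the NAS name, the usernames and the 6-digit OTP suffix convention are all assumptions.

```python
import hashlib
import struct

# Constructed sample values, not from the thread: a shared secret and a fixed
# 16-byte Request Authenticator so the packet bytes are reproducible.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
OTP_DIGITS = 6  # assumed length of the OTP appended to the AD password

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: zero-pad to 16-byte blocks,
    XOR each block with MD5(secret + previous ciphertext block), seeding the
    chain with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS/OTP server would apply it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(code: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", code, len(value) + 2) + value

def access_request(username: str, password: str, ident: int = 1) -> bytes:
    """Access-Request (Code 1) carrying User-Name(1), User-Password(2) and
    NAS-Identifier(32); this is the PAP exchange a gateway's RADIUS
    authentication profile produces."""
    attrs = (attr(1, username.encode())
             + attr(2, hide_password(password.encode(), SECRET, AUTHENTICATOR))
             + attr(32, b"gp-gateway"))  # constructed NAS name
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + AUTHENTICATOR + attrs

def split_ldap_otp(combined: str) -> tuple:
    """Server-side split for the 'LDAP+OTP over RADIUS' scheme: the last
    OTP_DIGITS characters are the token code, the rest is the LDAP password."""
    if len(combined) <= OTP_DIGITS or not combined[-OTP_DIGITS:].isdigit():
        raise ValueError("password does not end in a %d-digit OTP" % OTP_DIGITS)
    return combined[:-OTP_DIGITS], combined[-OTP_DIGITS:]
```

Because the password is only hidden with an MD5 keystream derived from the shared secret, the secret's strength and the network path to the RADIUS server are what protect the OTP in transit.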

@jambulo

No, my RADIUS server for the OTP is not set up for LDAP, and I don't believe it is capable of doing LDAP. I am not really sure; I would have to talk to the one who configured it.

We currently have this configuration set up using an ASA 5510 firewall, but it is going end of life, so we are trying to replace it with a GlobalProtect VPN that hits RADIUS/OTP followed by LDAP, and we do want them to enter OTP even when on the internal network.
