Two-factor authentication tokens with PAN firewalls...

I am looking for a two-factor authentication solution for PAN firewalls (Global Protect). I am particularly interested in a mobile-phone-based app to provide a security token or OTP to authenticate users via Global Protect. Anybody have any good or bad experiences with these?

I tested RSA via RADIUS for our VPN a few months back on 4.1.3-.4, and while I was able to get authentication working, it was not a very supportable setup.

The GlobalProtect client sends the same password for the portal and the gateway when connecting. This caused big issues, since RSA passcodes are only good for one use. It was extremely easy to lock out a user's account on the RSA server if you miskeyed a passcode more than once on a connect attempt. Also, the user had to log in once, then wait for the 2nd logon, up to 59 seconds, until the token cycled to the next code before being able to connect.

The workaround for this was to use AD authentication for the portal and have the users first log in with their AD credentials; then, when prompted for a 2nd logon for the gateway, the user would use the RSA credentials. Another workaround that was proposed by support was to make the portal unreachable via the internet to force the GlobalProtect client to use the last cached configuration and eliminate the portal logon piece of the process when connecting remotely. Since I had to set up users that were 100% remote, I went with the first workaround so they could get to the portal remotely.

After testing with some of my users, we decided to stick with our existing VPN setup until the PA solution matures a bit more, to avoid the headache of dealing with users constantly being confused about which password to enter.

The last I heard from PA support, real one-time password support was not expected to happen any time soon. Seeing the link provided above, I wonder if something has changed recently.
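The portal-then-gateway double logon described in the post above, modeled as an added example. This is not code from the original thread, from Palo Alto Networks or from RSA: it uses an RFC 4226/6238 HMAC-based code as a stand-in for a SecurID token, a constructed seed and AD password, a fixed clock, and an assumed lockout threshold of two bad passcodes. It shows why a single-use passcode cannot be presented to both the portal and the gateway, why waiting for the next 60-second code works, how two miskeyed codes lock the account, and why the AD-for-portal, OTP-for-gateway workaround avoids the problem.

```python
import hashlib
import hmac
import struct

STEP = 60           # seconds per passcode; the post describes waiting up to 59 s for the next one
LOCKOUT_FAILS = 2   # assumption: the OTP server locks the account after two bad passcodes


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation over HMAC-SHA1, as a stand-in for a hardware token."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class OtpServer:
    """Minimal one-time-password validator: single use per time step plus a failure lockout."""

    def __init__(self, seeds):
        self.seeds = seeds      # user -> token seed
        self.used = set()       # (user, counter) pairs already accepted once
        self.fails = {}         # user -> consecutive bad passcodes
        self.locked = set()

    def verify(self, user, passcode, now):
        if user in self.locked:
            return "locked"
        counter = int(now // STEP)
        if not hmac.compare_digest(passcode, totp(self.seeds[user], counter)):
            self.fails[user] = self.fails.get(user, 0) + 1
            if self.fails[user] >= LOCKOUT_FAILS:
                self.locked.add(user)
                return "locked"
            return "bad_passcode"
        if (user, counter) in self.used:
            return "replayed"   # a passcode is good for exactly one authentication
        self.used.add((user, counter))
        self.fails[user] = 0
        return "ok"


class PasswordServer:
    """Stand-in for AD/LDAP: the same password can be presented any number of times."""

    def __init__(self, creds):
        self.creds = creds

    def verify(self, user, password, now):
        return "ok" if self.creds.get(user) == password else "bad_password"


def connect(portal_auth, gateway_auth, user, portal_cred, gateway_cred, t_portal, t_gateway):
    """Model a GlobalProtect connect: portal logon first, then gateway logon."""
    result = portal_auth.verify(user, portal_cred, t_portal)
    if result != "ok":
        return ("portal", result)
    result = gateway_auth.verify(user, gateway_cred, t_gateway)
    if result != "ok":
        return ("gateway", result)
    return ("connected", "ok")


SEED = b"constructed-seed-for-alice"     # constructed sample data, not a real token seed
AD_PASSWORD = "constructed-ad-password"  # constructed sample data
T0 = 1_700_000_000                       # fixed clock so the run is deterministic


def scenarios():
    code_now = totp(SEED, T0 // STEP)
    code_next = totp(SEED, (T0 + STEP) // STEP)
    wrong = "000000" if code_now != "000000" else "111111"
    out = {}

    # 1. Client sends the one passcode to both portal and gateway: the gateway rejects the replay.
    rsa = OtpServer({"alice": SEED})
    out["replay"] = connect(rsa, rsa, "alice", code_now, code_now, T0, T0)

    # 2. User waits for the token to cycle and types the next code at the gateway prompt.
    rsa = OtpServer({"alice": SEED})
    out["wait_for_next_code"] = connect(rsa, rsa, "alice", code_now, code_next, T0, T0 + STEP)

    # 3. Two miskeyed passcodes across connect attempts lock the account.
    rsa = OtpServer({"alice": SEED})
    connect(rsa, rsa, "alice", wrong, wrong, T0, T0)
    out["lockout"] = connect(rsa, rsa, "alice", wrong, wrong, T0, T0)

    # 4. Workaround from the post: AD password at the portal, OTP only at the gateway.
    ad = PasswordServer({"alice": AD_PASSWORD})
    rsa = OtpServer({"alice": SEED})
    out["ad_portal_otp_gateway"] = connect(ad, rsa, "alice", AD_PASSWORD, code_now, T0, T0)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The replay check is keyed on (user, time step) rather than on the code string, so the same six digits appearing again in a later step are accepted, which is the behaviour the "wait up to 59 seconds" workaround relies on.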

Thanks for the input. Good info...


For a better user experience, maybe we can use SSO for GP Portal and GP Gateway authentication (transparent for users) and use OTP on the Captive Portal to go from the "Global Protect" zone to the "protected resources" zone.

This way, we have only one visible authentication (for the user): OTP.

Is that wrong or not?

The RSA/GP solution is not enterprise ready, to say the least.

My recommendation, if you want to move ahead with this: LDAP auth for the portal, RSA for the gateway. It's horrible technically, but as close as you will get without a certificate server.
