I am looking for a two factor authentication solution for PAN firewalls (Global Protect). Particularly interested in a mobile phone based app to provide a security token or OTP to authenticate users via Global Protect. Anybody have any good or bad experiences with these?
I tested RSA via Radius for our vpn a few months back on 4.1.3-.4 and while I was able to get authentication working, it was not a very supportable setup.
The GlobalProtect client sends the same password for the portal and the gateway when connecting. This caused big issues since RSA passcodes are only good for one use. It was extremely easy to lock out a user's account on the RSA server if you miskeyed a passcode more than once on a connect attempt. Also, the user had to log in once, then wait for the 2nd logon up to 59 seconds until the token cycled to the next code, before being able to connect.
The workaround for this was to use AD authentication for the portal and have the users first log in with the AD credentials, then when prompted for a 2nd logon for the gateway the user would use the RSA credentials. Another workaround that was proposed by support was to make the portal unreachable via the internet to force the GlobalProtect client to use the last cached configuration and eliminate the portal logon piece of the process when connecting remotely. Since I had to set up users that were 100% remote, I went with the first workaround so they could get to the portal remotely.
After testing with some of my users we decided to stick with our existing vpn setup until the PA solution matures a bit more to avoid the headache of dealing with users constantly being confused about which password to enter.
The last I heard from PA support, real one time password support was not expected to happen any time soon. Seeing the link provided above, I wonder if something has changed recently.
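The failure mode described in the reply above, modelled as an added example (not Palo Alto or RSA code): a one-time-passcode validator that burns each code on use and counts failures toward a lockout, driven by the two client flows the post describes (same passcode to portal and gateway, versus AD for the portal and OTP only for the gateway). The lockout threshold, the AD password store and the passcode list are constructed assumptions.

```python
"""Simulation of GlobalProtect's double logon against a one-time-passcode server.

Constructed model, not vendor code. Assumptions: a lockout after
LOCKOUT_THRESHOLD consecutive failures, a static AD password store, and a
fixed set of valid passcodes standing in for a token's code sequence.
"""
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 3  # assumed value; real OTP servers make this configurable


@dataclass
class OtpServer:
    """Stand-in for an RSA/RADIUS OTP validator: each passcode is accepted once."""
    valid_codes: dict                       # user -> set of unused passcodes (constructed)
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def authenticate(self, user: str, passcode: str) -> bool:
        if user in self.locked:
            return False
        if passcode in self.valid_codes.get(user, set()):
            self.valid_codes[user].discard(passcode)  # one-time use: burn the code
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
        return False


AD_PASSWORDS = {"alice": "ad-secret"}  # constructed sample directory


def ad_authenticate(user: str, password: str) -> bool:
    return AD_PASSWORDS.get(user) == password


def connect_same_credential(otp: OtpServer, user: str, passcode: str) -> tuple:
    """Client behaviour from the thread: portal and gateway both get the OTP."""
    portal_ok = otp.authenticate(user, passcode)
    gateway_ok = otp.authenticate(user, passcode)  # replay of an already-burnt code
    return portal_ok, gateway_ok


def connect_split(otp: OtpServer, user: str, ad_password: str, passcode: str) -> tuple:
    """Workaround from the thread: AD for the portal, OTP only for the gateway."""
    portal_ok = ad_authenticate(user, ad_password)
    gateway_ok = otp.authenticate(user, passcode) if portal_ok else False
    return portal_ok, gateway_ok
```

Note that a single miskeyed connect attempt in the first flow costs two failures, which is why the lockout counter is reached so quickly.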
For a better user experience, maybe we can use SSO for GP Portal and GP Gateway authentication (transparent for users) and use OTP on the Captive Portal to go from the "Global Protect" zone to the "protected resources" zone.
This way, we have only one visible authentication (for the user): OTP.
Is that wrong or not?