Configure TOTP (Google Authenticator) for GlobalProtect


I have looked at the different support documents and previous discussions but have not gotten much wiser. 

 

I need to have a handful of users connect to GlobalProtect with TOTP as the second authentication factor. Since the number of users is so low, they can either live on our LDAP service (preferred) or as local users. The TOTP is to be verified by existing RADIUS.

 

On existing solutions, such as Cisco ASA (AnyConnect), the authentication flow is as follows for on-demand VPN:

 

a) user provides username, password and one-time password on login screen

b) username and password are used to authenticate against LDAP

c) username and one-time password are sent to RADIUS for match against the TOTP backend

d) user is logged in

 

On Palo Alto I would perhaps expect the flow to be something like:

 

a) user provides username and password to GP portal

b) username and password are authenticated against LDAP (or local user database)

c) GP portal checks for a valid authentication cookie; if valid, go to the last step

d) ask user for one-time password

e) username and one-time password are sent to RADIUS for match against the TOTP backend

f) set authentication cookie

g) authentication override allows user to connect to GP gateway using authentication cookie

 

Is it possible to set up something like this, or do we need to build a completely different RADIUS TOTP setup just for GP?

 


Re: Configure TOTP (Google Authenticator) for GlobalProtect

I would love an answer to this as well!
