Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Configure TOTP (Google Authenticator) for GlobalProtect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Configure TOTP (Google Authenticator) for GlobalProtect

L0 Member

I have looked at the different support documents and previous discussions but have not gotten much wiser. 

 

I need to have a handful of users connect to GlobalProtect with TOTP as the second authentication factor. Since the number of users are so low, they can either live on our LDAP service (preferred) or as local users. The TOTP is  to be verified by existing RADIUS.

 

On existing solutions, such as Cisco ASA (AnyConnect), the authentication flow is as follows for on demand VPN:

 

a) user provides username, password and one time password on login screen

b) username and password is used to authenticate against LDAP 

c) username and one time password is sent to RADIUS for match against the TOTP backend

d) user is logged in

 

On PaloAlto I would perhaps expect the flow to be something like:

 

a) user provides username and password to GP portal

b) username and password is authenticated against LDAP (or local user database)

c) gp portal checks for valid authentication cookie, if valid go last step

d) ask user for one time password

e) username and one time password is sent to RADIUS for match again TOTP backend

f) set authentication cookie

g) authentication override allows user to connect to GP gateway using authentication cookie

 

Is it possible to set up something like this, or do we need to build a completely different RADIUS TOTP setup just for GP?

 

11 REPLIES 11

L0 Member

I would love an answer to this as well!

L2 Linker

Same here minus the RADIUS server.  If I avoid using two-factor authentication with GlobalProtect to authenticate to the gateway or portal, it should be possible to use GlobalProtect to notify the user about an authentication policy match (UDP message), a Multi Factor Authentication server profile would be sufficient, yes?  Specifically, I would like to know how this would work with Google Authenticator.

D. Elliott

UPDATE:  TAC response.


For remote user authentication to GlobalProtect portals and gateways, the firewall integrates with MFA vendors using RADIUS and SAML only. As of now, The Google authenticator app is not supported by Palo Alto for multi-factor authentication. Supported MFA vendors are Okta, PingID, RSA token, DUO. Below document explains about the Multi Factor authentication in detail.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmSm

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/authentication/authentication-types/multi-...

D. Elliott

L0 Member

Both of those links are broken, are there updated ones?

L0 Member

Now 3 years has passed. Any updates here? Those two links still seem broken.

Community Team Member

Hi @EStangeland ,

 

Here's the compatibility matrix for MFA vendor support:

https://docs.paloaltonetworks.com/compatibility-matrix/mfa-vendor-support/mfa-vendor-support-table#i...


Here are some updated links to replace the old ones:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/authentication-types/multi...

https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-user-authenti...

 

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Cyber Elite
Cyber Elite

Hi everyone,

 

For those organizations that need to configure GlobalProtect with Google Authenticator, there are a couple of options.

 

  1. Configure a RADIUS server that handles both the primary and MFA authentication.  Here is one that uses AD and Google Authenticator.  https://kb.hillstonenet.com/en/wp-content/uploads/2019/09/SSLVPN-Two-factor-Authentication-with-Goog... 
  2. If you have Google Workspace accounts, you can enable MFA on it and connect to it with SAML.  https://www.youtube.com/watch?v=BANa4rFh1Ck   https://www.bitbodyguard.com/articles/palo-alto-networks/google-cloud-identity-as-saml-idp/

I have not configured Google MFA, but I have done these solutions with other products.  I found the links through Google.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L0 Member

I tried SAML against Microsoft 365 in lab. It works.

 

But if you need multi tenant, and at same time avoid having to create one GP gateway per tenant, you still have a problem.

I did some experiments using https://login.microsoftonline.com/common/saml2 - but still without finding a working setup for multi tenant.

L1 Bithead

Hello
I have in my infrastructure a double authentication factor for global protect users.
For them I used Cisco Duo, the connection and integration is really easy.
With this I can control the double factor through an external RAdius server.

L1 Bithead

I have a mostly working PoC with RADIUS: freeradius 3.2 (3.0 also works) on Linux with google-authenticator via PAM that uses non-Linux-Users in a centralized directory.

- Stuff that works: 2FA as such via RADIUS

  + Login with username and password against AD LDAPS

  + Separate Challenge Screen afterwards for google-authenticator

- Stuff that needs to work before the PoC is acceptable for production:

  + How do I get the LDAP groups for UserID with RADIUS-Authentication? [not yet researched]

  + Validate that Users are members of the Global-Protect-VPN-Group in LDAP, fail authentication otherwise - without hardcoding the LDAP group check in the RADIUS configuration [not yet researched. Workaround: Hardcode in the RADIUS config file]

  + How do I manage to run the RADIUS-Service as HA (google-authenticator uses one file per user that contains state, i.e. they are written to with each attempted access). No DB support. [Untested solution idea]

  + How do I implement this with EAP-GTC on freeradius/PA? [current implementation is using PAP and as PA does not support RADSEC, I need something that satisfies BSI (Germany) security requirements - which classical RADIUS PAP security doesn't.]

 

And before anyone asks: Once this works I'll post a solution here for review/feedback/possible improvements 🙂

L0 Member

Hi, have two authentication factors for global Purva Tranquillity protect users in my infrastructure. 

  • 32301 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!