08-31-2021 04:35 PM
Hello,
I am looking into enabling DUO for GlobalProtect. I am aware that DUO and Palo Alto support three ways to enable MFA:
DUO's RADIUS proxy server
DUO Access Gateway (DAG)
SAML (e.g., Azure, Okta)
I tried all 3 of them, and I am leaning more towards SAML since it's just easier and supports the DUO prompts. I have a few questions and I was hoping someone could guide me:
1. Whenever I try to authenticate with either method above, I get prompted for DUO twice, once for the portal and once for the gateway (which makes sense). Is there a way to get around this without using cookies?
2. Assuming that cookies are required for question 1, is it OK to use the same certificate to encrypt/decrypt cookies and also install the certificate along with the private key on the client? Unfortunately we don't have a way of pushing the certs to endpoints, so I have to rely on the firewall doing the installation. I am going to assume yes, since it should be the same? Any security risk associated?
3. If I have to use cookies + certificate, is it OK to simply use a self-signed Root CA for this? Or should it be the root + intermediate + client cert, and use the client cert to install on the device and the root cert to do the encryption/decryption?
Any help on this will be greatly appreciated.
Thank you in advance!