Enable DUO for GlobalProtect

Hello, 

I am looking into enabling DUO for GlobalProtect. I am aware that DUO and Palo Alto support three ways to enable MFA:

DUO's RADIUS proxy server
DUO Access Gateway (DAG)
SAML (e.g., Azure, Okta)

I tried all 3 of them, and I am leaning more towards SAML since it's just easier and supports the DUO prompts. I have a few questions and I was hoping someone could guide me:

1. Whenever I try to authenticate with either method above, I get prompted for DUO twice, once for the portal and once for the gateway (which makes sense). Is there a way to get around this without using cookies?

2. Assuming that cookies are required for question 1, is it OK to use the same certificate to encrypt/decrypt cookies, and also install the certificate along with the private key on the client? Unfortunately we don't have a way of pushing the certs to endpoints, so I have to rely on the firewall doing the installation. I am going to assume yes since it should be the same? Any security risk associated?

3. If I have to use cookies + certificate, is it OK to simply use a self-signed Root CA for this? Or should it be the root + intermediate + client cert, and use the client cert to install on the device, and the root cert to do the encryption/decryption?
Any help on this will be greatly appreciated.

Thank you in advance!

0 replies