Global protect step by step with Pointsharp

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global protect step by step with Pointsharp

L1 Bithead

Hello,

 

I'm interested in IT and I'm a beginner.

 

I read some documents on the internet

Could you please correct me to know if I have understood correctly?

 

When a customer connects with his login and password to his company's vpn using global protect.

Step 1) the Pointsharp server makes a request to the active directory to confirm the login and password

2) when the login and password are ok the Pointsharp server sends a token to the client 

3) the client sends the token back to the Pointsharp server

4) the client is connected to the vpn

1 accepted solution

Accepted Solutions

L6 Presenter

Yes, that is correct, the token is a code. In a real quick read, it appears to be a standard time based OTP (not 100% sure, but the specification sheet talks about options for hardware tokens, OATH, GoogleAuth, MicrosoftAuth, etc.).

 

The way this works is that the client is initially given a special authentication seed when enrolled, which is unique to each user. The client Pointsharp application (or GoogleAuth/etc.) then calculates a token at any given point in time from the original seed. So from 12:04:00 to 12:04:59 today it calculates token "394 019". At 12:05:00 that changes to "823 317". Then at 12:06:00 it becomes "910 006"... etc. You need to respond to the Pointsharp server with the appropriate token at the appropriate time, either by hitting "Confirm" in the Pointsharp app (it submits the token in the background) or typing in the token generated by GoogleAuth/etc.

 

Pointsharp server -> client: what is your token?

Client calculates: Initial seed + current time = token

Client -> Pointsharp server: the token is 012 345

Pointsharp server calculates and compares: [012 345] <?> client seed + current time

 

With time based OTPs/OATH it is very important that both the server and the client maintain accurate time as the OTP token is only valid for a short period. Usually there is a grace period where the previous/next code in line will also work, but generally clocks need to be within 60-90 seconds of each other.

 

There are also other types OTP such a pre-generated lists and next-token-calculated-from-previous-token, but given that they talk about using standard OATH-compliant clients I don't believe these apply.

View solution in original post

4 REPLIES 4

L6 Presenter

I have not heard of Pointsharp before, but it appears to be just another MFA server product, like DUO, Okta, or AzureMFA. Your description is mostly right, the basic flow is like:

  1. The client tries to connect to the VPN with GlobalProtect and enters username/password.
  2. The PaloAlto passes the user/pass to Pointsharp via LDAP/Radius for authentication.
  3. Pointsharp verifies the user/pass against AD and, if OK, requests a token from the client via a second connection (app, SMS, etc.)
  4. The client responds with a OTP token to Pointsharp.
  5. Pointsharp responds to the original LDAP/Radius query from PaloAlto with an accept/reject login status.
  6. The PaloAlto connects the client to the VPN.

Ok @Adrian_Jensen I d on't understand the token part

The token IS a code?

The Pointsharp server send the token on my mobile phone and when I click " confirm" on the Pointsharp application. I send the same token to the Pointsharp server?

Could you please explain me

L6 Presenter

Yes, that is correct, the token is a code. In a real quick read, it appears to be a standard time based OTP (not 100% sure, but the specification sheet talks about options for hardware tokens, OATH, GoogleAuth, MicrosoftAuth, etc.).

 

The way this works is that the client is initially given a special authentication seed when enrolled, which is unique to each user. The client Pointsharp application (or GoogleAuth/etc.) then calculates a token at any given point in time from the original seed. So from 12:04:00 to 12:04:59 today it calculates token "394 019". At 12:05:00 that changes to "823 317". Then at 12:06:00 it becomes "910 006"... etc. You need to respond to the Pointsharp server with the appropriate token at the appropriate time, either by hitting "Confirm" in the Pointsharp app (it submits the token in the background) or typing in the token generated by GoogleAuth/etc.

 

Pointsharp server -> client: what is your token?

Client calculates: Initial seed + current time = token

Client -> Pointsharp server: the token is 012 345

Pointsharp server calculates and compares: [012 345] <?> client seed + current time

 

With time based OTPs/OATH it is very important that both the server and the client maintain accurate time as the OTP token is only valid for a short period. Usually there is a grace period where the previous/next code in line will also work, but generally clocks need to be within 60-90 seconds of each other.

 

There are also other types OTP such a pre-generated lists and next-token-calculated-from-previous-token, but given that they talk about using standard OATH-compliant clients I don't believe these apply.

thank you very much @Adrian_Jensen !!!! I understand all of your explanation !! You are thé best !

  • 1 accepted solution
  • 2033 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!