GlobalProtect MFA With Radius and Email


L1 Bithead

Has anyone setup a free MFA with GlobalProtect?  I was thinking something along the lines of using a FreeRadius server to generate an email code to the user.  It has to be doable...  FreeRadius, connected to LDAP/AD, pulls the email address and sends a code, which the user appends to their password on the GlobalProtect Client.


Doable?  Or wishful thinking?


5 REPLIES

L4 Transporter

Duo has a FreeRADIUS client for Linux that's easily set up for MFA. It's free for up to 10 users and readily works with GlobalProtect (it's just a RADIUS auth to GP).

L1 Bithead

Thanks Robp.  Unfortunately I need this for hundreds (possibly more) users.  I just ran across LinOTP.  Anyone out there have experience with it?

Not used it myself, but is it actually a random passcode generator, or does it just act as a man in the middle for tokens and user groups/IDs? Still reading, as I may give it a go myself...

What kind of 2nd factors do you want to use and where are your users located?

Note that certain authentication mechanisms will not work through RADIUS, like WebAuthn, PUSH tokens in push mode...

However, HOTP, TOTP, Yubikeys (in OTP mode), SMS, Email... can technically work.

An important aspect is the enrollment process to get the 2nd factors to the users in a secure manner. You should put some thought into that.

LinOTP is rather cool, but imho it has been missing a dust-off for a couple of years. You might want to take a look at the fork privacyIDEA, <disclaimer>which I started 7 years ago.</disclaimer> It also works well with Palo Alto and similar solutions.

It also allows you to automate processes - very interesting for e.g. enrollment, token replacement or whatever you can think of.
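The original post proposes a RADIUS back end that checks the LDAP password and then an e-mailed code the user appends to it, and the accepted answer notes that TOTP, HOTP and e-mail codes can be carried this way while push and WebAuthn cannot. The following is an added example, written for this page and not code from the thread, FreeRADIUS, LinOTP or privacyIDEA. It simulates the decision a RADIUS server would make for one Access-Request: split the concatenated `passwordOTP`, verify the password against a constructed user table standing in for the LDAP bind, then accept either an RFC 6238 TOTP or a single-use, expiring e-mailed code. All user data, the TOTP secret (the RFC 6238 test-vector secret) and the "mail delivery" are constructed stand-ins.

```python
"""Toy RADIUS-style MFA back end: OTP appended to the password.

Added example for this thread; not the code of any named product.
Both second factors that work over RADIUS are shown: TOTP (RFC 6238)
and an e-mailed one-time code. The user directory, the LDAP bind and
the outgoing e-mail are simulated so the module runs offline.
"""
import hashlib
import hmac
import secrets
import struct
import time

OTP_DIGITS = 6
TOTP_STEP = 30          # seconds per TOTP time step
EMAIL_CODE_TTL = 300    # seconds an e-mailed code stays valid

# Constructed directory: in production FreeRADIUS would bind to LDAP/AD
# to check the password and read the user's mail attribute.
USERS = {
    "alice": {
        "password": "correct horse",              # simulated LDAP password
        "mail": "alice@example.test",
        "totp_secret": b"12345678901234567890",   # RFC 6238 test secret
    },
}

# Pending e-mail codes: user -> (sha256(code), expiry). Codes are stored
# only as hashes and removed after one attempt.
PENDING_EMAIL = {}


def split_password_otp(combined, digits=OTP_DIGITS):
    """Split 'passwordOTP' into (password, otp); the OTP must be all digits."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None, None
    return combined[:-digits], combined[-digits:]


def hotp(secret, counter, digits=OTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, step=TOTP_STEP, digits=OTP_DIGITS):
    """RFC 6238 TOTP: HOTP with the Unix-time step as counter."""
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret, otp, now, window=1):
    """Accept the current step and +-window steps to absorb clock skew."""
    for offset in range(-window, window + 1):
        t = now + offset * TOTP_STEP
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret, t), otp):
            return True
    return False


def issue_email_code(user, now):
    """Generate a code, 'send' it, and remember only its hash and expiry."""
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    digest = hashlib.sha256(code.encode()).hexdigest()
    PENDING_EMAIL[user] = (digest, now + EMAIL_CODE_TTL)
    # send_mail(USERS[user]["mail"], code) -- delivery is out of scope here.
    return code  # returned only so a caller/test can complete the flow


def verify_email_code(user, otp, now):
    """Single-use, expiring check. The pending code is consumed on any
    attempt so a wrong guess cannot be retried against the same code."""
    entry = PENDING_EMAIL.pop(user, None)
    if entry is None:
        return False
    digest, expiry = entry
    if now > expiry:
        return False
    presented = hashlib.sha256(otp.encode()).hexdigest()
    return hmac.compare_digest(digest, presented)


def authenticate(user, combined, now=None):
    """Accept/Reject decision for one Access-Request carrying 'passwordOTP'."""
    now = time.time() if now is None else now
    account = USERS.get(user)
    if account is None:
        return False
    password, otp = split_password_otp(combined)
    if otp is None:
        return False
    if not hmac.compare_digest(password.encode(), account["password"].encode()):
        return False
    # Either factor is acceptable; a TOTP user never needs an e-mail code.
    return (verify_totp(account["totp_secret"], otp, now)
            or verify_email_code(user, otp, now))
```

Two details matter in practice and are reflected above: the e-mailed code is kept only as a hash with an expiry and is burned on the first attempt, and the TOTP check allows one step of skew on either side. The skew window is also why a six-digit TOTP is weaker than it looks against online guessing; a real deployment must add per-user lockout on the RADIUS side.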

This is a godsend! Thank you Cornelinux, and thank you for your work on privacyIDEA. This will be perfect!

I want to do a blend of Google Authenticator and email codes.  
