06-09-2021 12:31 PM
Has anyone set up free MFA with GlobalProtect? I was thinking of something along the lines of using a FreeRADIUS server to generate an email code for the user. It has to be doable... FreeRADIUS, connected to LDAP/AD, pulls the email address and sends a code, which the user appends to their password in the GlobalProtect client.
Doable? Or wishful thinking?
06-12-2021 03:14 AM
What kind of 2nd factors do you want to use, and where are your users located?
Note that certain authentication mechanisms will not work through RADIUS, like WebAuthn, PUSH tokens in push mode...
However, HOTP, TOTP, Yubikeys (in OTP mode), SMS, Email... can technically work.
An important aspect is the enrollment process to get the 2nd factors to the users in a secure manner. You should put some thought into that.
LinOTP is rather cool, but imho it has been missing a dust-off for a couple of years. You might want to take a look at the fork privacyIDEA, <disclaimer>which I started 7 years ago.</disclaimer> It also works well with Palo Alto and similar solutions.
It also allows you to automate processes - very interesting for e.g. enrollment, token replacement or whatever you can think of.
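The "password with the OTP appended" scheme from the original question, combined with the HOTP/TOTP factors this reply says do work over RADIUS, is easy to model end to end. The block below is an added example written for this page, not code from the thread, from privacyIDEA, FreeRADIUS or Palo Alto: it implements RFC 4226 HOTP and RFC 6238 TOTP, splits the RADIUS User-Password into static password and code, verifies the code with a small clock-drift window and a per-user replay guard, and builds the otpauth:// enrollment URI that Google Authenticator scans. The user "alice", her password and the TOTP seed (the RFC 6238 test key) are constructed for the example; a real backend would check the password against LDAP/AD and fetch the seed from a token store.

```python
"""Model of the RADIUS-side logic for "<static password><6-digit OTP>" as sent by
GlobalProtect in the User-Password attribute. HOTP/TOTP per RFC 4226 / RFC 6238.
The user, password and seed below are constructed for this example only."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def enrollment_uri(issuer: str, username: str, secret: bytes) -> str:
    """Key URI (otpauth://) that Google Authenticator and similar apps import from a QR
    code. Whoever sees this URI owns the second factor, so only show it to the
    authenticated user during enrollment (the "secure manner" point above)."""
    seed = base64.b32encode(secret).decode().rstrip("=")
    return ("otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=SHA1&digits=6&period=30"
            % (quote(issuer), quote(username), seed, quote(issuer)))


def split_password_and_otp(user_password: str, digits: int = 6):
    """The client appends the OTP to the password, so the last `digits` characters are
    the code. Returns None when no numeric code is present."""
    tail = user_password[-digits:]
    if len(user_password) <= digits or not tail.isdigit():
        return None
    return user_password[:-digits], tail


class TotpVerifier:
    """TOTP check tolerating +/-`window` steps of clock drift, with a per-user
    high-water mark so an intercepted code cannot be replayed within its lifetime."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self.last_step = {}  # username -> last accepted time-step counter

    def verify(self, username: str, secret: bytes, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_step.get(username, -1):
                continue  # this step (or an older one) was already accepted: replay
            if hmac.compare_digest(hotp(secret, counter, self.digits), code):
                self.last_step[username] = counter
                return True
        return False


# Constructed sample directory; a real backend gets the password from LDAP/AD and
# the seed from the token store (e.g. privacyIDEA).
USERS = {"alice": {"password": "Correct-Horse", "totp_secret": b"12345678901234567890"}}
VERIFIER = TotpVerifier()


def check_access_request(username: str, user_password: str, now=None) -> tuple:
    """Decision for one RADIUS Access-Request. Returns (accept, reason)."""
    user = USERS.get(username)
    parts = split_password_and_otp(user_password)
    if user is None or parts is None:
        return False, "Access-Reject: unknown user or no OTP appended"
    static, code = parts
    if not hmac.compare_digest(static.encode(), user["password"].encode()):
        return False, "Access-Reject: bad password"
    if not VERIFIER.verify(username, user["totp_secret"], code, now):
        return False, "Access-Reject: bad or reused OTP"
    return True, "Access-Accept"


if __name__ == "__main__":
    print(enrollment_uri("GlobalProtect", "alice", USERS["alice"]["totp_secret"]))
    code = totp(USERS["alice"]["totp_secret"], 59)  # "287082" per the RFC 6238 vectors
    print(check_access_request("alice", "Correct-Horse" + code, now=59))
    print(check_access_request("alice", "Correct-Horse" + code, now=59))  # replayed code
```

Two design points worth carrying into a real deployment: the code is compared with `hmac.compare_digest` and the replay guard is keyed per user, otherwise a code sniffed from an unencrypted RADIUS hop or a shoulder-surfed screen stays valid for the whole step plus window. The same split logic applies to an emailed code if the backend stores the code it sent together with an expiry and a single-use flag instead of deriving it from time.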
06-09-2021 12:59 PM
Duo has a FreeRADIUS client for Linux that's easily set up for MFA. It's free for up to 10 users and readily works with GlobalProtect (it's just a RADIUS auth to GP).
06-09-2021 01:07 PM
Thanks Robp. Unfortunately I need this for hundreds (possibly more) of users. I just ran across LinOTP. Does anyone out there have experience with it?
06-10-2021 05:50 AM
Not used it myself, but is it actually a random passcode generator, or does it just act as a man in the middle for tokens and user groups/IDs? Still reading, as I may give it a go myself...
06-12-2021 02:22 PM
This is a godsend!!! Thank you Cornelinux, and thank you for your work on privacyIDEA. This will be perfect!
I want to do a blend of Google Authenticator and email codes.