GlobalProtect VPN Enforcing Password Changes and Google Authenticator MFA

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect VPN Enforcing Password Changes and Google Authenticator MFA

L1 Bithead

I have two inquiries regarding GlobalProtect VPN:

  1. Password Change: Is there a feature that mandates users to change their GlobalProtect VPN password after their initial login?

  2. MFA Support: Does GlobalProtect VPN support Multi-Factor Authentication (MFA) using Google Authenticator?"

Best Regards

 

1 accepted solution

Accepted Solutions

Community Team Member

Hi @GWong4 ,

 

Changing your password upon first logon while connecting to GP and using local user database auth is not natively supported, but you can enforce it using other auth methods like ldap, radius, and saml. For example, user signs into GP that initiates a saml auth request to your IdP of choice. An embedded browser pops-up to sign into your sso service url and your IdP forces users to change their password. Once completed, the IdP sends a saml response back to GP, allowing access. **This can work with radius/ldap server as well. You can also throw in Google Authenticator into the mix through radius or saml. 

 

Are you looking to deploy GlobalProtect for the first time? Do you have an idea of how you want to handle authentication? 

 

Happy to help! 

 

 

 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

View solution in original post

2 REPLIES 2

Community Team Member

Hi @GWong4 ,

 

Changing your password upon first logon while connecting to GP and using local user database auth is not natively supported, but you can enforce it using other auth methods like ldap, radius, and saml. For example, user signs into GP that initiates a saml auth request to your IdP of choice. An embedded browser pops-up to sign into your sso service url and your IdP forces users to change their password. Once completed, the IdP sends a saml response back to GP, allowing access. **This can work with radius/ldap server as well. You can also throw in Google Authenticator into the mix through radius or saml. 

 

Are you looking to deploy GlobalProtect for the first time? Do you have an idea of how you want to handle authentication? 

 

Happy to help! 

 

 

 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L1 Bithead

Hi jayGolf,

Thanks for the explanation is because the GP is mainly for external vendor use. Hence I think it is better isolated the external vendor login via firewall features itself. 

Anyway thanks for the explanation 

  • 1 accepted solution
  • 190 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!