12-14-2024 01:13 AM
I have two inquiries regarding GlobalProtect VPN:
Password Change: Is there a feature that mandates users to change their GlobalProtect VPN password after their initial login?
MFA Support: Does GlobalProtect VPN support Multi-Factor Authentication (MFA) using Google Authenticator?
Best Regards
12-17-2024 01:02 PM - edited 12-17-2024 01:02 PM
Hi @GWong4 ,
Changing your password upon first logon while connecting to GP and using local user database auth is not natively supported, but you can enforce it using other auth methods like LDAP, RADIUS, and SAML. For example, a user signs into GP, which initiates a SAML auth request to your IdP of choice. An embedded browser pops up to sign into your SSO service URL, and your IdP forces users to change their password. Once completed, the IdP sends a SAML response back to GP, allowing access. This can work with a RADIUS/LDAP server as well. You can also throw Google Authenticator into the mix through RADIUS or SAML.
Are you looking to deploy GlobalProtect for the first time? Do you have an idea of how you want to handle authentication?
Happy to help!
12-17-2024 06:49 PM
Hi jayGolf,
Thanks for the explanation. It is because the GP is mainly for external vendor use. Hence I think it is better to isolate the external vendor login via the firewall features itself.
Anyway, thanks for the explanation.