- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
10-17-2023 10:02 AM
Hello Folkes,
I am demoing a PA-1410 and am having a use case problem.
We currently use Pulse Secure VPN concentrators, and are looking for an alternative due to past security issues..
The Pulse concentrator works to allow us to:
- Login w/ Radius Username + Password
- Then get a secondary MFA login to authenticate against an RSA ACE server for our second factor.
- This setup allows the Pulse concentrator to broker both pieces of the auth process.
The Palo device appears to not support on-premises MFA for SecurID, only cloud based.
The person who administers the RSA SecurID server tells me that if he enables the radius server on the RSA application, then all connections that authenticate through that server will require two factor. (It is an all or nothing approach)
Our environment requires that we have classes of authentication. We want certain external connected type devices to require two factor (The VPN concentrators would be one) and with internal connections we want to authenticate against the radius server only.
I think that I can configure free-radius to do this with a proxied connection to the RSA server with certain auth groups, but I'm not sure. The documentation on this is rather weak.
Does anyone have any experience with this problem space? Can you point me to some documentation?
Thanks,
Paul Diggins
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!