RSA + LDAP (AD) authentication for GlobalProtect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

RSA + LDAP (AD) authentication for GlobalProtect

L1 Bithead

We're trying to use both RSA token (soft/hard) and AD password to authenticate certain users for GlobalProtect using the client app (not in a browser). The RSA connection is set up to our local RSA servers via RADIUS.

 

Either auth method works fine on its own, and so far the only way I can get both to work is to have the portal query for one and the gateway query for the other, with no authentication cookie.

 

I tried an authentication sequence but that didn't work. It let me in after the first set of credentials were entered. I'm under the impression that an auth sequence just tries the methods in order until one succeeds; it doesn't force multiple methods.

 

Also this: With the portal asking for one and the gateway asking for the other I get 2 separate popups for credentials as expected. But when the 2nd appears it has a big red "Authentication Failed" message in it even though the first authentication (be it RSA or AD) didn't actually fail. Then I enter the 2nd set of credentials and I'm in no problem. But that message is going to be hugely confusing to users.

 

So... am I doing something wrong or missing something obvious here? Thanks!

2 REPLIES 2

Cyber Elite
Cyber Elite

Hi @ccvega ,

 

The most common way to configure GP with RSA MFA is to configure a RADIUS Server Profile pointed to RSA Authentication Manager (VM) which then uses LDAP to authenticate the user against AD and perform MFA for the single login.

 

Would your "local RSA servers" happen to be RSA Authentication Manager?  If so, you should be able to add AD as an LDAP directory.

 

You are correct that an Authentication Sequence will not work.  It is meant for fallback or redundancy, not multiple authentications.

 

The separate methods for the portal and gateway was innovative, but the portal automatically caches the credentials and sends them to the gateway so that the user is not given multiple prompts.  This behavior happens regardless of whether authentication cookies are configured.  When you test each method separately, I assume you are only prompted once yet you logged in to both the portal and gateway.  So, it was the portal credentials that failed against the gateway.  I agree that "that message is going to be hugely confusing to users."

 

The final piece after you configure the RSA Authentication Manager is to configure authentication cookies because you would rather not prompt the users for MFA twice.  Configure the portal to generate the cookie and the gateway to accept the cookie.

 

https://community.rsa.com/s/article/Palo-Alto-NGFW-10-1-7---RSA-Ready-Implementation-Guide

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Thanks for the info. We do indeed have RSA Authentication Manager, and it is currently checking for the presence and status of an AD account at least. Luckily I think we have come up with another solution, so we hopefully won't have to be asking for AD passwords on top of the RSA passcode.

  • 1283 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!