RSA + LDAP (AD) authentication for GlobalProtect


L1 Bithead

We're trying to use both RSA token (soft/hard) and AD password to authenticate certain users for GlobalProtect using the client app (not in a browser). The RSA connection is set up to our local RSA servers via RADIUS.

 

Either auth method works fine on its own, and so far the only way I can get both to work is to have the portal query for one and the gateway query for the other, with no authentication cookie.

 

I tried an authentication sequence but that didn't work. It let me in after the first set of credentials was entered. I'm under the impression that an auth sequence just tries the methods in order until one succeeds; it doesn't force multiple methods.

 

Also this: With the portal asking for one and the gateway asking for the other I get 2 separate popups for credentials as expected. But when the 2nd appears it has a big red "Authentication Failed" message in it even though the first authentication (be it RSA or AD) didn't actually fail. Then I enter the 2nd set of credentials and I'm in no problem. But that message is going to be hugely confusing to users.

 

So... am I doing something wrong or missing something obvious here? Thanks!

2 REPLIES

Cyber Elite

Hi @ccvega ,

 

The most common way to configure GP with RSA MFA is to configure a RADIUS Server Profile pointed to RSA Authentication Manager (VM) which then uses LDAP to authenticate the user against AD and perform MFA for the single login.

 

Would your "local RSA servers" happen to be RSA Authentication Manager?  If so, you should be able to add AD as an LDAP directory.

 

You are correct that an Authentication Sequence will not work.  It is meant for fallback or redundancy, not multiple authentications.

 

The separate methods for the portal and gateway were innovative, but the portal automatically caches the credentials and sends them to the gateway so that the user is not given multiple prompts. This behavior happens regardless of whether authentication cookies are configured. When you test each method separately, I assume you are only prompted once yet you logged in to both the portal and gateway. So, it was the portal credentials that failed against the gateway. I agree that "that message is going to be hugely confusing to users."

 

The final piece after you configure the RSA Authentication Manager is to configure authentication cookies because you would rather not prompt the users for MFA twice.  Configure the portal to generate the cookie and the gateway to accept the cookie.

 

https://community.rsa.com/s/article/Palo-Alto-NGFW-10-1-7---RSA-Ready-Implementation-Guide

 

Thanks,

 

Tom


Thanks for the info. We do indeed have RSA Authentication Manager, and it is currently checking for the presence and status of an AD account at least. Luckily I think we have come up with another solution, so we hopefully won't have to be asking for AD passwords on top of the RSA passcode.
