We have recently purchased a Palo Alto firewall and connect to the VPN using GlobalProtect.
For Teams/SharePoint etc. we use Azure MFA, where a push notification comes through to the authenticator app, and to get this working on GlobalProtect we had to set up a RADIUS server.
The reason we can't use Azure MFA with GlobalProtect is that we want someone to be prompted for MFA every time they connect to the VPN. This works with RADIUS, but with Azure MFA you only get prompted once per hour.
The problem we have is that now we can't use single sign-on for GlobalProtect, as this doesn't work with RADIUS.
Is there any way around this, so we can have single sign-on and be prompted for MFA on the Microsoft Authenticator app every time?
I am not sure if I understand your question, so let me know if I got it wrong.
If you want GlobalProtect to prompt the user only once every hour, the simple way is to use Cookie Authentication on the Portal or Gateway (paloaltonetworks.com).
Basically, when a user has authenticated successfully, the FW will generate a cookie which will be sent to the GP client (you can configure the lifetime of the cookie, i.e. how long after its creation it is considered valid). On the next connection the GP client will first send its cookie (if one exists on the machine); the FW will check its validity and, if it is valid, will authenticate the user without prompting for credentials.
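The following is an added illustration of the cookie mechanism described in this answer; it is a toy model written for this thread, not PAN-OS code, and the real GlobalProtect cookie format is opaque. The signing key, the `alice` username, the one-hour lifetime and the `connect()` helper are all assumptions. The point it shows is that the configured cookie lifetime is exactly the interval between MFA prompts: a valid, unexpired cookie skips the prompt, an expired or tampered cookie forces a full credential plus MFA login, and a lifetime of zero forces MFA on every connection.

```python
"""Toy model of GlobalProtect-style authentication cookies (constructed example)."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed server-side key; in a real deployment this lives on the firewall.
SERVER_KEY = secrets.token_bytes(32)

# Hypothetical lifetime matching the one-hour interval mentioned in the question.
COOKIE_LIFETIME_SECONDS = 3600


def issue_cookie(username: str, issued_at: float,
                 lifetime: int = COOKIE_LIFETIME_SECONDS,
                 key: bytes = SERVER_KEY) -> str:
    """Issued only after a full credential + MFA login has succeeded.

    The cookie carries the user, issue time and expiry, bound by an HMAC so the
    client cannot extend its own lifetime.
    """
    payload = {"user": username, "iat": int(issued_at),
               "exp": int(issued_at) + lifetime}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def validate_cookie(cookie: Optional[str], now: float,
                    key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the username if the cookie is authentic and unexpired, else None."""
    if not cookie or "." not in cookie:
        return None
    body, tag = cookie.rsplit(".", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered cookie
    try:
        payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):
        return None
    if now >= payload["exp"]:
        return None  # lifetime elapsed: the user must do MFA again
    return payload["user"]


def connect(cookie: Optional[str], now: float,
            lifetime: int = COOKIE_LIFETIME_SECONDS,
            key: bytes = SERVER_KEY) -> Tuple[bool, str]:
    """Model one GP connection attempt.

    Returns (prompted_for_mfa, cookie_held_after_connect). The full login path
    is simulated as always succeeding for the hypothetical user 'alice'.
    """
    user = validate_cookie(cookie, now, key)
    if user is not None:
        return False, cookie           # cookie accepted, no prompt
    return True, issue_cookie("alice", now, lifetime, key)  # credentials + MFA push


if __name__ == "__main__":
    prompted, c = connect(None, 0.0)
    print("first connect prompted:", prompted)
    print("reconnect after 30 min prompted:", connect(c, 1800.0)[0])
    print("reconnect after 60 min prompted:", connect(c, 3600.0)[0])
    print("lifetime 0 -> every reconnect prompted:",
          connect(connect(None, 0.0, lifetime=0)[1], 1.0, lifetime=0)[0])
```

With the default lifetime the user is re-prompted only once the cookie expires; setting the lifetime to zero (or leaving cookie authentication off) reproduces the "MFA on every connection" behaviour the question asks for, which is the trade-off the cookie lifetime setting controls.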