06-01-2024 02:09 PM
Hello,
I need to integrate my FortiAuthenticator, which is located at a remote site, with my PA firewall to add additional authentication factors for users connecting to GlobalProtect.
I haven't been able to find the documentation and procedures to accomplish this. I would appreciate it if someone with experience in this could provide the necessary requirements and configuration steps.
Thank you in advance.
06-06-2024 07:34 AM
Hi @hamza_d ,
Q: Could you clarify what you mean by "native MFA"?
A: Please check the link I provided earlier. I have never had a use case to use this, but my understanding is that the FW is communicating with some kind of API with one of those IdP services (Okta, Duo etc.) instead of using an additional auth protocol.
Q: Based on your experience, which is recommended: using FortiAuthenticator
A: I would say this heavily depends on your requirements, environment and setup. Lately more people are preferring SAML, mainly because it could provide a great Single Sign-On experience for the end users. Also, with RADIUS I am not sure you can have "push notification" for MFA; the user will need to manually type the one-time password. With SAML you can have push notification, allowing the user to just click the "approve" button.
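As an added illustration (not code from this thread, nor from Palo Alto Networks or Fortinet), here is the two-round RADIUS exchange behind the "user types the OTP" experience mentioned above: a PAP Access-Request, an Access-Challenge carrying State and a prompt, then a second Access-Request returning the OTP together with that State. The shared secret, user name, password and OTP are constructed sample values, and the server-side checks are a stand-in for what a RADIUS server such as FortiAuthenticator would do.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # attribute types used here


def pap_crypt(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool = False) -> bytes:
    """RFC 2865 5.2 User-Password hiding: XOR with an MD5 keystream chained over 16-byte blocks."""
    data = data if decrypt else data.ljust(16 * max(1, -(-len(data) // 16)), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out.rstrip(b"\x00") if decrypt else out  # demo only: trailing NULs in a password would be lost


def attr(t: int, value: bytes) -> bytes:
    return struct.pack("!BB", t, len(value) + 2) + value  # Type, Length (incl. header), Value


def parse_attrs(packet: bytes) -> dict:
    attrs, i = {}, 20  # attributes start after the 20-byte header
    while i < len(packet):
        attrs[packet[i]] = packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    return attrs


def access_request(ident: int, secret: bytes, user: bytes, pw: bytes, state: bytes = None) -> bytes:
    """Client side: Access-Request with hidden User-Password; the OTP round echoes the server's State."""
    ra = os.urandom(16)  # Request Authenticator: fresh per request
    body = attr(USER_NAME, user) + attr(USER_PASSWORD, pap_crypt(pw, secret, ra))
    body += attr(STATE, state) if state else b""
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body


def response(code: int, request: bytes, secret: bytes, attrs: list) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attr(t, v) for t, v in attrs)
    hdr = struct.pack("!BBH", code, request[1], 20 + len(body))
    return hdr + hashlib.md5(hdr + request[4:20] + body + secret).digest() + body


def challenge_flow(secret: bytes = b"constructed-shared-secret", otp: bytes = b"123456") -> int:
    """Two rounds: password -> Access-Challenge(State, prompt) -> OTP+State -> Accept/Reject code."""
    req1 = access_request(7, secret, b"alice", b"Passw0rd")
    assert pap_crypt(parse_attrs(req1)[USER_PASSWORD], secret, req1[4:20], decrypt=True) == b"Passw0rd"
    chal = response(ACCESS_CHALLENGE, req1, secret, [(REPLY_MESSAGE, b"Enter OTP"), (STATE, b"sess-1")])
    assert chal[4:20] == hashlib.md5(chal[:4] + req1[4:20] + chal[20:] + secret).digest()  # client check
    req2 = access_request(8, secret, b"alice", otp, state=parse_attrs(chal)[STATE])
    got = parse_attrs(req2)  # server: expected OTP 123456 is a constructed value for the demo
    ok = got.get(STATE) == b"sess-1" and pap_crypt(got[USER_PASSWORD], secret, req2[4:20], decrypt=True) == b"123456"
    return response(ACCESS_ACCEPT if ok else ACCESS_REJECT, req2, secret, [])[0]
```

The State attribute is what ties the OTP round to the first request; a server that ignores it cannot tell which password round it is completing.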
06-03-2024 02:09 AM
Hi @hamza_d ,
I am guessing you are talking about the "native MFA" functionality described here - https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/configure-multi-factor-aut...
There you can see that this can only be used with a handful of third-party IdPs like PingID, Okta, Duo - https://docs.paloaltonetworks.com/compatibility-matrix/mfa-vendor-support
However, as with any other firewall vendor, you can enable MFA using any of the other standard authentication methods - RADIUS, TACACS, SAML.
You can find instructions on how to configure any of these auth. protocols in the first link above. The next step is to enable the MFA, but this is all done on the FortiAuthenticator.
06-03-2024 04:30 PM
Thanks, @aleksandar.astardzhiev,
Could you clarify what you mean by "native MFA"? Based on your experience, which is recommended: using FortiAuthenticator as a RADIUS server or as an IdP server (SAML)?
06-05-2024 03:41 PM
Hi @aleksandar.astardzhiev ,
I am waiting for your response.
Thank you.
06-06-2024 06:48 AM
@aleksandar.astardzhiev wrote:
Hi @hamza_d ,
I am guessing you are talking about the "native MFA" functionality described here - https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/configure-multi-factor-aut...
There you can see that this can only be used with a handful of third-party IdPs like PingID, Okta, Duo - https://docs.paloaltonetworks.com/compatibility-matrix/mfa-vendor-support
However, as with any other firewall vendor, you can enable MFA using any of the other standard authentication methods - RADIUS, TACACS, SAML.
You can find instructions on how to configure any of these auth. protocols in the first link above. The next step is to enable the MFA, but this is all done on the FortiAuthenticator.
Native MFA means native multi-factor authentication.