DOTW: MFA and 2FA for GP and NGFW

L7 Applicator


Hello everyone! 

 

If you don't remember, we used to blog about different discussions that would come up on the LIVEcommunity discussion areas that we felt needed to be talked about in a weekly blog, aka Discussion of the Week (DOTW).

 

This week's topic is Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) for GlobalProtect (GP) and PAN-OS.

 

To start with, the main difference between MFA and 2FA is simple. Authentication factors fall into three categories: something you know, something you have, and something you are. Two-factor authentication always uses exactly two of these factors to verify the user's identity. Multi-factor authentication could involve two of the factors or it could involve all three. "Multi-factor" just means any number of factors greater than one.

 

I am grouping these together in order to help clear up confusion as well as to help provide information and links on the configuration articles that we have on TechDocs.

 

There were actually 2 different threads that were talking about these subjects:

https://live.paloaltonetworks.com/t5/general-topics/globalprotect-mfa-with-rsa-secureid-with-radius/...

https://live.paloaltonetworks.com/t5/general-topics/globalprotect-2fa/td-p/236374

 

Both of these threads are talking about ways to use MFA or 2FA with GlobalProtect. 

Now, these topics are covered in depth in the Administrator Guides on the Palo Alto Networks TechDocs site (https://docs.paloaltonetworks.com/), but I will try to talk a little about them here.

 

Overview of Multi Factor Authentication with Palo Alto Networks devices

Configuring MFA and 2FA can be tricky at times, as there are many moving components to get this to work properly.

 

One thing to look at is the order of authentication profiles in: GlobalProtect Gateway Configuration/Authentication.

 

The other is to ensure that the shared secret is set properly.

 

There are other things that can complicate things inside of the configurations, but it is always recommended that you start with the Admin Guides, and then if needed, reach out to others here on the LIVEcommunity Discussion Areas (General Topics or GlobalProtect Discussions) for help.

 

More Info

For all of the information on configuring Authentication, please see these Admin Guides from the TechDocs area:
Note: Please remember that there are different guides depending on what version you select, so check the versions on the left-hand side of the window. You even have options to download the PDF file!

For setting up GP 2FA, please see: Set Up Two-Factor Authentication. There are sections there for using Certificate and Auth profiles, One Time Passwords (OTP), Smart Cards, and even Software Tokens.

 

For setting up MFA and PAN-OS, please see: Configure Multi-Factor Authentication. There are sections there for RSA SecurID, Okta, and even Duo.

 

For MFA support, please see the MFA Vendor Support page.

 

Thanks for taking time to read my blog.
If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog area.

 

As always, we welcome all comments and feedback in the comments section below.

 

Stay Secure,
Joe Delio
End of line

5 Comments
L3 Networker

Why can GlobalProtect clients not use OTP from Google Authenticator to log in? If it is possible, can you please provide us the link?

L7 Applicator

@NavidAlam 

There were a couple of articles that we have had that explain GP and OTP.. maybe not specifically with Google Auth.. but it should give you enough information to help.

 

Please check these 2 articles..

https://live.paloaltonetworks.com/t5/integration-articles/globalprotect-one-time-password-based-two-...

 

https://live.paloaltonetworks.com/t5/integration-articles/globalprotect-one-time-password-based-two-...

 

If this does not help, please post a question either to the General Topics or GlobalProtect discussion areas.

L0 Member

Is there a way to pass the "more information required" MFA enrollment screen and process from Microsoft through the Global Protect client? 

 

Example:

Using the Global Protect with On-Prem NPS Server to Azure MFA

 

User has not enrolled in MFA and connects to the Global Protect client, they get an Invalid username or password, instead of being prompted "Require more information" from Microsoft.

 

 

L0 Member

Can the Palo Alto NGFW use Google Authenticator like our DATTO appliance does for 2FA?

 

Any help would be greatly appreciated, as we are wanting to set up 2FA for those that connect remotely using the Global Protect VPN client to access our network resources on our LAN.

 

Mike

IT Guy

L1 Bithead

Mike, you would need an MFA vendor that supports Radius.
