![]() ![]() Lastly, when testing with a Windows client, make sure that the host firewall is allowing UDP port 4501 inbound.Policies > Authentication > Add Authentication Rule As shown below, any user in the trust or gp zone that generates traffic destined to a specific server in the untrust zone will be prompted to authenticate, regardless of whether they are a verified user or not.In the example below, that is what I am using NOTE: If you need a resource for testing, there are plenty of test SSH servers available publicly.Navigate to Policies > Authentication > Add to create an authentication rule.Set the Authentication Profile to the MFA profile that was previously created.Set the Authentication Method to web-form.Navigate to Objects > Authentication > Add to create a new Authentication Enforcement.Set Trusted MFA Gateways to the IP address referenced in your Captive Portal along with port 6082Ĭonfig App Tab App to Configurations Parameters.Set Enable Inbound Authentication Prompts from MFA Prompts (UDP) to Yes.Set Connect Method to User-logon (Always On).Navigate to Network > GlobalProtect > Portals > select the previously configured portal > Agent > select the previously configured config > App > and change the following App Configurations parameters.In my case, its the IP address of my trust interfaceĬaptive Portal window to Enable Captive Portal.Set the Redirect Host to an IP address of an interface on the firewall.Select the SSL/TLS Service Profile and Authentication Profile that were previously created.Navigate to Device > User Identification > Captive Portal and click on the gear icon.On the Advanced tab, select the user group previously created to add to the Allow List.Add the Multi-Factor Authentication Server Profile that was previously created as part of your DUO setup.Check the Enable Additional Authentication Factors box.Enter a Login Attribute of sAMAccountNameĪuthentication Profile to Set User Domain.Navigate to Device > Authentication Profile > Add to create a new profile that consists of the LDAP and DUO Server Profiles that were previously created. ![]() Navigate to Device > Certificate Management > SSL/TLS Service Profile > Add to create a profile that references the root CA created previously.You have already followed the previous articles in this seriesĪlthough this capability can be configured without GlobalProtect for HTTP applications, we are going to focus on non-HTTP applications to highlight the GlobalProtect app's role in the authentication prompt process.I guess we can get it where anyone can log on, but then would have to authenticate via a FW policy, but want to do it before they log onto the VPN.NOTE: This article assumes the following: I don't know what I'm doing wrong and all the MFA documentation appears to be within a policy and not just authenticating to be on the network. ![]() I've either been failing, or getting on the VPN, albeit a slow response time and multiple DUO prompts. I've tried moving it around to be on the gateway and portal, just the gateway, just the portal, etc. I've set it up with one Radius profile with DUO as the second factor. This should connect the user to the VPN right after. The user should point to the portal/gateway, receive a username/password prompt, authenticate via Radius, then receive a text message from DUO (or call) and accept. I'm trying to authenticate to the GlobalProtect gateway or portal via Radius (which is tied back to AD) then to DUO for MFA. I've been looking up and down and can't seem to find a solution.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |