GlobalProtect: One-Time Password-based Two Factor Authentication -- Always-On

Require OTP-based authentication in Always-On mode

When GlobalProtect is configured in Aways-On mode, the GlobalProtect agent automatically connects to
GlobalProtect as soon as the user logs in to the endpoint. In an Always-On mode, the GlobalProtect agent
connects to the portal when the user manually selects Connect or Rediscover Network options or periodically
at a configured interval (default 24 hours). At all other times, such as sleep / wake-up or log off / log in, the
GlobalProtect agent talks to the gateway only.

Use case 1: Require OTP authentication for GlobalProtect in Always-On mode using RADIUS

Requiring OTP authentication for GlobalProtect in Always-on mode is even more painful for an enduser.
Enduser would get prompted for OTP every time GlobalProtect attempts to connect, which is every time
there is a sleep / wake-up or network change or log off / log in. Using GlobalProtect's Authentication Override
feature minimizes the number of times user gets prompted for OTP and provides a better user experience.
Recommended configuration for this use case:

Option 1:

• Require OTP authentication for both portal and gateway
• In the portal,
  • Set Save User Credentials to “Yes”
  • Enable authentication override and enable both Generate cookie for authentication override and accept cookie for authentication override.
  • Set the cookie lifetime to 'N' hours. 'N' hours is how long the user will not be prompted for credentials again. Choose 'N' based on the user experience that you want to provide. Typically 24 hours could be a good value for cookie lifetime.
  • Consideration:
    • In case the RADIUS / OTP server is configured to require Username & Password and OTP all at once without having to wait for a challenge, then in the Portal
      • Set Save User Credentials to "Save Username only" and
      • Under Components that Require Dynamic Passwords, enable those components of GlobalProtect that require OTP. For example, enable the checkboxes for Portal and External gateways-auto discovery if portal and auto-discovery gateways are the only components that require OTP.

   Portal – Agent client configuration

• In the gateway,
  • Enable authentication override and enable both Generate cookie for authentication override and accept cookie for authentication override.
  • Set the cookie lifetime to 'N' hours. Typically 24 hours could be a good value for cookie lifetime.
  • Make sure to use the same certificate to encrypt / decrypt cookies in both portal and gateway.
  • Note: Using a dedicated certificate for encryption and decryption of authentication cookie gives flexibility if there is ever a need to revoke the certificate used for Authentication Override.

   Gateway OTP configuration

With this GlobalProtect configuration and with the OTP server configured to require the user to provide Username / Password first, and then require OTP only after being challenged, the end user experience would be:

Option 2:

• Require OTP for the Portal and Manual only gateways
• Require Certificate and Active Directory credentials for Auto Discovery gateways
• In the portal,
  • Set Save User Credentials to “Yes”
  • Enable authentication override and enable both Generate cookie for authentication override and accept cookie for authentication override.
  • Set the cookie lifetime to 'N' days. 'N' days is how long user will not be prompted for credentials again. Choose 'N' based on the user experience that you want to provide. Typically 14 days could be a good value for cookie lifetime.
  • Consideration:
    • In case the RADIUS / OTP server is configured to require Username & Password and OTP all at once without having to wait for a challenge, then in the Portal
      • Set Save User Credentials to "Save Username only" and
      • Under Components that Require Dynamic Passwords, enable those components of GlobalProtect that require OTP. For example, enable the checkboxes for Portal and External gateways-auto discovery if portal and auto-discovery gateways are the only components that require OTP.
    • If the client certificate required for authentication to auto discovery gateways has not been distributed yet, consider using SCEP.
      • This SCEP issued certificate can be used as client certificate for auto discovery gateways.
      • Set the SCEP Certificate Renewal Period to 10 days.

   Portal – Agent client configuration

   Certificate Renewal Period for SCEP

• In the auto discovery gateways,
  • Require both Certificate and AD / LDAP authentication
  • Enable authentication override and enable both Generate cookie for authentication override and accept cookie for authentication override.
  • Set the cookie lifetime to 'N' hours. Typically 24 hours could be a good value for cookie lifetime.
  • Make sure to use the same certificate to encrypt / decrypt cookies in both portal and gateway.

   Gateway OTP configuration

• In the manual only gateways,
  • Require OTP Authentication
  • Do not enable Generate cookie for authentication override and do not enable Accept cookie for authentication override.

 With this GlobalProtect configuration and with OTP server configured to require the user to provide Username / Password first and then require OTP only after being challenged, the end user experience would be:

Use case 2: Require OTP authentication for GlobalProtect in On-Demand mode using SAML

Using SAML is another way of achieving OTP based authentication for GlobalProtect. For more details on
SAML support in GlobalProtect and the recommended configurations, please check here: GlobalProtect: One Time Password based Two Factor Authentication

While RADIUS or SAML support in GlobalProtect allows you to achieve OTP based authentication at the time of connecting to GlobalProtect, Multi-Factor Authentication (MFA) provides a way to require OTP at the time of accessing specific resources. More on this in the next article.