GlobalProtect: One-Time Password-based Two Factor Authentication

Created On 09/27/18 07:39 AM - Last Modified 11/11/20 18:20 PM


Resolution


By Sivasekharan Rajasekaran

@srajasekar

 

Background

 

Enterprises require stronger authentication methods, such as One-Time Passwords (OTPs), before allowing users to access corporate resources. By requiring OTP-based authentication, enterprises can prevent attackers from using stolen user credentials to gain unauthorized access. However, any deployment that requires OTP gets push-back from end users, who consider OTPs a painful user experience.

 

Objective

 

GlobalProtect supports OTP-based authentication and also provides ways to keep the user experience smooth. The objective of this document is to give enterprise administrators information about the different OTP authentication workflows in GlobalProtect and help them choose the GlobalProtect authentication scenario that meets their security and compliance requirements while keeping the user experience easy and simple.

 

OTP Authentication for GlobalProtect

 

GlobalProtect supports OTP-based authentication via RADIUS or SAML, which allows GlobalProtect to be completely agnostic to the OTP vendor: GlobalProtect can work with any OTP vendor as long as the vendor exposes it over RADIUS or SAML. Depending on how the OTP service is configured, users authenticate using one of these two workflows:

  1. The user provides username and password first and provides the OTP only after being challenged. The OTP could be push-to-approve, SMS, or a token code.
  2. The user provides username, OTP and/or password all at once, without waiting for a challenge.

GlobalProtect supports both of these workflows.
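As an added illustration (not part of the original article or of any vendor's code), the following Python model shows what happens on the RADIUS wire in the two workflows above: in workflow 1 the RADIUS server answers the password with an Access-Challenge carrying a one-time State token and accepts the OTP only on the request that echoes that token back; in workflow 2 the password and OTP arrive as "password,otp" in a single Access-Request. The user directory, OTP values, shared secret and the comma convention are constructed assumptions for the demo; the User-Password hiding is the RFC 2865 method.

```python
import hashlib
import secrets

# Constructed demo directory and OTP store (not from the article); a real OTP
# proxy checks the password against AD/LDAP and the OTP against the OTP vendor.
USERS = {"alice": b"Passw0rd!"}
VALID_OTPS = {"alice": b"123456"}

def pap_transform(data, secret, authenticator, hide):
    """RFC 2865 5.2 User-Password hiding (hide=True) or its inverse (hide=False)."""
    data = data.ljust(-(-len(data) // 16) * 16, b"\0")      # pad to 16-byte blocks
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if hide else data[i:i + 16]             # chain on the hidden block
    return out if hide else out.rstrip(b"\0")

def make_request(user, password, secret, state=None):
    """Build an Access-Request as the firewall (the RADIUS client) would."""
    auth = secrets.token_bytes(16)                            # Request Authenticator
    req = {"User-Name": user, "Authenticator": auth,
           "User-Password": pap_transform(password, secret, auth, True)}
    if state is not None:
        req["State"] = state                                  # echoed from the challenge
    return req

class OtpRadiusServer:
    """Models the OTP proxy: challenge/response (workflow 1) or password,otp (workflow 2)."""
    def __init__(self, secret):
        self.secret = secret
        self.pending = {}                                     # one-time State -> user

    def handle(self, req):
        user = req["User-Name"]
        pw = pap_transform(req["User-Password"], self.secret, req["Authenticator"], False)
        if "State" in req:                # workflow 1, second leg: State token + OTP
            ok = self.pending.pop(req["State"], None) == user and pw == VALID_OTPS.get(user)
        elif b"," in pw:                  # workflow 2: "password,otp" in one request
            pw, otp = pw.rsplit(b",", 1)
            ok = pw == USERS.get(user) and otp == VALID_OTPS.get(user)
        elif pw == USERS.get(user):       # workflow 1, first leg: password OK, ask for OTP
            state = secrets.token_bytes(16)
            self.pending[state] = user
            return {"Code": "Access-Challenge", "State": state}
        else:
            ok = False
        return {"Code": "Access-Accept" if ok else "Access-Reject"}
```

Because the State token is removed from `pending` when it is consumed, a replayed second-leg request is rejected, which is the property the challenge workflow relies on.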

For a sample RADIUS configuration on Duo that achieves these two workflows, refer to the "Duo Configuration Example" section at the end.

Require OTP based authentication in Always-On mode – Refer here

 

Require OTP based authentication in On-Demand mode

 

When GlobalProtect is deployed in On-Demand mode, the user manually connects with GlobalProtect on an as-needed basis. This mode is the typical secure remote access use case, where remote users set up a VPN tunnel to get access to corporate data center resources and disconnect the VPN when they no longer need access to the internal data center network.

 

Use case 1: Require OTP authentication for GlobalProtect in On-Demand mode using RADIUS

 

With the On-Demand connect method, the GlobalProtect agent always authenticates to the portal first and then to the gateway every time the user initiates a connection to GlobalProtect. Requiring OTP authentication on both portal and gateway would mean that the user gets prompted for an OTP twice (once by the portal and then by the gateway). However, GlobalProtect (starting with PAN-OS 7.1 and GlobalProtect 3.1) offers Authentication Override, a feature that minimizes the number of times a user is prompted for authentication. For more details on Authentication Override, refer to: Enhanced Two-Factor Authentication

Recommended Configuration:

  • Require OTP authentication for both portal and gateway
  • In the portal,
    • Set Save User Credentials to “Save Username Only”
    • Enable authentication override and enable both Generate cookie for authentication override and Accept cookie for authentication override.
    • Set the cookie lifetime to 'N' hours. 'N' hours is how long user will not be prompted for credentials again. Choose 'N' based on the user experience that you want to provide.
  • In the gateway,
    • Enable authentication override and enable both Generate cookie for authentication override and Accept cookie for authentication override.
    • Set the cookie lifetime to 'N' hours.
    • Make sure to use the same certificate to encrypt / decrypt cookies in both portal and gateway.
    • Note: Using a dedicated certificate for encryption and decryption of authentication cookie gives flexibility if there is ever a need to revoke the certificate used for Authentication Override.

[Image: Configuration on the Portal] [Image: Configuration on the Gateway]

 

With this configuration, when the end user manually initiates a connection to GlobalProtect, the end-user experience would be:

  1. Workflow 1 [Image: workflow 1 user experience]
  2. Workflow 2 [Image: workflow 2 user experience]

 

 

 

Use case 2: Require OTP authentication for GlobalProtect in On-Demand mode using SAML

 

Starting with PAN-OS 8.0 and GlobalProtect 4.0, GlobalProtect supports SAML authentication. When using SAML, the GlobalProtect agent opens a web-view (embedded browser) to serve the login page from the SAML IdP and lets the user complete the authentication. Because this is a different browser (the embedded browser):

      • The SAML cookie obtained by authenticating to GlobalProtect can't be used to provide SSO to other SAML-enabled applications, and vice versa.
      • The SAML cookie obtained by authenticating to GlobalProtect does not persist across reboots and logouts.

Note: GlobalProtect App 5.2+ and PAN-OS 8.1.17, 9.0.11, 9.1.6, 10.0+ and later releases support the ability to launch the default system browser instead of the embedded browser when using SAML authentication. More information can be found here.

To achieve transparent authentication even when using OTP via SAML, the recommended configuration is:

      • Require SAML authentication for both portal and the gateway
      • IdP configuration decides how long the SAML cookie is valid. As long as the SAML cookie persists and it is valid, user experiences transparent authentication to GlobalProtect.

 

For information on how to configure SAML authentication for GlobalProtect using Okta, refer here.

 

To provide transparent authentication across reboots and logouts, use the Authentication Override feature of GlobalProtect:

 

      • In the portal,
        • Set Save User Credentials to “Save Username Only”
        • Enable authentication override and enable both Generate cookie for authentication override and Accept cookie for authentication override.
        • Set the cookie lifetime to 'N' hours. 'N' hours is how long user will not be prompted for credentials again. Choose 'N' based on the user experience that you want to provide.
      • In the gateway,
        • Enable authentication override and enable both Generate cookie for authentication override and Accept cookie for authentication override.
        • Set the cookie lifetime to 'N' hours.
        • Make sure to use the same certificate to encrypt / decrypt cookies in both portal and gateway.
        • Note: Using a dedicated certificate for encryption and decryption of authentication cookie gives flexibility if there is ever a need to revoke the certificate used for Authentication Override.

 

For recommendations for OTP authentication in GlobalProtect Always-On mode, refer to the next part of this series here.

 

Duo Configuration Example

The sample configuration for Duo to achieve the two workflows:

For more detailed information on how to set up Duo to provide OTP authentication for GlobalProtect, refer here.

Workflow 1: The user provides username and password first and provides the OTP only after being challenged. The OTP could be push-to-approve, SMS, or a token code.

Workflow 2: The user provides username, OTP and/or password all at once, without waiting for a challenge.

[ad_client]
host=<AD-Server>
service_account_username=<administrator>
service_account_password=<administrator’s password>
search_dn=DC=acme,DC=com

[duo_only_client]

[radius_server_challenge]
ikey=<duo-integration-key>
skey=<duo-security-key>
api_host=<duo-host-name>
radius_ip_1=<firewall-mgmt-ip>
radius_secret_1=<radius-secret>
client=ad_client
failmode=safe
port=1812


