>
    Enable Two-Factor Authentication Using a Software Token Application
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect User Authentication
    4. Set Up Two-Factor Authentication
    5. Enable Two-Factor Authentication Using a Software Token Application
    Download PDF
    GlobalProtect

    Enable Two-Factor Authentication Using a Software Token Application

    Table of Contents

    Enable Two-Factor Authentication Using a Software Token Application

    Use a software token application for two-factor authentication for GlobalProtect.
    If your organization uses a software token (soft token) application, such as RSA SecurID, to implement two-factor authentication, users are required to first open their software token app and enter their PIN to obtain a passcode, then enter the passcode in their GlobalProtect app in the
    Password
     field. This two-step process complicates the login process.
    To simplify the login process and improve the users’ experience, GlobalProtect offers seamless soft-token authentication. The user enters the RSA PIN in the GlobalProtect
    Password
     field, and GlobalProtect retrieves the passcode from RSA and proceeds with the connection without the user taking the extra step of opening the RSA application.
    This feature is supported for all three RSA modes: PinPad Style (PIN integrated with token code), Fob Style (PIN followed by token code) and Pinless mode. For PinPad and Fob Style, the user enters the PIN in the
    Password
     field and GlobalProtect retrieves the passcode. In Pinless mode, the Password field is grayed out and users enter their username.
    This feature is supported for Windows devices starting with GlobalProtect™ app 5.1.
    1. Change the registry keys on the client Windows devices to enable seamless soft-token authentication.
      You must change the Windows registry on the clients’ Windows devices before you can enable seamless soft-token authentication. GlobalProtect retrieves this registry entry only once, when the GlobalProtect app initializes.
      1. Open the Windows Registry Editor and select
        HKEY_LOCAL_MACHINE
        SOFTWARE
        Palo Alto Networks
        GlobalProtect
        Settings
        .
      2. Change the
        auth-api
         value to
        yes
        .
        Because auth-api is set as
        yes
         in the client machine, you should configure the portal and gateways with RSA-based authentication. No other authentication profile is supported because GlobalProtect will attempt to retrieve the passcode.
        Because the portal and gateway use RSA Authentication, we recommend that you enable cookie-based authentication on gateways. The token that is retrieved for the portal may still be active when GlobalProtect tries to get passcode for the gateway, and authentication may fail because the passcode was already used. Therefore, we suggest that you generate an Authentication Override cookie on the portal and Accept the cookie on the gateway.
    2. Configure the portal and gateway with RSA-based authentication.
    3. Enable cookie-based authentication on the GlobalProtect portal.
      Specifying GlobalProtect to override an existing authentication allows GlobalProtect to overwrite an existing passcode with a newly-created passcode.
      1. Select
        Network
        GlobalProtect
        Portals
        <portal-config>
        ; then select the
        Agent
         tab.
      2. Add
         an Agent config or select an existing one.
      3. Select
        Generate cookie for authentication override
        .
        The authentication cookie includes the following fields:
        • user
          —Username that is used to authenticate the user.
        • domain
          —Domain name of the user.
        • os
          —Application name that is used on the device.
        • hostID
          —Unique ID that is assigned by GlobalProtect to identify the host.
        • gen time
          —Date and time that the authentication cookie was generated.
        • ip
          —IP address of the device that is used to successfully authenticate to GlobalProtect and to obtain the cookie.
    4. Enable the GlobalProtect gateway to accept cookies for authentication overrides.
      1. Select
        Network
        GlobalProtect
        Gateways
        <gateway>
         and select the
        Agent
         tab.
      2. Select
        Client Settings
        , then select the GlobalProtect client config or add a new one.
      3. Select
        Authentication Override
        ; then, select
        Accept cookie for authentication override
        .
        The authentication cookie includes the following fields:
        • user
          —Username that is used to authenticate the user.
        • domain
          —Domain name of the user.
        • os
          —Application name that is used on the device.
        • hostID
          —Unique ID that is assigned by GlobalProtect to identify the host.
        • gen time
          —Date and time that the authentication cookie was generated.
        • ip
          —IP address of the device that is used to successfully authenticate to GlobalProtect and to obtain the cookie.
    5. Select
      Network
      GlobalProtect
      Portals
      <portal-config>
      ; then select the
      Authentication
       tab.
    6. Add
       a new client authentication profile or select an existing one; then, select
      Automatically retrieve passcode from SoftToken application
      .

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.