Seamless Soft-Token Authentication from GlobalProtect App

Describes how GlobalProtect integrates the RSA OTP soft-token when signing in.
Software Support: Starting with GlobalProtect™ app 5.1.
OS support: Windows operating systems (requires registry key changes)
To simplify the login process and improve the users’ experience, GlobalProtect offers seamless soft-token authentication with a two-factor authentication vendor such as RSA SecurID. The user enters the RSA PIN in the GlobalProtect Password field, and GlobalProtect retrieves the passcode from RSA and proceeds with the connection without the user taking the extra step of opening the RSA application.
With this change, users no longer need a two-step process where they are required to first open their software token app and enter their PIN to obtain a passcode, then enter the passcode in the Password field of their GlobalProtect app.
Seamless soft-token authentication is supported for all three RSA modes: PinPad Style (PIN integrated with token code), Fob Style (PIN followed by token code) and Pinless mode. For PinPad and Fob Style, the user enters the PIN in the Password field and GlobalProtect retrieves the passcode. In Pinless mode, the Password field is grayed out and users enter only their username.
  1. Change the registry keys on the client Windows devices to enable seamless soft-token authentication.
    You must change the Windows registry on the clients’ Windows devices before you can enable seamless soft-token authentication. GlobalProtect retrieves this registry entry only once, when the GlobalProtect app initializes.
    1. Open the Windows Registry Editor and select HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings.
    2. Change the auth-api value to yes.
      Because auth-api is set to yes on the client machine, you should configure the portal and gateways with RSA-based authentication. No other authentication profile is supported because GlobalProtect will attempt to retrieve the passcode.
      Because the portal and gateway use RSA authentication, we recommend that you enable cookie-based authentication on gateways. The token that is retrieved for the portal may still be active when GlobalProtect tries to get a passcode for the gateway, and authentication may fail because the passcode was already used. Therefore, we suggest that you generate an Authentication Override cookie on the portal and accept the cookie on the gateway.
  2. Configure the portal and gateway with RSA-based authentication.
  3. Enable cookie-based authentication on the GlobalProtect portal.
    Specifying that GlobalProtect override an existing authentication allows GlobalProtect to overwrite an existing passcode with a newly created passcode.
    1. Select Network > GlobalProtect > Portals > <portal-config>; then select the Agent tab.
    2. Add an Agent config or select an existing one.
    3. Select Generate cookie for authentication override.
  4. Enable the GlobalProtect gateway to accept cookies for authentication overrides.
    1. Select Network > GlobalProtect > Gateways > <gateway> and select the Agent tab.
    2. Select Client Settings, then select the GlobalProtect client config or add a new one.
    3. Select Authentication Override; then, select Accept cookie for authentication override.
  5. Select Network > GlobalProtect > Portals > <portal-config>; then select the Authentication tab.
  6. Add a new client authentication profile or select an existing one; then, select Automatically retrieve passcode from SoftToken application.
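The client-side part of this procedure (step 1, the registry change) can be applied and audited with a script instead of the Registry Editor, which is how it would normally be rolled out to a fleet. The following PowerShell is an added example, not code from Palo Alto Networks or from this documentation; it assumes the auth-api value is a REG_SZ string (the page does not state the value type) and that it runs in an elevated session, since the key lives under HKEY_LOCAL_MACHINE.

```powershell
# Added example (not Palo Alto Networks code): set and verify the GlobalProtect
# auth-api registry value that enables seamless soft-token authentication.
# Assumptions: auth-api is a REG_SZ string; the session is elevated (HKLM write).

$KeyPath   = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings'
$ValueName = 'auth-api'
$Desired   = 'yes'

function Test-GpAuthApi {
    # Audit helper: $true only when the client already has auth-api = yes.
    $v = (Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
              -ErrorAction SilentlyContinue).$ValueName
    return ($v -eq $Desired)
}

function Set-GpAuthApi {
    # Writes auth-api = yes, creating the Settings key if the app has not yet
    # created it, and reads the value back to confirm the write took effect.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }

    if (Test-GpAuthApi) {
        Write-Host "$ValueName is already '$Desired'; nothing to do."
        return $true
    }

    # -PropertyType String writes REG_SZ (assumed type, see above).
    New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value $Desired `
        -PropertyType String -Force | Out-Null

    if (-not (Test-GpAuthApi)) {
        Write-Warning "Failed to set $ValueName under $KeyPath."
        return $false
    }

    # The app reads this entry only when it initializes, so a restart of the
    # GlobalProtect app is required before the new value is honoured.
    Write-Host "$ValueName set to '$Desired'. Restart the GlobalProtect app to apply it."
    return $true
}

# Apply only when needed, then report the final state.
if (-not (Test-GpAuthApi)) { Set-GpAuthApi | Out-Null }
Test-GpAuthApi
```

Run Test-GpAuthApi on its own to audit a machine without changing it. Because auth-api = yes commits the client to RSA-based authentication on the portal and gateways (no other authentication profile is supported once it is set), keeping an inventory of which clients return $true from this check, alongside the portal and gateway authentication configuration, avoids login failures on machines that were flagged before the portal was switched to RSA.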