Supported GlobalProtect Authentication Methods
The following table describes the authentication methods that GlobalProtect supports and provides usage guidelines.
Both the user account credentials and the authentication mechanisms are local to the firewall. This authentication mechanism is not scalable because it requires an account for every GlobalProtect user and is, therefore, advisable for only very small deployments.
The user authentication functions are performed by an external LDAP, Kerberos, TACACS+, or RADIUS service (including support for two-factor, token-based authentication mechanisms, such as one-time password (OTP) authentication). To enable external authentication:
You can use different authentication profiles for each GlobalProtect component. See Set Up External Authentication for instructions. See Remote Access VPN (Authentication Profile) for an example configuration.
If you configure the portal or gateway to authenticate users through Kerberos authentication, users will not have the option to Sign Out of the GlobalProtect app if they authenticate successfully using this authentication method.
If you do not allow the GlobalProtect app to Save User Credentials (NetworkGlobalProtectPortals<portal-config>Agent<agent-config>Authentication), users will not have the option to Sign Out of the app if they authenticate successfully using LDAP, TACACS+, or RADIUS authentication.
Client certificate authentication
For enhanced security, you can configure the portal or gateway to use a client certificate to obtain the username and authenticate the user before granting access to the system.
If you configure the portal or gateway to authenticate users through client certificate authentication, users will not have the option to Sign Out of the GlobalProtect app if they authenticate successfully using only a client certificate.
For an agent configuration profile that specifies client certificates, each user receives a client certificate. The mechanism for providing the certificates determines whether a certificate is unique to each client or the same for all clients under that agent configuration:
Use an optional certificate profile to verify the client certificate that a client presents with a connection request. The certificate profile specifies the contents of the username and user domain fields; lists CA certificates; criteria for blocking a session; and offers ways to determine the revocation status of CA certificates. You must pre-deploy certificates used in certificate profiles to the endpoints before the users’ initial portal login because the certificate is part of the authentication of the endpoint or user for a new session.
The certificate profile specifies which certificate field contains the username. If the certificate profile specifies Subject in the Username Field, the certificate presented by the client must contain a common-name for the client to connect. If the certificate profile specifies a Subject-Alt with an Email or Principal Name as the Username Field, the certificate from the client must contain the corresponding fields, which will be used as the username when the GlobalProtect agent authenticates to the portal or gateway.
GlobalProtect also supports authentication by common access cards (CACs) and smart cards, which rely on a certificate profile. With these cards, the certificate profile must contain the root CA certificate that issued the certificate to the smart card or CAC. If you specify client certificate authentication, you should not configure a client certificate in the portal configuration because the client system provides it when the user connects. For an example of how to configure client certificate authentication, see Remote Access VPN (Certificate Profile).
With two-factor authentication, the portal or gateway uses two mechanisms to authenticate a user, such as a one-time password in addition to AD login credentials. You can enable two-factor authentication on the portal and gateways by configuring a certificate profile and an authentication profile and adding them both to the portal and/or gateway configuration.
You can configure the portal and gateways to use the same authentication methods or use different methods. Regardless, with two-factor authentication, the client must successfully authenticate by the two mechanisms that the component demands before it grants access.
If the certificate profile specifies a Username Field from which GlobalProtect can obtain a username, the external authentication service automatically uses the username to authenticate the user to the external authentication service specified in the authentication profile. For example, if the Username Field in the certificate profile is set to Subject, the value in the common-name field of the certificate is used as the username when the authentication server tries to authenticate the user. If you do not want to force users to authenticate with a username from the certificate, make sure the certificate profile is set to None for the Username Field. See Remote Access VPN with Two-Factor Authentication for an example configuration.
When you enable single sign-on (SSO), the GlobalProtect app uses the user’s Windows login credentials to automatically authenticate and connect to the GlobalProtect portal and gateway. You can also configure the app to wrap third-party credentials to ensure that Windows users can authenticate and connect using a third-party credential provider.
If you enable single sign-on, users running GlobalProtect app 4.1.9 or a later release will not have the option to Sign Out of the app if they authenticate successfully using SSO.
Remote Access VPN with Two-Factor Authentication
Remote Access VPN with Two-Factor Authentication If you configure a GlobalProtect portal or gateway with an authentication profile and a certificate profile (which together can ...
Deploy Machine Certificates for Authentication
Deploy Machine Certificates for Authentication To confirm that the endpoint belongs to your organization, use your own public-key infrastructure (PKI) to issue and distribute machine ...
Remote Access VPN with Pre-Logon
Remote Access VPN with Pre-Logon Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is ...
Set Up GlobalProtect User Authentication
Set Up GlobalProtect User Authentication The GlobalProtect portal and gateway must authenticate the end-user before it allows access to GlobalProtect resources. You must configure authentication ...
Network > GlobalProtect > Portals
Network > GlobalProtect > Portals Select Network > GlobalProtect > Portals to set up and manage a GlobalProtect™ portal. The portal provides the management functions ...
Enable Two-Factor Authentication Using Certificate and Auth...
Enable Two-Factor Authentication Using Certificate and Authentication Profiles The following workflow describes how to configure GlobalProtect client authentication requiring the user to authenticate both to ...
Define the GlobalProtect Client Authentication Configuratio...
Define the GlobalProtect Client Authentication Configurations Each GlobalProtect client authentication configuration specifies the settings that enable the user to authenticate with the GlobalProtect portal. You ...
Set Up External Authentication
Set Up External Authentication The following workflow describes how to set up the GlobalProtect portal and gateways to use an external authentication service. The supported ...
Enable Two-Factor Authentication Using One-Time Passwords (...
Enable Two-Factor Authentication Using One-Time Passwords (OTPs) Use this workflow to configure two-factor authentication using one-time passwords (OTPs) on the portal and gateways. When a ...