Supported GlobalProtect Authentication Methods

The following table describes the authentication methods that GlobalProtect supports and provides usage guidelines.
Authentication MethodDescription
Local Authentication
Both the user account credentials and the authentication mechanisms are local to the firewall. This authentication mechanism is not scalable because it requires an account for every GlobalProtect user and is, therefore, advisable for only very small deployments.
External authentication
The user authentication functions are performed by an external LDAP, Kerberos, TACACS+, or RADIUS service (including support for two-factor, token-based authentication mechanisms, such as one-time password (OTP) authentication). To enable external authentication:
  • Create a server profile with settings for access to the external authentication service.
  • Create an authentication profile that refers to the server profile.
  • Specify client authentication in the portal and gateway configurations and optionally specify the OS of the endpoint that will use these settings.
You can use different authentication profiles for each GlobalProtect component. See Set Up External Authentication for instructions. See Remote Access VPN (Authentication Profile) for an example configuration.
If you configure the portal or gateway to authenticate users through Kerberos authentication, users will not have the option to Sign Out of the GlobalProtect app if they authenticate successfully using this authentication method.
If you do not allow the GlobalProtect app to Save User Credentials (NetworkGlobalProtectPortals<portal-config>Agent<agent-config>Authentication), users will not have the option to Sign Out of the app if they authenticate successfully using LDAP, TACACS+, or RADIUS authentication.
Client certificate authentication
For enhanced security, you can configure the portal or gateway to use a client certificate to obtain the username and authenticate the user before granting access to the system.
  • To authenticate the user, one of the certificate fields, such as the Subject Name field, must identify the username.
  • To authenticate the endpoint, the Subject field of the certificate must identify the device type instead of the username. (With the pre-logon connect methods, the portal or gateway authenticates the endpoint before the user logs in.)
If you configure the portal or gateway to authenticate users through client certificate authentication, users will not have the option to Sign Out of the GlobalProtect app if they authenticate successfully using only a client certificate.
For an agent configuration profile that specifies client certificates, each user receives a client certificate. The mechanism for providing the certificates determines whether a certificate is unique to each client or the same for all clients under that agent configuration:
  • To deploy client certificates that are unique to each user and device, use SCEP. When a user first logs in, the portal requests a certificate from the enterprise’s PKI. The portal obtains a unique certificate and deploys it to the client.
  • To deploy the same client certificate to all users that receive an agent configuration, deploy a certificate that is Local to the firewall.
Use an optional certificate profile to verify the client certificate that a client presents with a connection request. The certificate profile specifies the contents of the username and user domain fields; lists CA certificates; criteria for blocking a session; and offers ways to determine the revocation status of CA certificates. You must pre-deploy certificates used in certificate profiles to the endpoints before the users’ initial portal login because the certificate is part of the authentication of the endpoint or user for a new session.
The certificate profile specifies which certificate field contains the username. If the certificate profile specifies Subject in the Username Field, the certificate presented by the client must contain a common-name for the client to connect. If the certificate profile specifies a Subject-Alt with an Email or Principal Name as the Username Field, the certificate from the client must contain the corresponding fields, which will be used as the username when the GlobalProtect agent authenticates to the portal or gateway.
GlobalProtect also supports authentication by common access cards (CACs) and smart cards, which rely on a certificate profile. With these cards, the certificate profile must contain the root CA certificate that issued the certificate to the smart card or CAC. If you specify client certificate authentication, you should not configure a client certificate in the portal configuration because the client system provides it when the user connects. For an example of how to configure client certificate authentication, see Remote Access VPN (Certificate Profile).
Two-factor authentication
With two-factor authentication, the portal or gateway uses two mechanisms to authenticate a user, such as a one-time password in addition to AD login credentials. You can enable two-factor authentication on the portal and gateways by configuring a certificate profile and an authentication profile and adding them both to the portal and/or gateway configuration.
You can configure the portal and gateways to use the same authentication methods or use different methods. Regardless, with two-factor authentication, the client must successfully authenticate by the two mechanisms that the component demands before it grants access.
If the certificate profile specifies a Username Field from which GlobalProtect can obtain a username, the external authentication service automatically uses the username to authenticate the user to the external authentication service specified in the authentication profile. For example, if the Username Field in the certificate profile is set to Subject, the value in the common-name field of the certificate is used as the username when the authentication server tries to authenticate the user. If you do not want to force users to authenticate with a username from the certificate, make sure the certificate profile is set to None for the Username Field. See Remote Access VPN with Two-Factor Authentication for an example configuration.
Single Sign-On
(Windows only)
When you enable single sign-on (SSO), the GlobalProtect app uses the user’s Windows login credentials to automatically authenticate and connect to the GlobalProtect portal and gateway. You can also configure the app to wrap third-party credentials to ensure that Windows users can authenticate and connect using a third-party credential provider.
If you enable single sign-on, users running GlobalProtect app 4.1.9 or a later release will not have the option to Sign Out of the app if they authenticate successfully using SSO.

Related Documentation