Enable Two-Factor Authentication Using One-Time Passwords (OTPs)

Use this workflow to configure two-factor authentication using one-time passwords (OTPs) on the portal and gateways. When a user requests access, the portal or gateway prompts the user to enter an OTP. The authentication service sends the OTP as a token to the user’s RSA device.
Setting up a two-factor authentication scheme is similar to setting up other types of authentication and requires you to configure:
  • A server profile (usually for a RADIUS service for two-factor authentication) assigned to an authentication profile.
  • A client authentication profile that includes the authentication profile for the service that these components use.
By default, the agent supplies the same credentials it used to log in to the portal and to the gateway. With OTP authentication, this behavior causes the authentication to fail initially on the gateway and, because of the delay this introduces before the user is prompted to log in, the user’s OTP may expire. To prevent this, you must configure, on a per-agent-configuration basis, which portals and gateways prompt for the OTP instead of reusing the same credentials.
You can also reduce the frequency with which users are prompted for OTPs by configuring an authentication override. This enables the portals and gateways to generate and accept a secure, encrypted cookie that authenticates the user for a specified amount of time. The portals and/or gateways do not require a new OTP until the cookie expires, which reduces the number of times users must provide an OTP.
  1. After you have configured the back-end RADIUS service to generate tokens for the OTPs and ensured users have any necessary devices (such as a hardware token), set up a RADIUS server to interact with the firewall.
    For specific instructions, refer to the documentation for your RADIUS server. In most cases, you need to set up an authentication agent and a client configuration on the RADIUS server to enable communication between the firewall and the RADIUS server. You also define the shared secret to use for encrypting sessions between the firewall and the RADIUS server.
  2. On each firewall that hosts the gateways and/or portal, create a RADIUS server profile. (For a small deployment, one firewall can host the portal and gateways.)
    1. Select Device > Server Profiles > RADIUS.
    2. Add a new profile.
    3. Enter a Name for this RADIUS profile.
    4. In the Servers area, Add a RADIUS instance and enter:
      • A descriptive Name to identify this RADIUS server
      • The RADIUS Server IP address
      • The shared Secret for encrypting sessions between the firewall and the RADIUS server
      • The Port number on which the RADIUS server listens for authentication requests (default 1812)
    5. Click OK to save the profile.
  3. Create an authentication profile.
    1. Select Device > Authentication Profile.
    2. Add a new profile.
    3. Enter a Name for the profile. The name cannot contain spaces.
    4. Select RADIUS as the Type of authentication service.
    5. Select the Server Profile you created for accessing your RADIUS server.
    6. Enter the User Domain name. The firewall uses this value for matching authenticating users against Allow List entries and for User-ID group mapping.
    7. Select a Username Modifier to modify the username/domain format expected by the RADIUS server.
    8. Click OK to save the authentication profile.
  4. Assign the authentication profile to the GlobalProtect gateway(s) and/or portal.
    You can configure multiple Client Authentication configurations for the portal and gateways. For each Client Authentication configuration you can specify the authentication profile to apply to endpoints of a specific OS.
    This step describes only how to add the authentication profile to the gateway or portal configuration. For additional details on setting up these components, see GlobalProtect Gateways and GlobalProtect Portals.
    1. Select Network > GlobalProtect > Gateways and select an existing gateway configuration by name (or Add one). If you are adding a new gateway, specify its name, location, and network parameters.
    2. On the Authentication tab, select an SSL/TLS service profile or Add a new profile.
    3. Add a Client Authentication configuration and enter its Name.
    4. Select the endpoint OS to which this configuration applies.
    5. Select the Authentication Profile you created in Create an authentication profile.
    6. (Optional) Enter a custom authentication message.
    7. Click OK to save the configuration.
  5. (Optional) Configure the portal or gateways to prompt for a username and password, or only a password, each time the user logs in. Saving the password is not supported with two-factor authentication using OTPs because the user must enter a dynamic password each time they log in.
    This step describes only how to configure the password setting in a portal agent configuration. For additional details, see Customize the GlobalProtect Agent.
    1. Select Network > GlobalProtect > Portals and select an existing portal configuration.
    2. Select Agent.
    3. Select an existing agent configuration or Add one.
    4. Set Save User Credentials to Save Username Only or No. This setting enables GlobalProtect to prompt for dynamic passwords for each component you select in the following step.
    5. Click OK twice to save the configuration.
  6. Select the GlobalProtect components—portal and types of gateways—that prompt for dynamic passwords, such as OTPs, instead of using saved credentials.
    1. Select Network > GlobalProtect > Portals and select an existing portal configuration.
    2. Select Agent.
    3. Select an existing agent configuration or Add one.
    4. Select the Authentication tab, and then select the Components that Require Dynamic Passwords (Two-Factor Authentication). When selected, the portal and/or types of gateways prompt for OTPs.
      Do not select the Components that Require Dynamic Passwords (Two-Factor Authentication) option for any components that use SAML authentication.
    5. Click OK twice to save the configuration.
  7. If single sign-on (SSO) is enabled, disable it. The agent configuration specifies RADIUS as the authentication service, so Kerberos SSO is not supported.
    This step describes only how to disable SSO. For more details, see Define the GlobalProtect Agent Configurations.
    1. Select Network > GlobalProtect > Portals and select the portal configuration.
    2. Select Agent and then select the agent configuration (or Add one).
    3. Select the App tab.
    4. Set Use Single Sign-on to No.
    5. Click OK twice to save the configuration.
  8. (Optional) To minimize the number of times a user must provide credentials, configure an authentication override.
    By default, the portal or gateways authenticate the user with an authentication profile and optional certificate profile. With authentication override, the portal or gateway authenticates the user with an encrypted cookie that it has deployed to the endpoint. While the cookie is valid, the user can log in without entering regular credentials or an OTP. For more information, see Cookie Authentication on the Portal or Gateway.
    If you need to immediately block access to a device whose cookie has not yet expired (for example, if the device is lost or stolen), you can Block Device Access by adding the device to a block list.
    1. Select Network > GlobalProtect > Gateways or Portals and select the configuration (or Add one).
    2. Select Agent > Client Settings (on the gateway) or Agent (on the portal) and then select the configuration (or Add one).
    3. In the Authentication Override area, configure the following:
      • Generate cookie for authentication override—Enable the portal or gateway to generate encrypted, endpoint-specific cookies. After users successfully authenticate, the portal or gateway issues the authentication cookie to the endpoint.
      • Accept cookie for authentication override—Select the check box to instruct the portal or gateway to authenticate the user through a valid, encrypted cookie. When the endpoint presents a valid cookie, the portal or gateway verifies that the cookie was encrypted by the portal or gateway, decrypts the cookie, and then authenticates the user.
        The GlobalProtect app must know the username of the connecting user in order to match and retrieve the associated authentication cookies from the user’s endpoint. After the app retrieves the cookies, it sends them to the portal or gateway for user authentication.
        (Windows only) If you set the Use Single Sign-On option to Yes (SSO is enabled) in the portal agent configuration (Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App), the GlobalProtect app uses the Windows username to retrieve the local authentication cookie for the user. If you set the Use Single Sign-On option to No (SSO is disabled), you must enable the GlobalProtect app to Save User Credentials in order for the app to retrieve the authentication cookie for the user. Set the Save User Credentials option to Yes to save both the username and password or Save Username Only to save only the username.
        (Mac only) Because Mac endpoints do not support single sign-on, you must enable the GlobalProtect app to Save User Credentials in order for the app to retrieve the authentication cookie for the user. Set the Save User Credentials option to Yes to save both the username and password or Save Username Only to save only the username.
      • Cookie Lifetime—Specify the hours, days, or weeks that the cookie is valid. Typical lifetime is 24 hours for gateways—which protect sensitive information—or 15 days for the portal. The range for hours is 1–72; for weeks, 1–52; and for days, 1–365. After the cookie expires on either the portal or gateway (whichever occurs first), the portal or gateway prompts the user to authenticate and subsequently encrypts a new cookie to send to the endpoint.
      • Certificate to Encrypt/Decrypt Cookie—Select the RSA certificate to use to encrypt and decrypt the cookie. You must use the same certificate on the portal and gateways.
        As a best practice, configure the RSA certificate to use the strongest digest algorithm that your network supports.
        The portal and gateways use the RSA encryption padding scheme PKCS#1 v1.5 to generate the cookie (using the public key of the certificate) and decrypt the cookie (using the private key of the certificate).
    4. Click OK twice to save the configuration.
  9. Commit the configuration.
    Click Commit.
  10. Verify the configuration.
    The gateway and portal must be configured before you take this step. For details on setting up these components, see GlobalProtect Gateways and GlobalProtect Portals.
    From an endpoint running the GlobalProtect agent, try to connect to a gateway or portal on which you enabled OTP authentication. You should see two prompts similar to the following:
    The first prompt requests a PIN (either a user- or system-generated PIN): [screenshot: user_defined_PIN.png]
    The second prompt requests your token or OTP: [screenshot: RSA_token.png]

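The authentication override in step 8 can be read as a small protocol, modelled below in Go as an added example (not GlobalProtect's own code): the page documents only the PKCS#1 v1.5 encryption under the shared RSA certificate, the endpoint binding, the Cookie Lifetime and the block list, so the cookie body, the endpoint identifier and the block-list lookup are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/json"
	"errors"
	"time"
)

// OverrideCookie is a constructed model of the authentication override cookie
// (the product's real layout is not on this page): one user, one endpoint,
// and the expiry set by Cookie Lifetime.
type OverrideCookie struct {
	User     string
	Endpoint string // endpoint-specific identifier (assumed)
	Expires  time.Time
}

// GenerateCookie: after a successful OTP login the portal or gateway encrypts
// the cookie with the shared certificate's public key, PKCS#1 v1.5 padding.
func GenerateCookie(pub *rsa.PublicKey, user, endpoint string, lifetime time.Duration, now time.Time) ([]byte, error) {
	plain, err := json.Marshal(OverrideCookie{User: user, Endpoint: endpoint, Expires: now.Add(lifetime)})
	if err != nil {
		return nil, err
	}
	return rsa.EncryptPKCS1v15(rand.Reader, pub, plain)
}

// AcceptCookie: decrypt with the same certificate's private key (a cookie issued
// under another certificate fails here), then require a matching user/endpoint,
// an unexpired lifetime, and a device not on the lost/stolen block list.
func AcceptCookie(priv *rsa.PrivateKey, blob []byte, user, endpoint string, blocked map[string]bool, now time.Time) (bool, error) {
	plain, err := rsa.DecryptPKCS1v15(rand.Reader, priv, blob)
	if err != nil {
		return false, errors.New("cookie was not encrypted with this certificate")
	}
	var c OverrideCookie
	if json.Unmarshal(plain, &c) != nil || c.User != user || c.Endpoint != endpoint {
		return false, errors.New("malformed cookie, or bound to another user or endpoint")
	}
	if !now.Before(c.Expires) {
		return false, errors.New("cookie expired: prompt for OTP and issue a new cookie")
	}
	if blocked[endpoint] {
		return false, errors.New("device is on the block list")
	}
	return true, nil
}
```

The expiry check is what makes the 24-hour gateway lifetime meaningful: a cookie that is still valid on the portal but expired on the gateway is rejected there, and the user is prompted for a new OTP.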