Remote Access VPN with Two-Factor Authentication

If you configure a GlobalProtect portal or gateway with an authentication profile and a certificate profile (which together can provide two-factor authentication), the end user must succeed at authentication through both profiles before gaining access. For portal authentication, this means that certificates must be pre-deployed to the end clients before their initial portal connection. Additionally, the client certificate presented by a client must match what is defined in the certificate profile.
  • If the certificate profile does not specify a username field (that is, the Username Field is set to None), the client certificate does not need to have a username. In this case, the client must provide the username when authenticating against the authentication profile.
  • If the certificate profile specifies a username field, the certificate that the client presents must contain a username in the corresponding field. For example, if the certificate profile specifies that the username field is Subject, the certificate presented by the client must contain a value in the common-name field, or else the authentication fails. In addition, when the username field is required, the value from the username field of the certificate is automatically populated as the username when the user attempts to enter credentials for authenticating to the authentication profile. If you do not want to force users to authenticate with a username from the certificate, do not specify a username field in the certificate profile.
This quick configuration uses the same topology as GlobalProtect VPN for Remote Access. However, in this configuration the clients must authenticate against a certificate profile and an authentication profile. For more details on a specific type of two-factor authentication, see the following topics:
Use the following procedure to configure VPN Remote Access with Two-Factor Authentication.
  1. Create Interfaces and Zones for GlobalProtect.
    Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
    • Select Network > Interfaces > Ethernet and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 203.0.113.1 and assign it to the l3-untrust security zone and the default virtual router.
    • Create a DNS “A” record that maps IP address 203.0.113.1 to gp.acme.com.
    • Select Network > Interfaces > Tunnel and add the tunnel.2 interface and add it to a new zone called corp-vpn. Assign it to the default virtual router.
    • Enable User Identification on the corp-vpn zone.
  2. Create a security policy to enable traffic flow between the corp-vpn zone and the l3-trust zone to enable access to your internal resources.
    1. Select Policies > Security and then click Add to add a new rule.
    2. For this example, you would define the rule with the following settings:
      • Name—VPN Access
      • Source Zone—corp-vpn
      • Destination Zone—l3-trust
  3. Obtain a server certificate for the interface hosting the GlobalProtect portal and gateway using one of the following methods:
    Select Device > Certificate Management > Certificates to manage certificates as follows:
    • Obtain a server certificate. Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
    • The CN of the certificate must match the FQDN, gp.acme.com.
    • To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
  4. Issue client certificates to GlobalProtect clients and endpoints.
    1. Use your enterprise PKI or a public CA to issue a unique client certificate to each GlobalProtect user.
    2. Install certificates in the personal certificate store on the endpoints.
  5. Create a client certificate profile.
    1. Select Device > Certificate Management > Certificate Profile, Add and enter a profile Name such as GP-client-cert.
    2. Specify where to get the username that will be used to authenticate the end user:
      • From user—If you want the end user to supply a username when authenticating to the service specified in the authentication profile, select None as the Username Field.
      • From certificate—If you want to extract the username from the certificate, select Subject as the Username Field. If you use this option, the CN contained in the certificate will automatically populate the username field when the user is prompted to log in to the portal/gateway, and the user will be required to log in using that username.
    3. In the CA Certificates section, Add and then select the CA Certificate that issued the client certificates, and click OK twice.
  6. Create a server profile.
    The server profile instructs the firewall how to connect to the authentication service. Local, RADIUS, Kerberos, SAML, and LDAP authentication methods are supported. This example shows an LDAP authentication profile for authenticating users against the Active Directory.
    Create the server profile for connecting to the LDAP server (Device > Server Profiles > LDAP).
  7. (Optional) Create an authentication profile.
    Attach the server profile to an authentication profile (Device > Authentication Profile).
  8. Configure a GlobalProtect Gateway.
    See the topology diagram shown in GlobalProtect VPN for Remote Access.
    Select Network > GlobalProtect > Gateways and add the following configuration:
    • Interface: ethernet1/2
    • IP Address: 203.0.113.1
    • Server Certificate: GP-server-cert.pem issued by GoDaddy
    • Certificate Profile: GP-client-cert
    • Authentication Profile: Corp-LDAP
    • Tunnel Interface: tunnel.2
    • IP Pool: 10.31.32.3 - 10.31.32.118
  9. Configure the GlobalProtect Portals.
    Select Network > GlobalProtect > Portals and add the following configuration:
    1. Set Up Access to the GlobalProtect Portal:
      • Interface: ethernet1/2
      • IP Address: 203.0.113.1
      • Server Certificate: GP-server-cert.pem issued by GoDaddy
      • Certificate Profile: GP-client-cert
      • Authentication Profile: Corp-LDAP
    2. Define the GlobalProtect Agent Configurations:
      • Connect Method: On-demand (Manual user initiated connection)
      • External Gateway Address: gp.acme.com
  10. Deploy the GlobalProtect Agent Software.
    Select Device > GlobalProtect Client.
    In this example, use the procedure to Host Agent Updates on the Portal.
  11. (Optional) Deploy Agent Settings Transparently.
    As an alternative to deploying agent settings from the portal configuration, you can define settings directly from the Windows registry or global Mac plist. Examples of settings that you can deploy include specifying the portal IP address or enabling GlobalProtect to initiate a VPN tunnel before a user logs in to the device and connects to the GlobalProtect portal. On Windows clients only, you can also configure settings using the MSIEXEC installer. For additional information, see Customizable Agent Settings.
  12. (Optional) Enable use of the GlobalProtect mobile app.
    Purchase and install a GlobalProtect subscription (Device > Licenses) to enable use of the app.
  13. Save the GlobalProtect configuration.
    Click Commit.
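
The certificate-profile rules from the introduction and step 5, written as a pre-deployment check on the client certificates issued in step 4. This is an added example, not Palo Alto Networks code: it uses the openssl CLI, the function names, file names and certificate subjects are constructed for illustration, and it checks only chaining to the profile CA and presence of a CN, not everything the firewall evaluates.

```sh
#!/bin/sh
# Added example: pre-deployment check of client certificates against the two
# certificate-profile variants in step 5. Names and subjects are constructed.

# check_client_cert CA_PEM CERT_PEM USERNAME_FIELD   (USERNAME_FIELD: None|Subject)
# Prints a verdict; returns 0 only if the certificate satisfies the profile.
check_client_cert() {
  # The certificate must chain to the CA listed in the profile and be in date.
  if ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "FAIL: does not verify against profile CA"; return 1
  fi
  if [ "$3" = "Subject" ]; then
    # Username Field = Subject: the subject must carry a common name.
    cc_cn=$(openssl x509 -in "$2" -noout -subject -nameopt multiline |
            sed -n 's/^ *commonName *= *//p' | head -n 1)
    if [ -z "$cc_cn" ]; then
      echo "FAIL: Subject has no CN to use as username"; return 1
    fi
    echo "OK: username=$cc_cn"
  else
    echo "OK: username supplied by user"
  fi
}

# make_demo_pki DIR: throwaway CA plus three constructed test certificates.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=Example/CN=Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
  # jdoe: issued by the CA with a CN; kiosk: issued by the CA without a CN.
  for mp_s in "jdoe=/O=Example/CN=jdoe" "kiosk=/O=Example/OU=Kiosk"; do
    openssl req -new -newkey rsa:2048 -nodes -subj "${mp_s#*=}" \
      -keyout "$1/${mp_s%%=*}.key" -out "$1/${mp_s%%=*}.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/${mp_s%%=*}.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
      -CAcreateserial -days 1 -out "$1/${mp_s%%=*}.pem" 2>/dev/null || return 1
  done
  # other: has a CN but is self-signed, so it does not chain to the profile CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=jdoe" \
    -keyout "$1/other.key" -out "$1/other.pem" 2>/dev/null
}

demo_dir=$(mktemp -d) && make_demo_pki "$demo_dir" &&
for demo_c in jdoe kiosk other; do
  for demo_f in None Subject; do
    printf '%s / %s: ' "$demo_c" "$demo_f"
    check_client_cert "$demo_dir/ca.pem" "$demo_dir/$demo_c.pem" "$demo_f" || true
  done
done
rm -rf "$demo_dir"
```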
