Remote Access VPN with Two-Factor Authentication
If you configure a GlobalProtect portal or gateway with an authentication profile and a certificate profile (which together can provide two-factor authentication), the end user must authentication through both profiles successfully before gaining access. For portal authentication, this means that certificates must be pre-deployed on the endpoints before their initial portal connection. Additionally, the client certificate presented by a user must match what is defined in the certificate profile.
- If the certificate profile does not specify a username field (Username Field is set to None), the client certificate does not require a username. In this case, the user must provide the username when authenticating against the authentication profile.
- If the certificate profile specifies a username field, the certificate that the user presents must contain a username in the corresponding field. For example, if the certificate profile specifies that the username field is Subject, the certificate presented by the user must contain a value in the common-name field, or else authentication fails. In addition, when the username field is required, the value from the username field of the certificate is automatically populated as the username when the user attempts to enter credentials for authenticating to the authentication profile. If you do not want force users to authenticate with a username from the certificate, do not specify a username field in the certificate profile.
This quick configuration uses the same topology as GlobalProtect VPN for Remote Access. However, in this configuration, users must authenticate against a certificate profile and an authentication profile. For more details on a specific type of two-factor authentication, see the following topics:
Use the following procedure to configure remote VPN access with two-factor authentication.
Interfaces and Zones for GlobalProtect.Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
- Select NetworkInterfacesEthernet. Configure ethernet1/2 as a Layer3 Ethernet interface with IP address 203.0.113.1 and assign it to the l3-untrustSecurity Zone and the default Virtual Router.
- Create a DNS “A” record that maps IP address 203.0.113.1 to gp.acme.com.
- Select NetworkInterfacesTunnel and Add the tunnel.2 interface. Add the tunnel interface to a new Security Zone called corp-vpn, and then assign it to the default Virtual Router.
- Enable User Identification on the corp-vpn zone.
- Create security policies to enable traffic flow between
the corp-vpn zone and the l3-trustzone,
which enables access to your internal resources.
- Select PoliciesSecurity, and then click Add to create a new rule.
- For this example, you would define the rule with the
- Name (General tab)—VPN Access
- Source Zone (Source tab)—corp-vpn
- Destination Zone (Destination tab)—l3-trust
- Use one of the following methods to obtain a server certificate
for the interface hosting the GlobalProtect portal and gateway:Select DeviceCertificate ManagementCertificates to manage certificates as follows:
- Obtain a server certificate. Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
- The CN of the certificate must match the FQDN, gp.acme.com.
- To enable users to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
client certificates to GlobalProtect clients and endpoints.
- Use your enterprise PKI or a public CA to issue a unique client certificate to each GlobalProtect user.
- Install certificates in the personal certificate store on the endpoints.
a client certificate profile.
- Select DeviceCertificate ManagementCertificate Profile. Add a new certificate profile, and then enter a profile Name such as GP-client-cert.
- Specify where to obtain the username that will be
used to authenticate the end user:
- From user—If you want the end user to supply a username when authenticating to the service specified in the authentication profile, select None as the Username Field.
- From certificate—If you want to extract the username from the certificate, select Subject as the Username Field. If you use this option, the CN contained in the certificate automatically populates the username field when the user is prompted to log in to the portal/gateway. The user is required to log in using that username.
- In the CA Certificates area, Add the CA certificate that issued the client certificates. Click OK twice.
a server profile.The server profile instructs the firewall on how to connect to the authentication service. Local, RADIUS, Kerberos, SAML, and LDAP authentication methods are supported. This example shows an LDAP authentication profile for authenticating users against the Active Directory.Create the server profile for connecting to the LDAP server (DeviceServer ProfilesLDAP).
Create an authentication profile.Attach the server profile to an authentication profile (Device> Authentication Profile).
a GlobalProtect Gateway.See the topology diagram shown in GlobalProtect VPN for Remote Access.Select NetworkGlobalProtectGateways, and then Add the following configuration:Interface—ethernet1/2IP Address—203.0.113.1Server Certificate—GP-server-cert.pem issued by GoDaddyCertificate Profile—GP-client-certAuthentication Profile—Corp-LDAPTunnel Interface—tunnel.2IP Pool—10.31.32.3 - 10.31.32.118
- Configure the GlobalProtect
Portals.Select NetworkGlobalProtectPortals, and then Add the following configuration:
Up Access to the GlobalProtect Portal:Interface—ethernet1/2IP Address—203.0.113.1Server Certificate—GP-server-cert.pem issued by GoDaddyCertificate Profile—GP-client-certAuthentication Profile—Corp-LDAP
the GlobalProtect Agent Configurations:Connect Method—On-demand (Manual user initiated connection)External Gateway Address—gp.acme.com
- Set Up Access to the GlobalProtect Portal:
the GlobalProtect App Software.Select DeviceGlobalProtect Client.. Follow the procedure to Host App Updates on the Portal.
- (Optional) Deploy App Settings Transparently.As an alternative to deploying app settings from the portal configuration, you can define settings directly from the Windows registry or global macOS plist. Examples of settings that you can deploy include specifying the portal IP address or enabling GlobalProtect to initiate a VPN tunnel before a user logs in to the endpoint and connects to the GlobalProtect portal. On Windows endpoints only, you can also configure settings using the MSIEXEC installer. For additional information, see Customizable App Settings.
- (Optional) Enable use of the GlobalProtect mobile
app.Purchase and install a GlobalProtect subscription (DeviceLicenses) to enable use of the app.
- Save the GlobalProtect configuration.Click Commit.
Remote Access VPN (Certificate Profile)
Remote Access VPN (Certificate Profile) With certificate authentication, the user must present a valid client certificate that identifies them to the GlobalProtect portal or gateway. ...
Remote Access VPN with Pre-Logon
Remote Access VPN with Pre-Logon Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is ...
Remote Access VPN (Authentication Profile)
Remote Access VPN (Authentication Profile) In the GlobalProtect VPN for Remote Access , the GlobalProtect portal and gateway are configured on ethernet1/2 , so this ...
Two-Factor Authentication With two-factor authentication, the portal or gateway authenticates users through two mechanisms, such as a one-time password and Active Directory (AD) login credentials. ...
Enable Two-Factor Authentication Using Certificate and Auth...
Enable Two-Factor Authentication Using Certificate and Authentication Profiles The following workflow describes how to configure GlobalProtect to require users to authenticate to both a certificate ...
Deploy Machine Certificates for Authentication
Deploy Machine Certificates for Authentication To confirm that the endpoint belongs to your organization, use your own public-key infrastructure (PKI) to issue and distribute machine ...
GlobalProtect Portals Authentication Configuration Tab
GlobalProtect Portals Authentication Configuration Tab Network GlobalProtect Portals Authentication Select the Authentication tab to configure the various GlobalProtect™ portal settings: An SSL/TLS service profile that ...
Client Certificate Authentication
Client Certificate Authentication For enhanced security, you can configure the portal or gateway to use a client certificate to obtain the username and authenticate the ...
Enable Two-Factor Authentication Using Smart Cards
Enable Two-Factor Authentication Using Smart Cards If you want to enable your end users to authenticate using a smart card or common access card (CAC), ...