Hardware reference guide
GlobalProtect Administrator’s Guide 25
Set Up the GlobalProtect Infrastructure Set Up GlobalProtect User Authentication
Enable Two-Factor Authentication Using One-Time Passwords (OTPs)
On the firewall, the process for setting up access to a two-factor authentication service is similar to setting up
any other type of authentication: create a server profile (usually to a RADIUS server), add the server profile to
an authentication profile, and then reference that authentication profile in the configuration for the device that
will be enforcing the authentication—in this case, the GlobalProtect portal and/or gateway.
By default, the agent supplies the same credentials it used to log in to the portal when it connects to the gateway. With OTP authentication this initial gateway login fails, because a one-time password is accepted only once and the portal login has already consumed it; the user is then prompted again, and the delay introduced by the failed attempt may let the user's next OTP expire as well. To prevent this, the portal lets you change this behavior on a per-client-configuration basis: either allow the agent to authenticate to the portal with an encrypted cookie (so the OTP is consumed only by the gateway), or prevent the agent from reusing the portal credentials on the gateway. Both options solve the problem by letting the gateway prompt immediately for the appropriate credentials.
Step 3 Create a client certificate profile.
Note If you are setting up the portal and/or gateway for two-factor authentication and the client certificate contains a username field, the username value from the certificate is used as the username when authenticating the user to your external authentication service. This binds the OTP login to the certificate holder, so the user who is logging in is actually the user to whom the certificate was issued.
1. Select Device > Certificates > Certificate Management > Certificate Profile, click Add, and enter a profile Name.
2. Select a value for the Username Field:
• If you are deploying the client certificate from the portal, leave this field set to None.
• If you are setting up a certificate profile for use with pre-logon, leave the field set to None. (In both of these cases the certificate identifies the machine rather than a user, so the username must come from the user's own login.)
• If you are using the client certificate to authenticate individual users (including smart card users), select the certificate field that contains the user's identity information (the Subject common name, or a Subject Alt Name such as the email or principal name).
3. In the CA Certificates field, click Add, select the Trusted Root CA certificate you just imported, and then click OK.
Step 4 (Optional) Issue client certificates to GlobalProtect users/machines.
1. Use your enterprise PKI or a public CA to issue a unique client certificate to each GlobalProtect user.
2. Install the certificates in the personal certificate store on the client systems.
Step 5 Save the GlobalProtect configuration. Click Commit.
Enable OTP Support
Step 1 Set up your RADIUS server to interact with the firewall.
This procedure assumes that your RADIUS service is already configured for OTP or token-based authentication and that the necessary devices (such as hardware tokens) have been deployed to users.
For specific instructions, refer to the documentation for your RADIUS server. In most cases, you will need to set up an authentication agent and a client configuration on the RADIUS server to enable communication between the firewall and the RADIUS server. You will also define the shared secret, configured identically on the firewall and on the RADIUS server. The secret authenticates the RADIUS messages exchanged between them and hides the User-Password attribute that carries the OTP; it does not encrypt the session, so the firewall-to-RADIUS traffic should travel only over a trusted network path.
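As an added example (not Palo Alto Networks code, and not PAN-OS's own RADIUS implementation), the following Python builds the RADIUS Access-Request that a NAS such as the firewall would send for an OTP login and checks the reply, to show concretely what the shared secret does: it keys the hiding of the User-Password attribute (where the OTP travels) and the Response Authenticator that lets the firewall trust the Access-Accept, but it does not encrypt the exchange. The shared secret, the user name, the OTP and the NAS-Identifier value are assumptions made up for the example.

```python
"""Added example (not Palo Alto Networks code): a minimal RADIUS (RFC 2865)
Access-Request/Access-Accept exchange, showing what the shared secret between
the firewall and the RADIUS server does and does not protect."""
import hashlib
import hmac
import os
import struct

# Assumptions for the example, not values from the guide.
SHARED_SECRET = b"example-shared-secret"   # hypothetical shared secret
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR the null-padded password with an MD5(secret || prev)
    keystream, chained through each 16-byte block. This hides only the
    User-Password attribute; the rest of the packet is plaintext."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding; length covers the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, otp, secret, request_auth=None):
    """What the NAS (the firewall) sends; the OTP travels as the User-Password."""
    request_auth = request_auth or os.urandom(16)   # must be fresh per request
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(otp, secret, request_auth))
             + attribute(ATTR_NAS_IDENTIFIER, b"gp-gateway"))   # hypothetical NAS name
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def parse_access_request(packet, secret):
    """Server side: recover the username and (with the right secret) the OTP."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, fields, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_USER_NAME:
            fields["user"] = value
        elif attr_type == ATTR_USER_PASSWORD:
            fields["password"] = reveal_password(value, secret, request_auth)
        pos += attr_len
    return code, ident, request_auth, fields


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5 over the reply header, the request's authenticator, the
    reply attributes and the secret. This is what lets the NAS trust the reply."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, secret, attrs=b""):
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(response, request_auth, secret):
    """NAS side: return the reply code only if its authenticator was made with
    our secret and our request authenticator; forged, tampered or replayed
    replies (including Reject flipped to Accept) return None."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or length < 20:
        return None
    expected = response_authenticator(code, ident, response[20:], request_auth, secret)
    return code if hmac.compare_digest(response[4:20], expected) else None


if __name__ == "__main__":
    req = build_access_request(7, b"alice", b"123456", SHARED_SECRET)
    code, ident, ra, fields = parse_access_request(req, SHARED_SECRET)
    print("server with correct secret saw:", fields)
    print("server with wrong secret saw:", parse_access_request(req, b"wrong")[3])
    reply = build_response(ACCESS_ACCEPT, ident, ra, SHARED_SECRET)
    print("genuine accept verified:", verify_response(reply, ra, SHARED_SECRET) == ACCESS_ACCEPT)
    forged = build_response(ACCESS_ACCEPT, ident, ra, b"wrong")
    print("forged accept verified:", verify_response(forged, ra, SHARED_SECRET))
```

Note that the User-Name and NAS-Identifier attributes are sent in the clear, and MD5-based hiding is obfuscation rather than modern encryption; this is why the path between the firewall and the RADIUS server should be a trusted one regardless of how strong the shared secret is.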