Yuri_Malkov
Explorer

Best Way to Switch From an Existing MFA to Another

Hi there,

We currently have MFA on our Mobile Access VPN and we have a SmartEndPoint for package management. We need to change the MFA solution we use for another and make this switch as transparently for the user as possible.

Another post on this forum talked about the "Multiple Authentication" feature in the "Mobile Access" settings, which displays both authentication servers to the VPN user. The customer then must select which one to use: this is not an option, as the switch from one MFA to another needs to be made transparently for the users.

1. Is there a way to authenticate some users against one MFA and some others against another one? On Palo this is easily done using the Authentication Profile Allow List feature, so there must be the same here, I guess.

2. If not, is there any way to create two different URLs for Mobile VPN (on the same firewall), each one running a different MFA? I.e.: vpn1.url.com using the former MFA and vpn2.url.com using the new MFA?

3. During our tests of the new MFA solution, we locked the engineer's account on the former MFA. Is there a reason it was locked on the former MFA solution? Are several MFA RADIUS servers actually supported on the same SMS? I understand the MFA RADIUS configuration needs an "External User Profile": only one "generic" profile can be created, and it is currently set to the former MFA solution. Does it have something to do with the fact that the account was locked?

Thank you for your answers.

1 Reply
PhoneBoy
Admin

Pretty sure the only way to do this is to locally define the relevant users and define it to use the other authentication server there.

The only way to get two different URLs for MAB on the same gateway would be to use VSX.
Not sure you could get different generic profiles without also using Multi-Domain.
