Palo Alto Global Protect is a RADIUS-aware solution that can be configured to authenticate users via RADIUS. This article describes how to configure Palo Alto Global Protect to integrate with Authlogics Multi-Factor Authentication (MFA) servers over RADIUS.
Prerequisites
Ensure that the Authlogics Authentication Server has been configured and that users have been provisioned and tested for use of an Authlogics MFA technology. When an Authlogics Authentication Server is deployed, it is automatically configured as a RADIUS Server.
Ensure that firewall rules allow the RADIUS authentication protocol (UDP port 1812, or the legacy port 1645) from the Palo Alto Global Protect server to the Authlogics MFA server(s). Note that a Palo Alto firewall sources RADIUS traffic from its management interface unless a service route for RADIUS has been configured; the firewall rule and the NPS client registration below must use that source address.
Configure NPS Client on Authlogics MFA Server for Palo Alto Global Protect Server
On the Authlogics MFA Server:
1. Open the Network Policy Server (NPS) management console
2. Create a new RADIUS client
- Provide a Friendly name
- Enter the IP address or DNS name of the Palo Alto Global Protect server (the address the firewall sources RADIUS traffic from, see the prerequisites above). Register only that address rather than a range, so that no other host can present requests as the firewall.
- Specify a Shared Secret. Use a long, random value: it is the only key that hides the PAP password in transit and authenticates replies. Record it for the Palo Alto RADIUS Server Profile below.
Configure Authlogics RADIUS Global Settings
1. Open the Authlogics Management Console
2. Access the RADIUS tab (Authlogics Global Properties - RADIUS)
3. Specify the RADIUS Options
- Enable/Disable Require AD password before MFA (via Access-Challenge)
- Enable/Disable deviceless logons via RADIUS
- Specify RADIUS Extensions
- NB: When Require AD password before MFA is enabled, also enable RADIUS extensions and ensure that the Reply-Message (18) attribute for the Access-Challenge contains the prompt you want the user to see when the second factor is requested.
- Enable/Disable RADIUS User group filtering
Configure Palo Alto Global Protect Server
1. Login to the Palo Alto Management Console
2. Create a new RADIUS Server Profile (Server Profiles - RADIUS - Add)
3. Specify the Authlogics Server details in the Profile
- Set a friendly Profile Name
- Define a Timeout and Retry count
- Set Authentication Protocol to PAP. PAP is required so that the password and one-time code reach the MFA server in a form it can validate. PAP only hides the User-Password attribute with an MD5 keystream derived from the shared secret (RFC 2865), so the secret must be long and random and the network path between the firewall and the MFA server trusted.
- Add the Authlogics MFA Server IP address or DNS name and set the Shared Secret to match the secret entered in the NPS client (see above). A mismatched secret does not produce an error message: the firewall discards any reply whose Response Authenticator does not verify, so the test below simply times out.
4. Create a new Authentication Profile (Authentication Profile - Add)
5. Specify the Profile details
On Authentication Tab
- Set a friendly Profile Name
- Set Type to RADIUS
- Set Server Profile to the Palo Alto RADIUS profile created above
On Advanced Tab
- Add the Allow list for user groups allowed to use the Authentication Profile
6. Commit the changes
Test the Authentication Profile
To test the newly created Authentication Profile, log in to the Palo Alto CLI and run the following command (it prompts for the password):
test authentication authentication-profile {RADIUS Profile name} username {username} password
When valid credentials are provided, the command returns "Authentication succeeded for user {username}".
Authlogics supports the standard RADIUS Access-Challenge (challenge/response) reply, which it returns when Require AD password before MFA is enabled and the user supplies a valid Active Directory password. In that case the command returns "Got challenge response" rather than an immediate success. If the command times out instead, check the firewall rule, the NPS client address and the shared secret: a reply whose Response Authenticator does not verify under the configured secret is discarded by the firewall rather than reported as an error.
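As an added example, not code from Authlogics or Palo Alto Networks, the following Python reproduces the RADIUS exchange behind both the Require AD password before MFA setting and the CLI test above: an Access-Request carrying the AD password, an Access-Challenge carrying State and Reply-Message (18), a second Access-Request carrying the one-time code and the echoed State, and finally Access-Accept or Access-Reject. It also performs the Response Authenticator check a RADIUS client makes before trusting a reply, which is what turns a shared-secret mismatch into a silent timeout, and the PAP password hiding from RFC 2865. The stand-in server, user names, passwords, one-time codes, prompt text and NAS-Identifier value are constructed for the demo and are assumptions, not Authlogics behaviour.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE, NAS_IDENTIFIER = 1, 2, 18, 24, 32  # attribute types

def pap_xor(data, secret, request_auth, hide):
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous cipher
    block), seeded by the Request Authenticator. Obfuscation keyed by the shared secret, not
    encryption: keep the secret long and random and the path to the MFA server trusted."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out

def pap_hide(password, secret, request_auth):
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    return pap_xor(password + b"\x00" * (-len(password) % 16), secret, request_auth, True)

def pap_reveal(hidden, secret, request_auth):
    return pap_xor(hidden, secret, request_auth, False).rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_request(ident, request_auth, username, password, secret, state=None):
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, pap_hide(password.encode(), secret, request_auth)),
             (NAS_IDENTIFIER, b"gp-gateway")]  # NAS-Identifier value is an assumption for the demo
    if state is not None:
        attrs.append((STATE, state))  # echo State so the server can tie the OTP leg to the first
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def build_reply(code, ident, request_auth, secret, attrs):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def parse_reply(packet, ident, request_auth, secret):
    """The check a RADIUS client (here, the firewall) makes before trusting a reply. A reply that
    fails it is dropped, which is why a wrong shared secret shows as a timeout, not a rejection."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or not 20 <= length <= len(packet):
        raise ValueError("identifier/length mismatch")
    packet = packet[:length]  # octets beyond Length are padding
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or tampered reply")
    return code, decode_attrs(packet[20:])

def stand_in_server(secret, ad_passwords, otps):
    """Constructed stand-in, not Authlogics code: a valid AD password earns an Access-Challenge."""
    pending = {}
    def handle(packet):
        ident, request_auth, attrs = packet[1], packet[4:20], dict(decode_attrs(packet[20:]))
        user = attrs[USER_NAME].decode()
        presented = pap_reveal(attrs[USER_PASSWORD], secret, request_auth).decode(errors="replace")
        if STATE in attrs:  # second leg: the one-time code; State is single use
            ok = pending.pop(attrs[STATE], None) == user and otps.get(user) == presented
            return build_reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret, [])
        if ad_passwords.get(user) != presented:
            return build_reply(ACCESS_REJECT, ident, request_auth, secret, [])
        state = os.urandom(8)
        pending[state] = user
        return build_reply(ACCESS_CHALLENGE, ident, request_auth, secret,
                           [(STATE, state), (REPLY_MESSAGE, b"Enter your one-time passcode")])
    return handle

def authenticate(send, username, ad_password, otp, secret):
    """Client side; `send` is any callable bytes -> bytes. Returns (final code, challenge prompt)."""
    ident, request_auth = 1, os.urandom(16)
    code, attrs = parse_reply(send(build_request(ident, request_auth, username, ad_password, secret)),
                              ident, request_auth, secret)
    if code != ACCESS_CHALLENGE:
        return code, None  # immediate Accept when the AD-first challenge is off, or Reject
    attrs = dict(attrs)
    ident, request_auth = 2, os.urandom(16)  # fresh Identifier and Authenticator per request
    code, _ = parse_reply(send(build_request(ident, request_auth, username, otp, secret, attrs[STATE])),
                          ident, request_auth, secret)
    return code, attrs.get(REPLY_MESSAGE, b"").decode(errors="replace")
```

To run the same exchange against a real Authlogics server, pass a `send` function that writes the packet to a UDP socket on port 1812 and waits for one datagram with a timeout; the host running it must itself be registered as an NPS client, and the user must be provisioned in Authlogics. A timeout or a `ValueError` from `parse_reply` then points at the same three things the CLI test does: the firewall rule, the registered client address, and the shared secret.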