How to integrate Palo Alto Global Protect with Authlogics Multi-factor Authentication

Palo Alto Networks firewalls are RADIUS-aware and can authenticate users against a RADIUS server. This article describes how to configure Palo Alto Global Protect to authenticate against Authlogics Multi-Factor Authentication (MFA) servers over RADIUS.

Prerequisites

Ensure that the Authlogics Authentication Server has been configured and that users have been provisioned and have successfully tested an Authlogics MFA technology. When an Authlogics Authentication Server is deployed, it is automatically configured as a RADIUS server.

Ensure that firewall rules allow RADIUS authentication traffic (UDP port 1812, or the legacy port 1645) from the Palo Alto firewall to the Authlogics MFA server(s). The firewall sources RADIUS requests from its management interface unless a RADIUS service route has been configured (Device - Setup - Services - Service Route Configuration), so that is the address to allow here and to register as the RADIUS client below.


Configure NPS Client on Authlogics MFA Server for Palo Alto Global Protect Server

On the Authlogics MFA Server:

1. Open the Network Policy Server management console (nps.msc)

mceclip0.png

2. Create a new RADIUS client (RADIUS Clients and Servers - RADIUS Clients - New)

  • Provide a Friendly name
  • Enter the IP address or DNS name the Palo Alto Global Protect firewall sends its RADIUS requests from (see the prerequisites)
  • Specify a long, random Shared Secret (NPS can generate one); the same value must be entered in the Palo Alto RADIUS Server Profile later

mceclip1.png

mceclip2.png


Configure Authlogics RADIUS Global Settings

1. Open the Authlogics Management Console

2. Access the RADIUS tab (Authlogics Global Properties - RADIUS)

3. Specify the RADIUS Options

  • Enable/Disable Require AD password before MFA (via Access-Challenge)
  • Enable/Disable deviceless logons via RADIUS
  • Specify RADIUS Extensions
    • NB: When Require AD password before MFA is enabled, the server answers a valid AD password with an Access-Challenge. Ensure that Enable RADIUS extensions is enabled and that the Reply-Message (18) for Access-Challenge contains the text the user should see when prompted for the MFA code.
  • Enable/Disable RADIUS User group filtering

mceclip0.png


Configure Palo Alto Global Protect Server

1. Log in to the Palo Alto web interface

2. Create a new RADIUS Server Profile (Device - Server Profiles - RADIUS - Add)

mceclip3.png

3. Specify the Authlogics Server details in the Profile

  • Set a friendly Profile Name
  • Define a Timeout and Retry count long enough for the MFA method in use to complete
  • Set Authentication Protocol to PAP. PAP is required because the Authlogics server must receive the submitted one-time code in clear text to validate it. On the wire the password is only obscured with the MD5-based hiding defined in RFC 2865, keyed by the shared secret, so use a strong secret and restrict the RADIUS path with the firewall rules from the prerequisites.
  • Add the Authlogics MFA Server IP address/DNS name and set the Shared Secret to match the secret entered in the NPS RADIUS client (see above).

mceclip4.png

mceclip5.png

4. Create a new Authentication Profile (Device - Authentication Profile - Add)

mceclip7.png

5. Specify the Profile details

On the Authentication tab

  • Set a friendly Profile Name
  • Set Type to RADIUS
  • Set Server Profile to the Palo Alto RADIUS profile created above

mceclip9.png

On the Advanced tab

  • Add the Allow List of users or user groups permitted to use the Authentication Profile (select all to defer group checks to Authlogics RADIUS User group filtering, if that is enabled)

mceclip11.png


6. Commit the changes

mceclip13.png


Test the Authentication Profile

To test the newly created Authentication Profile, log in to the Palo Alto firewall CLI and run the following command (it prompts for the password):

test authentication authentication-profile {RADIUS Profile name} username {username} password

mceclip14.png

When valid credentials are provided, the command returns Authentication succeeded for user {username}


Authlogics supports the standard RADIUS Access-Challenge (challenge response) reply, which it returns when the user provides a valid Active Directory password and Require AD password before MFA is enabled. In that configuration the CLI command returns Got challenge response rather than Authentication succeeded, because the test command stops at the challenge; confirm the full two-step logon with a Global Protect client login.

mceclip15.png
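The exchange behind the two test results above, as an added example that is not Authlogics or Palo Alto code: a minimal RFC 2865 model in which the Global Protect gateway (RADIUS client) sends a PAP Access-Request, a toy stand-in for the Authlogics server answers a valid AD password with Access-Challenge (State plus Reply-Message 18), and the gateway answers the challenge with the one-time code. The shared secret, user, password and OTP are constructed values. It shows why PAP is needed (the server recovers the submitted code with pap_reveal), why the secret must match on both sides (a wrong secret makes the reply's Response Authenticator fail), and what "Got challenge response" corresponds to on the wire.

```python
"""Offline model of the RADIUS PAP + Access-Challenge exchange described on this page.
Constructed example, not Authlogics or Palo Alto code. Packet layout per RFC 2865."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def pap_hide(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of pap_hide: only a holder of the shared secret recovers the password.
    Trailing NUL padding is stripped, so passwords ending in NUL bytes are not supported here."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) then Type/Length/Value attributes."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    auth, attrs, i = pkt[4:20], [], 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2:  # malformed attribute; stop rather than loop forever
            break
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, auth, attrs


def response_authenticator(code, ident, attrs, req_auth, secret) -> bytes:
    """RFC 2865 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret); proves the reply came
    from a server that knows the shared secret and binds it to this request."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


class MfaRadiusServer:
    """Toy stand-in for the Authlogics server with 'Require AD password before MFA' enabled."""

    def __init__(self, secret: bytes, ad_password: bytes, otp: bytes):
        self.secret, self.ad_password, self.otp = secret, ad_password, otp
        self.pending = {}  # State value -> username awaiting its second factor

    def reply(self, code, ident, req_auth, attrs) -> bytes:
        return encode(code, ident, response_authenticator(code, ident, attrs, req_auth, self.secret), attrs)

    def handle(self, pkt: bytes) -> bytes:
        code, ident, req_auth, attrs = decode(pkt)
        a = {t: v for t, v in attrs}  # one value per type is enough for this model
        user = a.get(USER_NAME, b"")
        pw = pap_reveal(a[USER_PASSWORD], self.secret, req_auth)  # PAP: server sees the clear value
        if STATE not in a:  # first leg: Active Directory password
            if pw != self.ad_password:
                return self.reply(ACCESS_REJECT, ident, req_auth, [(REPLY_MESSAGE, b"Invalid credentials")])
            state = os.urandom(8)
            self.pending[state] = user
            return self.reply(ACCESS_CHALLENGE, ident, req_auth,
                              [(STATE, state), (REPLY_MESSAGE, b"Enter your MFA code")])
        if self.pending.pop(a[STATE], None) == user and pw == self.otp:  # second leg: one-time code
            return self.reply(ACCESS_ACCEPT, ident, req_auth, [])
        return self.reply(ACCESS_REJECT, ident, req_auth, [(REPLY_MESSAGE, b"MFA failed")])


def gateway_login(server, secret, username, ad_password, otp_prompt):
    """Act as the Global Protect gateway: PAP Access-Request, then answer one Access-Challenge.
    Returns (outcome, reply_messages); outcome is 'accept', 'reject' or 'bad-authenticator'."""
    ident, password, extra, messages = 1, ad_password, [], []
    for _ in range(2):
        req_auth = os.urandom(16)
        attrs = [(USER_NAME, username), (USER_PASSWORD, pap_hide(password, secret, req_auth))] + extra
        code, rid, rauth, rattrs = decode(server.handle(encode(ACCESS_REQUEST, ident, req_auth, attrs)))
        if rid != ident or rauth != response_authenticator(code, rid, rattrs, req_auth, secret):
            return "bad-authenticator", messages  # mismatched shared secret or forged reply
        messages += [v.decode() for t, v in rattrs if t == REPLY_MESSAGE]
        if code == ACCESS_CHALLENGE:  # what the PAN-OS test command reports as "Got challenge response"
            state = next(v for t, v in rattrs if t == STATE)
            password = otp_prompt(messages[-1] if messages else "")
            extra, ident = [(STATE, state)], ident + 1  # echo State so the server links both legs
            continue
        return ("accept" if code == ACCESS_ACCEPT else "reject"), messages
    return "reject", messages


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret-change-me"  # constructed; never reuse in production
    srv = MfaRadiusServer(SECRET, ad_password=b"Winter2024!", otp=b"482913")
    print(gateway_login(srv, SECRET, b"alice", b"Winter2024!", lambda prompt: b"482913"))
    print(gateway_login(srv, SECRET, b"alice", b"Winter2024!", lambda prompt: b"000000"))
    print(gateway_login(srv, b"wrong-secret", b"alice", b"Winter2024!", lambda prompt: b"482913"))
```

The third call models a shared-secret mismatch between the NPS client entry and the Palo Alto RADIUS Server Profile: the server cannot recover the password and rejects, and the gateway cannot verify the reply, so the failure surfaces as a bad authenticator rather than a clean reject. Note also that the only thing hiding the PAP password on the wire is the secret-keyed MD5 mask, which is why the secret should be long and random and the RADIUS path limited to the firewall's source address.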
