Wednesday, December 7, 2016

Palo Alto Networks - Google Authenticator and OpenOTP

I have been asked about how multi-factor authentication (MFA) with with Palo Alto Networks and GlobalProtect, so I thought I would put this tutorial together. GlobalProtect leverages VPN technology to safely enable applications, users, and content for remotely connected devices. Leveraging MFA for remote access provides an added authentication mechanism so that a user not only has know their password, but also possess a one time password or token. There are multiple MFA solutions out there, but for testing purposes I thought I would show how to use Google Authenticator and OpenOTP.

Install the OTP Server:
  1. Download the appropriate virtual appliance from: https://www.rcdevs.com/downloads/VMWare+Appliances/. In my case, I am going to run the VM in VMware Player, so I downloaded the OVF. The user credentials for the VM by default are as follows:
    1. SSH/console: root / password
    2. Web: admin / password
  2. Upon boot up, enter the following information (mydomain.com should be replaced with your actual domain):
    1. Enter an FQDN of “otp.mydomain.com”
    2. Enter an ORG name of "mydomain.com"
    3. Enter "Y"
    4. Enter "Y"
    5. Enter "Y"
    6. Press any key to continue
    7. Press any key to finish
  3. Log into the server via console and use "ifconfig" to locate or set the IP address.
  4. Update /opt/webadm/conf/servers.xml with the details of your AD server.
    1. ldap server name="servername"
    2. host="ipaddress"
  5. Save and quit
  6. Update /opt/webadm/conf/webadm.conf with administrator account info for your AD server (you could always create a service account in AD for this function).
    1. proxy_user "cn=Administrator,cn=Users,dc=mydomain,dc=com"
    2. proxy_password "mypassword"
  7. Comment out the following lines and add the following below it:
    1. #super_admins "cn=admin,o=root", \
    2. #                       "cn=super_admins,dc=WebADM"
    3. super_admins "cn=Administrator,cn=Users,dc=mydomain,dc=com
  8. In the "adminroles_container" section of the file comment the lines out as follows:
    1. # Find below the LDAP containers required by WebADM.
    2. # Change the container's DN to fit your ldap tree base.
    3. # WebADM AdminRoles container
    4. # adminroles_container "dc=AdminRoles,dc=WebADM"
    5. # WebADM Optionsets container
    6. # optionsets_container  "dc=OptionSets,dc=WebADM"
    7. # WebApp configurations container
    8. # webapps_container "dc=WebApps,dc=WebADM"
    9. # WebSrv configurations container
    10. # websrvs_container "dc=WebSrvs,dc=WebADM"
    11. # Mount points container
    12. # mountpoints_container "dc=MountPoints,dc=WebADM"
    13. # Domain and Trusts container
    14. # domains_container "dc=Domains,dc=WebADM"
    15. # Clients container
    16. # clients_container "dc=Clients,dc=WebADM"
  9. In the "MS AD Settings" section of the file, make the following changes:
    1. # With MS Active Directory use the following settings instead of the previous ones
    2. # Note: Replace dc=mydomain,dc=com with your AD domain DN
    3. adminroles_container  "cn=AdminRoles,cn=WebADM,dc=mydomain,dc=com"
    4. optionsets_container  "cn=OptionSets,cn=WebADM,dc=mydomain,dc=com"
    5. webapps_container "cn=WebApps,cn=WebADM,dc=mydomain,dc=com"
    6. websrvs_container "cn=WebSrvs,cn=WebADM,dc=mydomain,dc=com"
    7. mountpoints_container "cn=Mountpoints,cn=WebADM,dc=mydomain,dc=com"
    8. domains_container "cn=Domains,cn=WebADM,dc=mydomain,dc=com"
    9. clients_container "cn=Clients,cn=WebADM,dc=mydomain,dc=com"
  10. Update the time zone, where applicable
  11. Save a quit
  12. Restart the server ("reboot")
  13. Login via the browser ("https://<ipaddress>")
    1. User / DN: cn=Administrator,cn=Users,dc=mydomain,dc=com
    2. Password: mypassword
  14. Select "Setup LDAP Schema"
  15. Select "Extend Schema"
  16. Select "OK"
  17. Scroll down and select "Create Default Containers and Objects"
  18. Select "OK"
  19. Logout and then login again using your AD account
    1. Administrator
    2. mypassword
  20. Select the "Admin" tab
  21. Select "Local Domains"
  22. Select the CN=Default hyperlink
  23. Change the object name from default to "mydomain"
  24. Select "Rename"
  25. Select the "Applications" tab
  26. Under "Web Services -> MFA Authentication Server" select "Register"
  27. Select a user account on the left-hand side
  28. Select "Activate"
  29. Select "Extend Object"
  30. Under "Application Actions" select "MFA Authentication Server"
  31. Select "Register / Unregister OTP Tokens"
  32. Select "I use a QRCode-based Authenticator (Event-based)" and wait for the screen to refresh and display a QR Code.
  33. Download a QR reader and Google Authenticator to your mobile device.
  34. Use the QR reader to scan the QR code on the screen.
  35. After the QR code has been scanned successfully, click "Register"
  36. Select "OK"
  37. Navigate to the "Applications" tab and select "Configure" under "Web Services -> MFA Authentication Server"
  38. Scroll down and select "Apply"

Test the OTP User:
  1.  Select the same user on the left-hand side that you previously assigned a token
  2.  Under "Application Actions" select "MFA Authentication Server"
  3.  Select "Test User Login"
  4.  Enter your AD password under "LDAP Password" and select "Start"
  5.  Launch Google Authenticator and refresh the token
  6.  Enter the token in the "OTP Password" field
  7.  Select "Continue"
  8.  Click "OK" once successful
    1.  If you are unsuccessful, go back and review the configuration steps above

Configure GlobalProtect to Use MFA:

*** The steps below assume that you already have a working GlobalProtect Configuration that leverages an LDAP profile for user authentication. If you are just getting started with GlobalProtect, see this post. ***
  1.  In the firewall, navigate to "Device -> Server Profiles -> RADIUS" and select "Add"
    1.  Name - OTP
    2.  Under Server
      1.  Click Add
      2.  Name - OTP-Server
      3.  Authentication Protocol - PAP
      4.  RADIUS Server - "IP Address of your OTP server"
      5.  Secret - testing123
      6.  Confirm secret - testing123
      7.  Port - 1812
    3. Select "OK"
  2. Navigate to "Device -> Authentication profile" and select "Add"
    1.  Name - OTP
    2.  Under the "Authentication" tab
      1.  Type - RADIUS
      2.  Server Profile - OTP
      3.  User Domain - "mydomain"
    3.  Under Advanced Tab
      1.  Select "Add"
      2.  Include All
      3.  Select "OK"
  3.  Navigate to "Network -> GlobalProtect -> Gateways" and edit your gateway
    1. Make sure your OTP Authentication profile is selected and not your LDAP profile
    2. Select "OK"
  4.  Commit 
Test MFA from the Palo Alto Networks CLI
  1.  Enter "test authentication authentication-profile OTP username <username> password" from operational mode
  2. You should see the following output:
    1. "Got challenge response, which is regarded as failed auth since "test auth ..." CLI command does not support it. User "<username>" is replied with msg "Enter your TOKEN password"
Test MFA from the user's smart phone with Google Authenticator
  1.  Open Google Authenticator and generate a pin
  2.  Open GlobalProtect, enter your username and password, and select "Connect"
  3.  You will then be prompted to enter your pin and will be connected

2 comments:

  1. I really appreciate information shared above. It’s of great help. If someone want to learn Online (Virtual) instructor lead live training in Palo Alto
    , kindly contact us http://www.maxmunus.com/contact
    MaxMunus Offer World Class Virtual Instructor led training on in Palo Alto We have industry expert trainer. We provide Training Material and Software Support. MaxMunus has successfully conducted 100000+ trainings in India, USA, UK, Australlia, Switzerland, Qatar, Saudi Arabia, Bangladesh, Bahrain and UAE etc.
    For Demo Contact us:
    Name : Arunkumar U
    Email : arun@maxmunus.com
    Skype id: training_maxmunus
    Contact No.-+91-9738507310
    Company Website –http://www.maxmunus.com


    ReplyDelete
  2. I really appreciated above information, very useful.
    Just one comment, In order to get challenge OTP Token I had to increase Radius timeout from 3secs to 10 secs otherwise I had auth failures

    ReplyDelete