Install the OTP Server:
- Download the appropriate virtual appliance from: https://www.rcdevs.com/downloads/VMWare+Appliances/. In my case, I am going to run the VM in VMware Player, so I downloaded the OVF. The user credentials for the VM by default are as follows:
- SSH/console: root / password
- Web: admin / password
- Upon boot up, enter the following information (mydomain.com should be replaced with your actual domain):
- Enter an FQDN of “otp.mydomain.com”
- Enter an ORG name of "mydomain.com"
- Enter "Y"
- Enter "Y"
- Enter "Y"
- Press any key to continue
- Press any key to finish
- Log into the server via console and use "ifconfig" to locate or set the IP address.
- Update /opt/webadm/conf/servers.xml with the details of your AD server.
- ldap server name="servername"
- host="ipaddress"
- Save and quit
- Update /opt/webadm/conf/webadm.conf with administrator account info for your AD server (you could always create a service account in AD for this function).
- proxy_user "cn=Administrator,cn=Users,dc=mydomain,dc=com"
- proxy_password "mypassword"
- Comment out the following lines and add the following below it:
- #super_admins "cn=admin,o=root", \
- # "cn=super_admins,dc=WebADM"
- super_admins "cn=Administrator,cn=Users,dc=mydomain,dc=com
- In the "adminroles_container" section of the file comment the lines out as follows:
- # Find below the LDAP containers required by WebADM.
- # Change the container's DN to fit your ldap tree base.
- # WebADM AdminRoles container
- # adminroles_container "dc=AdminRoles,dc=WebADM"
- # WebADM Optionsets container
- # optionsets_container "dc=OptionSets,dc=WebADM"
- # WebApp configurations container
- # webapps_container "dc=WebApps,dc=WebADM"
- # WebSrv configurations container
- # websrvs_container "dc=WebSrvs,dc=WebADM"
- # Mount points container
- # mountpoints_container "dc=MountPoints,dc=WebADM"
- # Domain and Trusts container
- # domains_container "dc=Domains,dc=WebADM"
- # Clients container
- # clients_container "dc=Clients,dc=WebADM"
- In the "MS AD Settings" section of the file, make the following changes:
- # With MS Active Directory use the following settings instead of the previous ones
- # Note: Replace dc=mydomain,dc=com with your AD domain DN
- adminroles_container "cn=AdminRoles,cn=WebADM,dc=mydomain,dc=com"
- optionsets_container "cn=OptionSets,cn=WebADM,dc=mydomain,dc=com"
- webapps_container "cn=WebApps,cn=WebADM,dc=mydomain,dc=com"
- websrvs_container "cn=WebSrvs,cn=WebADM,dc=mydomain,dc=com"
- mountpoints_container "cn=Mountpoints,cn=WebADM,dc=mydomain,dc=com"
- domains_container "cn=Domains,cn=WebADM,dc=mydomain,dc=com"
- clients_container "cn=Clients,cn=WebADM,dc=mydomain,dc=com"
- Update the time zone, where applicable
- Save a quit
- Restart the server ("reboot")
- Login via the browser ("https://<ipaddress>")
- User / DN: cn=Administrator,cn=Users,dc=mydomain,dc=com
- Password: mypassword
- Select "Setup LDAP Schema"
- Select "Extend Schema"
- Select "OK"
- Scroll down and select "Create Default Containers and Objects"
- Select "OK"
- Logout and then login again using your AD account
- Administrator
- mypassword
- Select the "Admin" tab
- Select "Local Domains"
- Select the CN=Default hyperlink
- Change the object name from default to "mydomain"
- Select "Rename"
- Select the "Applications" tab
- Under "Web Services -> MFA Authentication Server" select "Register"
- Select a user account on the left-hand side
- Select "Activate"
- Select "Extend Object"
- Under "Application Actions" select "MFA Authentication Server"
- Select "Register / Unregister OTP Tokens"
- Select "I use a QRCode-based Authenticator (Event-based)" and wait for the screen to refresh and display a QR Code.
- Download a QR reader and Google Authenticator to your mobile device.
- Use the QR reader to scan the QR code on the screen.
- After the QR code has been scanned successfully, click "Register"
- Select "OK"
- Navigate to the "Applications" tab and select "Configure" under "Web Services -> MFA Authentication Server"
- Scroll down and select "Apply"
Test the OTP User:
- Select the same user on the left-hand side that you previously assigned a token
- Under "Application Actions" select "MFA Authentication Server"
- Select "Test User Login"
- Enter your AD password under "LDAP Password" and select "Start"
- Launch Google Authenticator and refresh the token
- Enter the token in the "OTP Password" field
- Select "Continue"
- Click "OK" once successful
- If you are unsuccessful, go back and review the configuration steps above
Configure GlobalProtect to Use MFA:
*** The steps below assume that you already have a working GlobalProtect Configuration that leverages an LDAP profile for user authentication. If you are just getting started with GlobalProtect, see this post. ***
*** The steps below assume that you already have a working GlobalProtect Configuration that leverages an LDAP profile for user authentication. If you are just getting started with GlobalProtect, see this post. ***
- In the firewall, navigate to "Device -> Server Profiles -> RADIUS" and select "Add"
- Name - OTP
- Under Server
- Click Add
- Name - OTP-Server
- Authentication Protocol - PAP
- RADIUS Server - "IP Address of your OTP server"
- Secret - testing123
- Confirm secret - testing123
- Port - 1812
- Select "OK"
- Navigate to "Device -> Authentication profile" and select "Add"
- Name - OTP
- Under the "Authentication" tab
- Type - RADIUS
- Server Profile - OTP
- User Domain - "mydomain"
- Under Advanced Tab
- Select "Add"
- Include All
- Select "OK"
- Navigate to "Network -> GlobalProtect -> Gateways" and edit your gateway
- Make sure your OTP Authentication profile is selected and not your LDAP profile
- Select "OK"
- Commit
Test MFA from the Palo Alto Networks CLI
- Enter "test authentication authentication-profile OTP username <username> password" from operational mode
- You should see the following output:
- "Got challenge response, which is regarded as failed auth since "test auth ..." CLI command does not support it. User "<username>" is replied with msg "Enter your TOKEN password"
Test MFA from the user's smart phone with Google Authenticator
- Open Google Authenticator and generate a pin
- Open GlobalProtect, enter your username and password, and select "Connect"
- You will then be prompted to enter your pin and will be connected