Saturday, March 21, 2020

Palo Alto Networks - Duo Integration via RADIUS

Duo can be integrated with Palo Alto Networks in a variety of ways. In this post, we are going to be looking at RADIUS integration, specifically. This would allow administrators to add additional factors of authentication for mobile users connecting to specific GlobalProtect gateways, for example.

Note - This post assumes that you have an active Duo account, along with a domain controller running at least Windows Server 2012 R2 or later. There is a great Duo tutorial that covers this configuration, but I thought I would include the specific steps I followed in this post.

From the Duo interface:
  • Navigate to Users to add a user name that matches a user in Active Directory
    • Select Add Phone to add your mobile phone as a 2FA device
      • You should then be able to send an activation link to the device
  • Navigate to Applications -> Protect an Application -> search for Palo Alto SSL VPN -> Protect
From the Windows server:
  • Download the latest Duo Authentication Proxy from Duo and install it as a user with administrative rights
  • Navigate to C:\Program Files (x86)\Duo Security Authentication Proxy\conf and edit the authproxy file using Wordpad (Notepad is discouraged)
  • Delete all the contents of the file, and replace it with the following data:
[ad_client]
host=(enter the IP address of the server)
service_account_username=(enter the service account username)
service_account_password=(enter the service account password)
search_dn=DC=mydomain,DC=local
[radius_server_auto]
ikey=(enter the Integration Key found in the Palo Alto SSL VPN application in Duo)
skey=(enter the Secret Key found in the Palo Alto SSL VPN application in Duo)
api_host=(enter the API Hostname found in the Palo Alto SSL VPN application in Duo)
radius_ip_1=(enter the IP address of the trust interface of the firewall)
radius_secret_1=(enter a shared secret of your choice)
client=ad_client
port=1812
failmode=safe
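To catch the mistakes this file most often ships with (a "(enter ...)" placeholder left in place, a radius_ip_N without its radius_secret_N, a non-numeric port, and the fail-open failmode=safe), here is a small checker added for this post; it is not part of Duo's tooling, and the sample values it carries are made up.

```python
# Added example (not Duo's tooling): sanity-check an authproxy config shaped
# like the one in this post before starting the Duo Authentication Proxy.
import configparser
import re

PLACEHOLDER = re.compile(r"^\(enter .*\)$")  # "(enter ...)" text left unedited
REQUIRED = {"ad_client": ["host", "service_account_username",
                          "service_account_password", "search_dn"],
            "radius_server_auto": ["ikey", "skey", "api_host", "client",
                                   "port", "failmode"]}

# Constructed sample with made-up values; only the layout follows the post.
SAMPLE = ("[ad_client]\nhost=10.0.0.5\nservice_account_username=duo-svc\n"
          "service_account_password=example-only\nsearch_dn=DC=mydomain,DC=local\n"
          "[radius_server_auto]\nikey=DIXXXXXXXXXXXXXXXXXX\nskey=example-skey\n"
          "api_host=api-xxxxxxxx.duosecurity.com\nradius_ip_1=10.0.0.1\n"
          "radius_secret_1=example-shared-secret\nclient=ad_client\nport=1812\n"
          "failmode=safe\n")


def check_authproxy(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for section, keys in REQUIRED.items():
        if not cfg.has_section(section):
            findings.append(f"missing section [{section}]")
            continue
        findings += [f"[{section}] missing {k}" for k in keys
                     if not cfg.has_option(section, k)]
    if findings:  # structure is wrong; the value checks below need both sections
        return findings
    for section in cfg.sections():
        for key, value in cfg.items(section):
            if PLACEHOLDER.match(value):
                findings.append(f"[{section}] {key} still holds placeholder text")
    rs = cfg["radius_server_auto"]
    # Each radius_ip_N (a firewall interface) needs a matching radius_secret_N.
    for k in [k for k in rs if k.startswith("radius_ip_")]:
        if f"radius_secret_{k[10:]}" not in rs:
            findings.append(f"[radius_server_auto] {k} has no radius_secret_{k[10:]}")
    if not rs["port"].isdigit():
        findings.append("[radius_server_auto] port must be numeric")
    # failmode=safe fails open: if Duo is unreachable the AD password alone passes.
    if rs["failmode"] == "safe":
        findings.append("[radius_server_auto] failmode=safe fails open if Duo is unreachable")
    elif rs["failmode"] != "secure":
        findings.append("[radius_server_auto] failmode must be safe or secure")
    return findings
```

Run it against the real file with check_authproxy(open(path).read()); the failmode=safe finding is informational, since the post's config deliberately chooses fail-open.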
From the firewall interface:
  • Navigate to Device -> Server Profiles -> RADIUS -> Add
    • Enter a Profile Name
    • Set the Timeout (sec) to 60
    • Set the Authentication Protocol to PAP, which is what the Duo Authentication Proxy expects for this integration
    • Add a Server
      • Enter a Name
      • Enter a RADIUS Server
        • This should be the IP address of the AD server where the Authentication Proxy was installed
      • Enter the same Secret that was created in the authproxy file for radius_ip_1
    • Click OK
  • Navigate to Device -> Authentication Profile -> Add
    • Enter a Name
    • Set the Type to RADIUS
    • Set the Server Profile to the RADIUS profile that was previously created
    • Set the User Domain to your domain
    • Navigate to the Advanced tab and select the user group (where applicable)
    • Click OK
You can now test this by adding the Authentication Profile to an administrator or to a GlobalProtect configuration, like in this post.
