Palo Alto Radius Integration

Introduction

RADIUS is a protocol commonly used to authenticate, authorize and account for user access and actions. Acceptto offers a simple solution for adding multi-factor authentication (MFA) to Palo Alto VPN via its Radius solution. This manual illustrates how to configure both a Palo Alto device and an Acceptto appliance using RADIUS.

Pre-requisites
  1. An Acceptto Appliance connected to your user directory (for example Microsoft Active Directory).
  2. A user with administrative privileges for the Acceptto Appliance.
  3. The user population that will be authenticated via RADIUS must be enrolled in the It’sMe mobile application.
  4. A user with administrative privileges for the Palo Alto device.

Configure the Acceptto Appliance
  1. Login to the Acceptto appliance admin panel with an administrative account and select Active Directory.


    • Domain Controller Hostname - the fully qualified domain name of your Active Directory Server.
    • Base DN - The Distinguished Name that will be the base of the LDAP tree for searching users.
    • Domain name - The domain portion of the fully qualified domain name.
    • Bind Credentials, Username - enter a user that has privileges to perform LDAP queries
    • Bind Credentials, Password - enter the password for the user.

  2. Click “Save Changes” button.
  3. Select RADIUS.


    • NetBIOS domain - The NetBIOS name of your domain.
    • Assigned Computer Name - The name to attribute to RADIUS in theComputers section of your Active Directory
    • REALM - Usually equal to the domain portion of your Active Directory fully qualified domain name.
    • MFA Active Directory Group - The LDAP group that will contain the users subject to MFA.
    • MFA Login message - The message show to your users in the It’sMe mobile application.
    • Radius eGuardian UID - An application UID provided to you by your Acceptto representative, or configured by you in the eGuardian admin panel.
    • Radius eGuardian Secret - An application Secret provided to you by your Acceptto representative or configured by you in the eGuardian admin panel.

  4. Click “Save Changes” button.

Configure the Palo Alto Global Protect Portal
  1. Configure a RADIUS Server:
    1. Open the Palo Alto administrative interface and navigate to Device tab > Server Profiles > RADIUS and click Add.


    2. In the Server profile dialog enter the configuration for your RADIUS.


      1. Profile Name: Enter a friendly name for this configuration.
      2. Timeout (sec): 120 seconds
      3. Retries: 1
      4. Authentication Protocol: PAP

    3. Select the Add button at the bottom of the dialog to add a new RADIUS server.


      1. Name: A friendly name for the RADIUS Server.
      2. RADIUS Server: The IP address or Fully Qualified Domain Name (FQDN) of your RADIUS server.
      3. Secret: The string used to authenticate the Palo Alto Device to the RADIUS Server.
      4. Port: Leave this unchanged.

    4. Select OK, and then Commit, your new RADIUS Server Profile is ready to use.
  2. Create an Authentication Profile
    1. Select Device, Authentication Profile, Add.


      1. Name: A friendly name for the Authentication Profile.
      2. Type: RADIUS
      3. Server Profile: The Server profile created in the previous step 1.b.
      4. User Domain: The domain used by your users (Optional)
    2. In the same dialog select the tab Advanced and then select “ + Add “.


      1. Allow List: Select all or the user group(s) that you want to use for this authentication profile.
      2. Failed Attempts: Configure this setting according to your security policy. (Optional)
      3. Lockout Time (min): Configure this setting according to your security policy. (Optional)
  3. Associate the RADIUS Server Profile to either a new Portal or an existing one.
    1. In the Palo Alto administrative interface, select Network tab > Global Protect > Portals then click Add.


    2. Select the Authentication tab and change or add the authentication method to use the Authentication Profile created in step 2.



    3. Select OK and Commit.
Test your setup
  1. Open a console session to the Palo Alto device.
    1. Type test authentication authentication-profile " VPNAuth Profile Acceptto RADIUS " username demo password, where " VPN Auth Profile Acceptto RADIUS " is the profile created in step 2, the username demo is a valid user of your Active Directory, the command prompt will ask you to input the user’s password.
    2. The expected output should be similar to:
    3. Do allow list check before sending out authentication request… name "demo" is in group "all" Authentication to RADIUS server at radius.example.com:1812 for user "demo" Authentication type: PAP Now send request to remote server … Authentication succeeded against RADIUS server at radius.example.com: 1812 for user "demo"

    4. After the line " Now send request to remote server " the mobile device associated with the user account should receive a push notification. Approval of the user notification should then cause the line " Authentication succeeded… " to appear.
    5. If the push notification is rejected then the message " Authentication failed… " will appear.
  2. You can also verify the configuration using the Global Protect VPN Client.
    1. Download and install the Global Protect Client. See this link for further information on how to obtain the GlobalProtect Client.
    2. Open the Global Protect Client and select the " cog " icon on the top right-hand corner, select Settings to open the GlobalProtect Settings menu.



    3. Select Add to configure the portal created in " Configure the Palo Alto Global Protect Portal " step 3.


    4. Open the GlobalProtect client and select Connect.


    5. A push notification is sent to your mobile device. Approval of the push notification will complete the VPN connection


    6. If you encounter issues while configuring your RADIUS instance please contact Acceptto Support at support@acceptto.com for further assistance.
Disclaimer

All company, product and service names used in this document are for identification purposes only. Use of these names, trademarks and brands does not constitute endorsement by the Acceptto Corporation.

Palo Alto Networks are trademarks of Palo Alto Networks® and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries.