Acceptto MFA for Palo Alto VPN

Introduction

RADIUS is a protocol commonly used to authenticate, authorize and account for user access and actions. Acceptto offers a simple solution for adding multi-factor authentication (MFA) to Palo Alto VPN via its RADIUS solution. This manual illustrates how to configure both a Palo Alto device and an Acceptto appliance using RADIUS.


Pre-requisites
  1. An Acceptto Appliance connected to your user directory (for example Microsoft Active Directory).
  2. A user with administrative privileges for the Acceptto Appliance.
  3. The user population that is going to be authenticated via RADIUS must be enrolled in the It’sMe mobile application.
  4. A user with administrative privileges for the Palo Alto device.

Configure the Acceptto Appliance RADIUS interface
  1. Log in to the Acceptto appliance admin panel with an administrative account and select RADIUS.
     [Figure: Acceptto admin panel]
  2. Configure the RADIUS settings:
    • Activate the RADIUS Service by selecting the toggle control (it is active by default).
    • Activate the MS-CHAPv2 protocol by selecting the toggle control (it is active by default).
    • LDAP/AD host - enter the IP address or fully qualified domain name of your Active Directory Server.
    • LDAP bind user - enter a user that has privileges to create a machine account in your Active Directory.
    • LDAP bind password - enter the password for the user.
    • LDAP Base DN - enter the base DN path of the Active Directory LDAP tree used for searching users.
    • NETBIOS domain - enter the NETBIOS domain name.
    • Assigned computer name - enter the computer name that you want to be created in Active Directory. For example, radius1.
    • REALM - enter the realm that is appended to your username. Usually, this is your domain name.
    • Acceptto AD Group - enter the LDAP group that contains the users that can log in via MFA (note that by default users outside of this group will have their access denied).
    • Pre-login message - enter the message that your users are going to see on the It’sMe mobile application.

  3. Click the “SAVE CHANGES” button.

Configure the Palo Alto Global Protect Portal
  1. Configure a RADIUS Server:
    1. Open the Palo Alto administrative interface and navigate to Device tab > Server Profiles > RADIUS and click Add.
       [Figure: Palo Alto admin interface]
    2. In the Server Profile dialog enter the configuration for your RADIUS server:
       [Figure: Server profile dialog]
      • Profile Name: Enter a friendly name for this configuration.
      • Timeout (sec): 120 seconds
      • Retries: 1
      • Authentication Protocol: PAP

    3. Select the Add control at the bottom of the dialog to add a new RADIUS server.
       [Figure: RADIUS Server profile]
      • Name: A friendly name for the RADIUS Server.
      • RADIUS Server: The IP address or Fully Qualified Domain Name (FQDN) of your RADIUS server.
      • Secret: The string (shared secret) used to authenticate the Palo Alto device to the RADIUS server.
      • Port: Leave this unchanged.

    4. Select OK and then Commit; your new RADIUS Server Profile is ready to use.

  2. Create an Authentication Profile

    1. Select Device, Authentication Profile, Add.
       [Figure: Authentication profile]
      • Name: A friendly name for the Authentication Profile.
      • Type: RADIUS
      • Server Profile: The RADIUS Server Profile created in step 1 (Configure a RADIUS Server).
      • User Domain: The domain used by your users. (Optional)

    2. In the same dialog select the Advanced tab and then select Add.
       [Figure: Advanced tab of authentication profile]
      • Allow List: Select all or the user group(s) that you want to use for this authentication profile.
      • Failed Attempts: Configure this setting according to your security policy. (Optional)
      • Lockout Time (min): Configure this setting according to your security policy. (Optional)

  3. Associate the RADIUS Server Profile with either a new Portal or an existing one.
    1. In the Palo Alto administrative interface, select Network tab > Global Protect > Portals, then click Add.
       [Figure: Palo Alto Network]
    2. Select the Authentication tab and change or add the authentication method to use the Authentication Profile created in step 2.
       [Figure: GlobalProtect portal configuration, Client authentication]
    3. Select OK and Commit.

Test your setup
  1. Open a console session to the Palo Alto device.
    1. Type test authentication authentication-profile "VPNAuth Profile Acceptto RADIUS" username demo password, where “VPNAuth Profile Acceptto RADIUS” is the profile created in step 2 and the username demo is a valid user of your Active Directory; the command prompt will ask you to input the user’s password.
    2. The expected output should be similar to:
       Do allow list check before sending out authentication request…
       name "demo" is in group "all"
       Authentication to RADIUS server at radius.example.com:1812 for user "demo"
       Authentication type: PAP
       Now send request to remote server …
       Authentication succeeded against RADIUS server at radius.example.com:1812 for user "demo"
    3. After the line “Now send request to remote server” the mobile device associated with the user account should receive a push notification. Approval of the notification should then cause the line “Authentication succeeded…” to appear.
    4. If the push notification is rejected, the message “Authentication failed…” will appear instead.
  2. You can also verify the configuration using the GlobalProtect VPN Client.
    1. Download and install the GlobalProtect Client. See this link for further information on how to obtain the GlobalProtect Client.
    2. Open the GlobalProtect Client, select the “cog” icon in the top right-hand corner, then select Settings to open the GlobalProtect Settings menu.
       [Figure: GlobalProtect connect popup modal; GlobalProtect settings navigation]
    3. Select Add to configure the portal created in “Configure the Palo Alto Global Protect Portal” step 3.
       [Figure: GlobalProtect settings tab]
    4. Open the GlobalProtect client and select Connect.
       [Figure: GlobalProtect sign in page]
    5. A push notification is sent to your mobile device. Approval of the push notification will complete the VPN connection.
       [Figure: It'sMe transaction screen]
    6. If you encounter issues while configuring your RADIUS instance, please contact Acceptto Support at support@acceptto.com for further assistance.
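The console test above drives a PAP exchange between the firewall and the appliance. The script below, added here as an example and not Acceptto or Palo Alto code, builds the same RFC 2865 Access-Request (User-Name plus a User-Password hidden under the shared secret) and validates the Response Authenticator on the reply, which is the check that rejects replies not produced by a holder of the secret. The secret, request authenticator and user name used with it are constructed values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def pap_hide(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block).
    Keyed obfuscation, not encryption: the firewall-to-appliance path must be trusted."""
    blocks = max(1, -(-len(password) // 16))
    padded, out, prev = password.ljust(blocks * 16, b"\x00"), b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_reveal(secret, authenticator, hidden):
    """Inverse of pap_hide: what the RADIUS server does on receipt."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(secret, username, password, ident=1, authenticator=None):
    """Access-Request carrying User-Name and a PAP-hidden User-Password (all bytes)."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable per request
    hidden = pap_hide(secret, authenticator, password)
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def sign_response(secret, request_auth, code, ident, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def response_is_authentic(secret, request_auth, packet):
    """Client side: drop any reply whose authenticator was not made with the shared secret."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return packet[4:20] == expected
```

Send the request over UDP port 1812 with a socket timeout matching the 120-second profile timeout so the It'sMe push approval has time to arrive, and treat a reply that fails response_is_authentic as a failed authentication regardless of its code.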

Support

If you require assistance, please email us at support@acceptto.com.


Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a Demo today.


Disclaimer

All company, product and service names used in this document are for identification purposes only. Use of these names, trademarks and brands does not constitute endorsement by the Acceptto Corporation.

Palo Alto Networks are trademarks of Palo Alto Networks® and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries.