Acceptto MFA for Palo Alto VPN
RADIUS is a protocol commonly used to authenticate, authorize and account for user access and actions. Acceptto offers a simple solution for adding multi-factor authentication (MFA) to Palo Alto VPN via its Radius solution. This manual illustrates how to configure both a Palo Alto device and an Acceptto appliance using RADIUS.
- An Acceptto Appliance connected to your user directory (for example Microsoft Active Directory).
- A user with administrative privileges for the Acceptto Appliance.
- The user population that is going to be authenticated via RADIUS must be enrolled in the It’sMe mobile application.
- A user with administrative privileges for the Palo Alto device.
Configure the Acceptto Appliance RADIUS interface
- Login to the Acceptto appliance admin panel with an administrative account and select RADIUS.
- Activate the RADIUS Service by selecting the toggle control (it is active by default).
- Activate the MS-CHAPv2 protocol by selecting the toggle control (it is active by default).
- LDAP/AD host - enter the IP address or fully qualified domain name of your Active Directory Server.
- LDAP bind user - enter a user that has privileges to create a machine account in your Active Directory.
- LDAP bind password - enter the password for the user.
- LDAP Base DN - enter The base DN path of Active Directory LDAP tree for searching users.
- NETBIOS domain - enter the NETBIOS domain name.
- Assigned computer name - enter the computer name that you want to be created in Active Directory. For example, radius1.
- REALM - enter the realm that is appended to your username. Usually, this is your domain name.
- Acceptto AD Group - enter the LDAP group that contains the users that can login via MFA (note that by default users outside of this group will have their access denied).
- Pre-login message - enter the message that your users are going to see on the It’sMe mobile application.
Configure the Palo Alto Global Protect Portal
- Configure a RADIUS Server:
- Open the Palo Alto administrative interface and navigate to Device tab > Server Profiles > RADIUS and click Add.
- In the Server profile dialog enter the configuration for your RADIUS.
- Profile Name: Enter a friendly name for this configuration.
- Timeout (sec): 120 seconds
- Retries: 1
- Authentication Protocol: PAP
- Name: A friendly name for the RADIUS Server.
- RADIUS Server: The IP address or Fully Qualified Domain Name (FQDN) of your RADIUS server.
- Secret: The string used to authenticate the Palo Alto Device to the RADIUS Server.
- Port: Leave this unchanged.
- Select Device, Authentication Profile, Add.
- Name: A friendly name for the Authentication Profile.
- Type: RADIUS
- Server Profile: The Server profile created in the previous step 1.b.
- User Domain: The domain used by your users (Optional)
- Allow List: Select all or the user group(s) that you want to use for this authentication profile.
- Failed Attempts: Configure this setting according to your security policy. (Optional)
- Lockout Time (min): Configure this setting according to your security policy. (Optional)
- In the Palo Alto administrative interface, select Network tab > Global Protect > Portals then click Add.
- Select the Authentication tab and change or add the authentication method to use the Authentication Profile created in step 2.
- Select OK and Commit.
Test your setup
- Open a console session to the Palo Alto device.
- Type test authentication authentication-profile "VPNAuth Profile Acceptto RADIUS" username demo password, where “VPN Auth Profile Acceptto RADIUS” is the profile created in step 2, the username demo is a valid user of your Active Directory, the command prompt will ask you to input the user’s password.
- The expected output should be similar to:
- After the line “Now send request to remote server” the mobile device associated with the user account should receive a push notification. Approval of the user notification should then cause the line “Authentication succeeded…” to appear.
- If the push notification is rejected then the message “Authentication failed…” will appear.
- You can also verify the configuration using the Global Protect VPN Client.
- Download and install the Global Protect Client. See this link for further information on how to obtain the GlobalProtect Client.
- Open the Global Protect Client and select the “cog” icon on the top right-hand corner, select Settings to open the GlobalProtect Settings menu.
- Select Add to configure the portal created in “Configure the Palo Alto Global Protect Portal” step 3.
- Open the GlobalProtect client and select Connect.
- A push notification is sent to your mobile device. Approval of the push notification will complete the VPN connection.
- If you encounter issues while configuring your RADIUS instance please contact Acceptto Support at email@example.com for further assistance.
Do allow list check before sending out authentication request… name "demo" is in group "all" Authentication to RADIUS server at radius.example.com:1812 for user "demo" Authentication type: PAP Now send request to remote server … Authentication succeeded against RADIUS server at radius.example.com:1812 for user "demo"
If you require assistance, please email us at firstname.lastname@example.org
Want to learn more about our MFA solutions? Contact our Professional Services for a Demo today.
All company, product and service names used in this document are for identification purposes only. Use of these names, trademarks and brands does not constitute endorsement by the Acceptto Corporation.
Palo Alto Networks are trademarks of Palo Alto Networks® and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries.