RADIUS

 

 

Introduction

Multi-factor authentication (MFA) is an extra layer of security used when accessing your Palo Alto Global Protect VPN through more than one required security and validation procedure that only you know or have access to. RADIUS is a protocol commonly used to authenticate, authorize and account for user access and actions. The Acceptto RADIUS solution adds an out of band authentication method to increase the protection applied to the attack surface associated with VPN connectivity.

  

Pre-requisites

  1. An Acceptto Appliance connected to your user directory (for example Microsoft Active Directory).
  2. The user population that is going to be authenticated via RADIUS must be enrolled in the It’sMe Application.
  3. A user with administrative privileges for the Palo Alto device.
  4. Experience of setting up Palo Alto client VPN configurations.
  5. A user with administrative privileges for the Acceptto Appliance.

 

Configure the Acceptto RADIUS

  1. Login to the Acceptto appliance admin panel with an administrative account and select RADIUS.
  • Activate the RADIUS Service by selecting the toggle control (it is active by default, this action is only required if you have disabled the service).
  • Activate the MS-CHAPv2 protocol by selecting the toggle control (it is active by default).
  • LDAP/AD host - enter the IP address or fully qualified domain name of your Active Directory Server.
  • LDAP bind user - enter a user that has privileges to create a machine account in your Active Directory.
  • LDAP bind password - enter the password for the user.
  • LDAP Base DN - enter The base DN path of Active Directory LDAP tree for searching users.
  • NETBIOS domain - enter the NETBIOS domain name.
  • “Assigned computer name” - enter the name of the workstation that you want created in Active Directory for example: radius1.
  • “REALM” - enter the realm that is usually appended to your usernames, usually this is equal to the domain name e.g. if your domain is example.com then your realm, is usually example.com.
  • “Acceptto AD Group” - enter the ldap group that contains the users that can login via MFA (note that by default users outside of this group will have their access denied).
  • “Pre-login message” - enter the message that your users are going to see on the It’sME mobile application.
  • Select the “SAVE CHANGES” control once you have completed the configuration.

 

Configure the Palo Alto Global Protect Portal

  1. Configure a RADIUS Server:

    1. Open the Palo Alto administrative interface and select Device, Server Profiles, RADIUS, Add.

    2. In the Server profile dialog enter the configuration for your RADIUS.

      Profile Name: Enter a friendly name for this configuration.

      Timeout (sec): 120 seconds

      Retries: 1

      Authentication Protocol: PAP

    3. Select the Add control at the bottom of the dialog to add a new RADIUS server.

      Name: A friendly name for the RADIUS Server.

      RADIUS Server: The IP address or Fully Qualified Domain Name (FQDN) of your RADIUS server.

      Secret: The string used to authenticate the Palo Alto Device to the RADIUS Server.

      Port: Leave this unchanged.


    4. Select OK, and then Commit, your new RADIUS Server Profile is ready to use.

       



  2. Create an Authentication Profile

    1. Select Device, Authentication Profile, Add.

      Name: A friendly name for the Authentication Profile.

      Type: RADIUS

      Server Profile: The Server profile created in the previous step 1.b.

      User Domain: The domain used by your users (Optional)


    2. In the same dialog select the tab Advanced and then select Add.

      Allow List: Select all or the user group(s) that you want to use for this authentication profile.

      Failed Attempts: Configure this setting according to your security policy. (Optional)

      Lockout Time (min): Configure this setting according to your security policy. (Optional)


       

  3. Associate the RADIUS Server Profile to either a new Portal or an existing one.

    1. In the Palo Alto administrative interface, select Network, Global Protect, Portals, Add.

    2. Select the Authentication tab and change or add the authentication method to use the Authentication Profile created in step 2.

    3. Select OK and Commit.

 

Test the authentication configuration

  1. Open a console session to the Palo Alto device.

    1. Type test authentication authentication-profile "VPNAuth Profile Acceptto RADIUS" username demo password, where “VPN Auth Profile Acceptto RADIUS” is the profile created in step 2, the username demo is a valid user of your Active Directory, the command prompt will ask you to input the user’s password.

    2. The expected output should be similar to:

      Do allow list check before sending out authentication request…

      name "demo" is in group "all"

      Authentication to RADIUS server at radius.example.com:1812 for user "demo"

      Authentication type: PAP

      Now send request to remote server …

      Authentication succeeded against RADIUS server at radius.example.com:1812 for user "demo"



    3. After the line “Now send request to remote server” the mobile device associated with the user account should receive a push notification, approval of the user notification should then cause the line “Authentication succeeded…” to appear.

       

    4. If the push notification is rejected then the message “Authentication failed…” will appear.

 

  1. You can also verify the configuration using the Global Protect VPN Client.

    1. Download and install the Global Protect Client. See this link for further information on how to obtain the GlobalProtect Client.

    2. Open the Global Protect Client and select the “cog” icon on the top right-hand corner, select Settings to open the GlobalProtect Settings menu.

    3. Select Add to configure the portal created in “Configure the Palo Alto Global Protect Portal” step 3.

    4. Open the GlobalProtect client and select Connect.

    5. A push notification is sent to your mobile device. Approval of the push notification will complete the VPN connection

    6. If you encounter issues while configuring your RADIUS instance please contact Acceptto Support at support@acceptto.com for further assistance.

Disclaimer

All company, product and service names used in this document are for identification purposes only. Use of these names, trademarks and brands does not constitute endorsement by the Acceptto Corporation.

 

Microsoft™, Azure™ and Active Directory™ are trademarks of Microsoft Corporation and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries.