PALO-ALTO MFA AUTHENTICATION USING UPSSO RADIUS

This document provides instructions to integrate Palo Alto Global Protect VPN with UPSSO RADIUS.

PRE-REQUISITES

To integrate UPSSO with the Palo Alto Global Protect VPN, below are the prerequisites we need.

  • Administrator access to UPSSO Portal.
  • Palo Alto Firewall  version 9.X and higher
  • Palo Alto Global Protect Agent 4.X or higher.

NETWORK DIAGRAM

A close up of a map

Description automatically generated
  1. User authenticated to the firewall using Global Protect Agent software.
  2. Palo Alto firewall sends an authentication request to the UPSSO Radius server.
  3. UPSSO Radius server forwards the authentication request to the IDP server.
  4. IDP server checks the authentication request with enterprise LDAP or UPSSO directory.
  5. IDP sends the multi-factor token to be configured methods, like Google authenticator, SMS, or Email.
  6. Radius receives authorization accept or reject method from the IDP server.
  7. UPSSO Radius server confirms the Authentication request to the target device.

ADD PALO-ALTO RADIUS CLIENT IN UPSSO PORTAL

  1. Login to the UPSSO portal.
  2. Once login, go to Radius client’s section.

3. Click on the + button to add a new client.

4. Enter the device friendly name and IP address and secret for the device to authenticate with the RADIUS server—this secret used during the device radius configuration. By Default, Palo-Alto uses a management interface for Radius Communication.

CONFIGURING VPN USING PALO ALTO WEB INTERFACE

In this guide, we are using three interfaces in the Palo Alto Firewall. Interface details are as follows.

  • Inside – LAN facing Interface – IP address: 10.10.3.79
  • Outside – WAN facing interface – IP address: 10.10.2.179
  • Management – Interface used to connect ASDM client for firewall configurations. - IP address 10.10.3.138

PALO-ALTO SSL CERTIFICATE CONFIGURATION

In the following steps, we create a Palo-Alto global protect VPN with On-demand authentication.

  1. Generate a root CA, Intermediate CA, and a Server cert in device> Certificate and Click on Generate Button at the bottom of the screen.

a. Create Root CA

b. Create an Intermediate Certificate

c. Create a Server Certificate.

The final results look like the below screenshot.

2. Create an SSL/TLS profile under the device> Certificate Management > SSL/TLS service profile, referencing the above-created server certificate.

3. Create an authentication profile under Devices > Authentication Profile > Add

Name – Give a friendly name for the Authentication profile

Type – Select Local Database (We are testing with Local Authentication and later switch to Radius Authentication)

4. Click on the advanced TAB and select all users.

PALO-ALTO SSL TUNNEL CONFIGURATION

1) Create a tunnel interface under network> Interfaces> Tunnel. Give a Tunnel number, Virtual router, and security zone.

2) Under the Security Zone, click on the drop-down and New Zone. Give a new zone name as a VPN.

3) Commit changes in the top right corner on the screen.

CONFIGURE GLOBAL PROTECT PORTAL

  1. Go to Network > GlobalProtect > Portals > Add

General Tab – Give a friendly name to the portal. We are using the WAN interface to access the portal. Select IP address If applicable.

Authentication Tab

a) Under SSL/TLS service profile, select the SSL/TLS profile created in previous session step 2.

b) Client Authentication > Add. Give a friendly name to it, leave the OS to any unless you want some restriction. Under the authentication profile, select the auth profile to create in step 3 previous section. Leave the rest of the settings to default.

c) Click OK to save.

Agent TAB

a) Click on the add button in Agent section

b) Give any friendly name.

c) Leave client certificate to none

d) Save user Credential – Default (Yes)

e) Authentication override. Select checkboxes “Generate cookie for Authentication override” and “Accept cookie for authentication override.” Select RootCert in “Certificate to Encrypt/Decrypt”

f) In config selection criteria > User/Groups select any users.

g) In the External tab, add the public IP address of the interface. This IP address we entered during the certificate Creation.

h) In the app tab, Under ‘Connect-Method’ drop-down. Select ‘On-demand (Manual user-initiated connection)’ or select as per the requirement.

i) Click OK to save.

j) Select the certificate as per the below screenshot.,

k) Click OK to save.

CONFIGURE GLOBAL PROTECT GATEWAY

  1. Go to Network > Global Protect > Gateways > Add
  2. In the general tab, Give a friendly name. In our case, we select the WAN interface for gateway traffic.

3. In authentication TAB, select SSL-TLS service profile as same as portal configuration. Add the Client authentication similar to Global protect portal configuration.

4. Agent TAB

a. Check Tunnel settings to enable and select the tunnel.10, which we created in the previous steps.

b. Select IPSec, so that client can try IPSec and fall back to SSL VPN

c. Leave the rest to default.

d. In the client settings click add, and give a friendly name in config selection criteria and leave the default to select any user.

e. In the authentication override, select the options as per the below screenshot.

f. In the client, the IP pool selects a range of IP addresses assigned to the clients. Please make sure this range does not conflict with your existing network.

g. In the split tunnel, select the internal network range. The clients route the traffic through the VPN. Or by default client send all the traffic through the VPN.

h. Click OK to save all the configuration

i. Click commit to write the configuration in the disk.

CREATING LOCAL USER FOR TESTING VPN

  1. Go to device> Local database users > Users
  2. Add a user

3.  Click OK to save and commit the configuration.

TEST VPN CONNECTION USING LOCAL AUTHENTICATION

1) Go to the portal using a web browser by FQDN or public IP.

2) Login to the portal by local authentication, which we created in the previous step.

3) Download and install the software as per your platform.

4) Test the VPN connectivity and make sure the VPN is working fine. In the next sections, we configure radius authentication.

5) Enter the IP address of the WAN interface for the VPN connection.

6) Enter the local Username/password and click Sign In.

7) Once connected, please check if you can access the internal system. If not, please check the security policies and NAT rules.

CONFIGURING RADIUS AUTHENTICATION

1) Go to Devices > Server profiles > RADIUS > Add.

2) Enter Friendly Name in the profile name—set Authentication protocol to PAP.

3) Add the Radius Server IP address, secret, which we have created in the RADIUS server configuration step. Click OK to save the configuration.

4) Goto Device > Authentication Profile > Add

5) Give a Friendly name, select Type to Radius and Server profile, which we have created in the previous step.

6) Click on Advanced and add all users in the Allowed section.

7) Click OK to save and configuration and Commit.

ASSOCIATE RADIUS AUTHENTICATION IN GP PORTAL AND GATEWAY

1) Go to network> Global Protect > Portals

2) Open the required portal and go to Authentication Tab

3) Click Add. Enter a friendly name, OS Any, Authentication Profile, which we have created in the previous section.

4) click, OK.

5) Move the RADIUS authentication to TOP.

6) Click OK to save the changes.

7) Go to network>  Global Protect > Gateways.

8) Edit already created a gateway profile and go to the Authentication section.

9) Repeat steps 3 – 6.

10) Save and commit the configuration.

ACCESS VPN USING UPSSO MFA

1) Go to the portal URL using a browser supported by Palo-Alto

2) Enter the username and password, which are configured in the UPSSO.

3) Enter the MFA  received in SMS, Email, or Google Authenticator.

4) Once logged in, download the required agent and install it.

5) In the client, enter username and password, which is configured in the UPSSO.

6) Enter the MFA received in SMS, Email, or Google Authenticator.

7) You are connected once the authentication is successful.