How to Install Duo Security 2FA for Palo Alto GlobalProtect VPN (RADIUS Configuration)

- [Matt] Hi, I'm Matt from Duo Security. In this video, I'm going to show you how to protect your Palo Alto GlobalProtect VPN gateway with Duo two-factor authentication. This application uses RADIUS and the Duo Authentication Proxy. Before watching this video, please read the documentation for this configuration at duo.com/docs/paloalto. Note that in addition to this RADIUS-based configuration, you can also protect Palo Alto SSO logins with Duo. Read about the options for that configuration at duo.com/docs/paloalto-sso.

Before setting up this Duo integration with Palo Alto, you must have a working primary authentication configuration for your SSL VPN users, such as LDAP authentication to Active Directory. To integrate Duo with your Palo Alto VPN, you will need to install a local proxy service on a machine within your network. Before proceeding, you should locate or set up a system on which you can install the Duo Authentication Proxy. The proxy supports Windows and Linux systems. In this video, we will use a Windows Server 2016 system. Note that this Duo proxy server also acts as a RADIUS server; there is no need to deploy a separate RADIUS server to use Duo.

The Palo Alto device in this video is running PAN-OS 8.0.6. The instructions for installing Duo protection via RADIUS on devices running older versions of PAN-OS differ somewhat from what is shown in this video. Reference the documentation for more information.

On the system you are going to install the Duo Authentication Proxy on, log in to the Duo Admin Panel. In the left sidebar, navigate to Applications. Click Protect an Application. In the search bar, type palo alto. Next to the entry for Palo Alto SSL VPN, click Protect this Application. Note your integration key, secret key, and API hostname; you will need these later during setup. Near the top of the page, click the link to open the Duo documentation for Palo Alto. Next, install the Duo Authentication Proxy.
In this video, we will use a 64-bit Windows Server 2016 system. We recommend a system with at least one CPU, 200 megabytes of disk space, and four gigabytes of RAM. On the documentation page, navigate to the Install the Duo Authentication Proxy section. Click the link to download the most recent version of the proxy for Windows. Launch the installer on the server as a user with administrator rights and follow the on-screen prompts to complete installation.

After the installation completes, configure and start the proxy. For the purposes of this video, we assume that you have some familiarity with the elements that make up the proxy configuration file and how to format them. Comprehensive descriptions of each of these elements are available in the documentation. The Duo Authentication Proxy configuration file is named authproxy.cfg and is located in the conf subdirectory of the proxy installation. Run a text editor like WordPad as an administrator and open the configuration file. By default, the file is located in C:\Program Files (x86)\Duo Security Authentication Proxy\conf\. Since this is a completely new installation of the proxy, there will be example content in the configuration file. Delete this content.

First, configure the proxy for your primary authenticator. For this example, we will use Active Directory. Add an [ad_client] section to the top of the configuration file. Add the host parameter and enter the hostname or IP address of your domain controller. Then add the service_account_username parameter and enter the username of a domain member account that has permission to bind to your AD and perform searches. Next, add the service_account_password parameter and enter the password that corresponds to the username entered above. Lastly, add the search_dn parameter and enter the LDAP distinguished name of an AD container or organizational unit containing all of the users you wish to permit to log in.
Additional optional parameters for this section are described in the documentation.

Next, configure the proxy for your Palo Alto GlobalProtect gateway. Create a [radius_server_auto] section below the [ad_client] section. Add the integration key, secret key, and API hostname from your Palo Alto application's properties page in the Duo Admin Panel. Add the radius_ip_1 parameter and enter the IP address of your Palo Alto GlobalProtect VPN. Below that, add the radius_secret_1 parameter and enter a secret to be shared between the proxy and your VPN. Add the client parameter and enter ad_client. Palo Alto does not send the client IP address using the standard RADIUS attribute Calling-Station-ID. A new RADIUS attribute containing the client IP address, PaloAlto-Client-Source-IP, was introduced in PAN-OS version 7. To send the PaloAlto-Client-Source-IP attribute to Duo, add the client_ip_attr parameter and enter paloalto. Additional optional parameters for this [radius_server_auto] section are described in the documentation. Save your configuration file. Open an administrator command prompt and run net start DuoAuthProxy to start the proxy service.

Next, configure your Palo Alto GlobalProtect gateway. First, we will add the Duo RADIUS server. Log in to the Palo Alto administrative interface. Click the Device tab. In the left sidebar, navigate to Server Profiles, RADIUS. Click the Add button to add a new RADIUS server profile. In the Name field, enter Duo RADIUS. Increase the timeout to at least 30. We recommend using 60 if you are using push or phone authentication, so we will use 60 in this example. In the dropdown for authentication protocol, select PAP. In the Servers section, click Add. In the Name field, enter Duo RADIUS. In the RADIUS Server field, enter the hostname or IP address of your Duo Authentication Proxy. In the Secret field, enter the RADIUS shared secret used in the authentication proxy configuration.
Leave or set the port to 1812, as that is the default used by the proxy. If you used a different port during your Authentication Proxy setup, be sure to use that now. Click OK to save the new RADIUS server profile.

Now add an authentication profile. In the left sidebar, navigate to Authentication Profile. Click the Add button. In the Name field, enter Duo. In the Type dropdown, select RADIUS. In the Server Profile dropdown, select Duo RADIUS. Depending on how your users log in to GlobalProtect, you may need to enter your authentication domain name in the User Domain field. This is used in conjunction with the Username Modifier field. If the Username Modifier is left blank or set to %USERINPUT%, then the user's input is unmodified. You can prepend or append the value of %USERDOMAIN% to modify the username input. Learn more about both of these fields in the GlobalProtect documentation hosted on Palo Alto's website, which is linked in the Duo documentation. Click the Advanced tab and click Add. Select the All group. Click OK to save the authentication profile.

Next, configure your GlobalProtect gateway settings. In the Palo Alto administrative interface, click the Network tab. In the left sidebar, navigate to GlobalProtect, Gateways. Select your configured GlobalProtect gateway. Click the Authentication tab. In the entry for your Client Authentication, in the Authentication Profile dropdown, select the Duo authentication profile you created earlier. If you are not using authentication override cookies on your GlobalProtect gateway, you may want to enable them to minimize Duo authentication requests at client reconnection during one gateway session. You will need a certificate to use with the cookie. Click on the Agent tab. Click the Client Settings tab. Click on the name of your configuration to open it. On the Authentication Override tab, check the boxes to generate and accept cookies for authentication override.
Enter a Cookie Lifetime. In this example, we will use eight hours. Select a certificate to use with the cookie. Click OK and then click OK again to save your gateway settings.

Now configure your portal settings. If the GlobalProtect portal is configured for Duo two-factor authentication, users may have to authenticate twice when connecting to the GlobalProtect gateway agent. For the best user experience, Duo recommends leaving your GlobalProtect portal set to use LDAP or Kerberos authentication. If you do add Duo to your GlobalProtect portal, we also recommend that you enable cookies for authentication override on your portal to avoid multiple Duo prompts for authentication when connecting. In the Palo Alto administrative interface, from the Network tab, navigate to GlobalProtect, Portal. Click on your configured profile. Click the Authentication tab. In the entry for your client authentication, in the Authentication Profile dropdown, select the Duo authentication profile you configured earlier. Click on the Agent tab. Click on the entry for your configuration. On the Authentication tab, in the Authentication Override section, check the boxes to generate and accept cookies for authentication override. Enter a Cookie Lifetime. In this example, we will use eight hours. Select a certificate to use with the cookie. Click OK and then click OK again to save your portal settings.

To make your changes take effect, click the Commit button in the upper-right corner of the Palo Alto administrative interface. Review your changes and click Commit again.

Now finish configuring your Palo Alto device to send the client IP to Duo. Connect to the Palo Alto device administration shell. Using the command from step one of the client IP reporting section of the Duo for Palo Alto documentation, enable sending the PaloAlto-Client-Source-IP client IP attribute.

After installing and configuring Duo for your Palo Alto GlobalProtect VPN, test your setup.
Using a username that has been enrolled in Duo and that has activated the Duo Mobile application on a smartphone, attempt to connect to your VPN with your GlobalProtect gateway agent. You should receive an automatic push on the Duo Mobile app on your smartphone. Open the notification, check the contextual information to confirm the login is legitimate, approve it, and you are logged in. Note that you can also append a comma and a factor name or passcode to the end of your password when logging in to use a passcode or manually select a two-factor authentication method. Reference the documentation for more information. You have successfully set up Duo for your Palo Alto GlobalProtect gateway.
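The authproxy.cfg the video builds up across the [ad_client] and [radius_server_auto] steps, written out as one complete file. This is an added example, not the file shown in the video or Duo's own sample configuration; every value (the domain controller hostname, service account, search DN, keys, API hostname, gateway IP and secrets) is a placeholder you must replace, and the optional parameters marked as such are assumptions taken from the proxy's documented option set rather than settings the video configures.

```ini
; Added example authproxy.cfg for the Palo Alto GlobalProtect setup above.
; Not the video's file: all values are placeholders (assumptions) and must be
; replaced with your own environment's values.

; --- Primary authentication: Active Directory (the "ad_client" step) ---
[ad_client]
host=dc1.example.com
service_account_username=duo-ldap-svc
service_account_password=CHANGE_ME_AD_PASSWORD
; Container or OU holding every user allowed to log in through the VPN.
search_dn=OU=VPN Users,DC=example,DC=com
; Optional (assumption): bind over LDAPS so the service-account password and
; user credentials are not sent to the DC in the clear. Requires the DC's
; CA certificate in PEM form at the path given.
; transport=ldaps
; ssl_ca_certs_file=C:\Program Files (x86)\Duo Security Authentication Proxy\conf\dc-ca.pem

; --- RADIUS server presented to the Palo Alto gateway (the "radius_server_auto" step) ---
[radius_server_auto]
; Integration key, secret key and API hostname from the Palo Alto SSL VPN
; application's properties page in the Duo Admin Panel.
ikey=DIXXXXXXXXXXXXXXXXXX
skey=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
api_host=api-XXXXXXXX.duosecurity.com
; IP address of the GlobalProtect gateway/portal that will send RADIUS requests.
radius_ip_1=10.0.0.1
; Shared secret; the same value goes in the Palo Alto RADIUS server profile.
radius_secret_1=CHANGE_ME_LONG_RANDOM_RADIUS_SECRET
; Forward primary (password) authentication to the [ad_client] section above.
client=ad_client
; Default RADIUS authentication port; must match the port in the server profile.
port=1812
; Read the client IP from the PaloAlto-Client-Source-IP vendor attribute
; instead of Calling-Station-ID (PAN-OS 7 and later).
client_ip_attr=paloalto
; Optional (assumption): "secure" rejects logins when the Duo service cannot
; be reached; the proxy default is "safe", which lets primary-auth-only logins
; through in that case.
; failmode=secure
```

Two caveats a practitioner should keep in mind with this file. The proxy needs the authentication protocol on the Palo Alto side set to PAP because it must forward the user's actual password to Active Directory; RADIUS PAP only obfuscates that password with an MD5 keystream derived from the shared secret, so keep the gateway-to-proxy traffic on a trusted management segment, use a long random radius_secret_1, and restrict the proxy's UDP port 1812 to the addresses listed in radius_ip_N. The file also holds the AD service-account password and the Duo secret key in plain text, so limit read access to the conf directory to administrators and the account the DuoAuthProxy service runs as. After saving, start the service with net start DuoAuthProxy as the video shows and watch the proxy log in the log subdirectory for a successful AD bind before testing a VPN login.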
