How to Install Duo Protection for Palo Alto SSO with Duo Access Gateway

Captions
(upbeat music) - [Instructor] Hi, I'm Matt from Duo Security. In this video, I'm going to show you how to protect SSO logins to Palo Alto GlobalProtect using Duo's on-premises SSO product, Duo Access Gateway. This video will describe some of the necessary prerequisites for this configuration, and then show the setup process beginning with configuring your Palo Alto Networks SSO logins to work with Duo Access Gateway. Before watching this video, please read the documentation for this configuration at duo.com/docs/paloalto-sso. Note that in addition to GlobalProtect SSO logins, you can also protect SSO logins to the Captive Portal or Admin UI. By protecting your SSO Palo Alto logins with Duo, you will be able to take advantage of features including inline self-service enrollment, the Duo Prompt, Trusted Endpoints, and Duo's policy engine. Note that you can also protect Palo Alto SSO logins using Duo in tandem with services including Microsoft AD FS, Okta, OneLogin, CAS, and Shibboleth. Reference the documentation for information about those configurations. In addition, Duo offers a RADIUS-based method for protecting Palo Alto GlobalProtect VPN logins that uses our Authentication Proxy. You can learn about this configuration at duo.com/docs/paloalto. This video assumes that you have already deployed Duo Access Gateway, also known as DAG, on a server in your DMZ. The documentation for installing and configuring DAG is available at duo.com/docs/dag. In your DAG Authentication Source configuration, include the appropriate attributes for your Authentication Source. Since we are using Active Directory for this video, the attributes are mail and sAMAccountName. If you already have attributes listed in your Authentication Source configuration, be sure to append any of these two that are not present. Do not remove any that you have already added for your environment. 
In addition, before setting up Duo Protection for Palo Alto Networks SSO, download the XML metadata from the DAG admin console's Applications page. The download link is located in the Metadata section and the file is named dag.xml. After getting these prerequisites in place, you are ready to configure your Palo Alto SSO to work with DAG. Log in to the Palo Alto management interface as an administrative user. At the top of the page, click the Device tab. On the left-hand side of the page, expand the Server Profiles section and select SAML Identity Provider. Click the Import button at the bottom of the page. In the Profile Name field, type in Duo Access Gateway Profile. Next to Identity Provider Metadata, click Browse. Select the dag.xml metadata file you downloaded from the DAG admin console. Uncheck the box next to Validate Identity Provider Certificate. Leave all other options at their defaults and click OK. The page will reload with the Duo Access Gateway Profile now listed in the SAML Identity Provider section. Next, add the Authentication Profile. On the left side of the page, select Authentication Profile. At the bottom of the page, click the Add button. In the Name field, type Duo Access Gateway. On the Authentication tab, in the Type dropdown, select SAML. Next to IdP Server Profile, click the dropdown and select Duo Access Gateway Profile. Next to Certificate for Signing Requests, click on the dropdown and select a certificate that will be used to sign SAML messages to DAG. In the Username Attribute field, type user.username. Click the Advanced tab and click Add. Select the All group. Click OK. In the top right side of the screen, click the Commit link. Review your changes and click Commit. Next, configure the Palo Alto service you want to protect with DAG SSO. In this video, we will protect a GlobalProtect portal and gateway with SSO. Reference the documentation to learn how to protect the Captive Portal and Admin UI.
In the Palo Alto management interface, click the Network tab at the top of the screen. On the left-hand side of the screen, expand GlobalProtect. Click Portals. Click on the name of the portal you want to add SSO login to. Click the Authentication tab. Select the Client Authentication configuration you want to apply SSO to, and then click the dropdown for the Authentication Profile. Select Duo Access Gateway. Click the Agent tab. Click the name of the Agent configuration you want to apply SSO to. On the Authentication page, next to Save User Credentials, click the dropdown and select Yes. Under the Authentication Override section, check the boxes next to Generate cookie for authentication override and Accept cookie for authentication override. Next to Cookie Lifetime, select how much time must pass before users are asked to authenticate again. For this example, we will use the default of 24 hours. Using the dropdown next to Certificate to Encrypt/Decrypt Cookie, select the appropriate certificate. Click OK, then click OK again to be taken back to the main screen. In the left side of the console under GlobalProtect, click Gateways. Select the Client Authentication configuration you want to apply SSO to. Click the Authentication tab. In the entry for your client authentication, click the dropdown for Authentication Profile and select Duo Access Gateway. Click on the Agent tab and click Client Settings. Click on the Gateway config you want to add SSO to. Under the Authentication Override section, check the boxes for Generate cookie for authentication override and Accept cookie for authentication override. Next to Cookie Lifetime, select how much time must pass before users are asked to authenticate again. We will again use the default of 24 hours. Next to Certificate to Encrypt/Decrypt Cookie, select the same certificate you chose previously. Click OK, then click OK again to be taken back to the main screen. Click Commit in the top right-hand side of the screen. 
Review your changes and click Commit. Now create the Palo Alto application in the Duo Admin Panel. Log in to the Duo Admin Panel. In the left sidebar, click Applications. Then click Protect an Application. In the search bar, type in saml palo alto. Next to the entry for the Palo Alto application, click Protect this Application. On your new application's properties page, in the Domain field, enter the URL of your GlobalProtect server. Next to Palo Alto Networks Service, select GlobalProtect. Since we are not using any custom attributes, we do not need to check the Custom attributes box. Click Save Configuration to generate a downloadable configuration file. Click the Download your configuration file link to obtain your Palo Alto Networks application settings as a JSON file. Note that this file contains information that uniquely identifies this application to Duo. Secure this file as you would any other sensitive or password information. Return to the Applications page of the DAG Admin Console. In the Add Applications section of the page, click Choose File, and select the Palo Alto Networks SAML Application JSON file you downloaded from the Duo Admin Panel. Click the Upload button. Your SAML application is now added to DAG. Palo Alto Networks' embedded browser does not consistently keep the same user agent during the entire authentication. User agent binding must be disabled to avoid issues. In the DAG Admin Console, navigate to Settings. Under Session Management, uncheck the box next to User agent binding. Click Save Settings. Finally, verify that you have configured your settings correctly. Open your GlobalProtect VPN client and attempt to connect to your portal. A window will pop up redirecting you to the Duo Access Gateway login page. Enter the primary directory logon information of a user enrolled in Duo. After completing primary authentication, the Duo Prompt for the Duo Access Gateway login appears.
From the prompt, the enrolled user can select Send Me a Push, Call Me, or Enter a Passcode to complete two-factor authentication. In this example, we will use Duo Push as a user has already installed and activated Duo Mobile on their smartphone. They open the notification on their smartphone, check the contextual information to confirm the login is legitimate, and tap the green button to accept. You have successfully protected Palo Alto Networks SSO with Duo.
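Because the procedure above imports dag.xml with Validate Identity Provider Certificate unchecked, it helps to read the metadata before importing it and record the entityID, SSO endpoint and signing-certificate fingerprint the firewall will be trusting. The script below is an added example, not Duo's or Palo Alto's code; it assumes dag.xml is standard SAML 2.0 IdP metadata, and the entityID, URLs and certificate bytes in it are constructed sample values.

```python
# Added example (not Duo's or Palo Alto's code): inspect a SAML IdP metadata
# file such as dag.xml before importing it. All sample values are constructed.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed stand-in for the DER certificate a real dag.xml carries.
FAKE_DER = b"constructed-not-a-real-certificate"

SAMPLE_DAG_XML = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://dag.example.com/dag/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://dag.example.com/dag/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def inspect_idp_metadata(xml_text):
    """Return entityID, HTTP-Redirect SSO URLs and SHA-256 fingerprints of signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not an IdP metadata document")
    sso_urls = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                if s.get("Binding") == REDIRECT]
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute means both roles
            for c in kd.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join(c.text.split()))  # strip PEM-style wrapping
                fingerprints.append(hashlib.sha256(der).hexdigest())
    return {"entity_id": root.get("entityID"), "sso_urls": sso_urls,
            "signing_cert_sha256": fingerprints}

def metadata_problems(info):
    """Conditions that should stop the import: no redirect endpoint, plain http, no cert."""
    problems = []
    if not info["sso_urls"]:
        problems.append("no HTTP-Redirect SingleSignOnService")
    problems += [f"SSO URL is not https: {u}" for u in info["sso_urls"]
                 if not u.startswith("https://")]
    if not info["signing_cert_sha256"]:
        problems.append("no signing certificate in metadata")
    return problems
```

Compare the reported fingerprint with the certificate shown in the DAG admin console before clicking Import, and keep it with your change record so a later metadata swap is noticeable.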
Info
Channel: Duo Security
Views: 4,021
Keywords: sso, palo alto, pa sso, duo sso, duo mfa, duo, duo security, palo alto 2fa, sso 2fa, duosec, duo access gateway, dag, yt:cc=on
Id: 021p4cItAP8
Length: 10min 46sec (646 seconds)
Published: Thu Mar 15 2018