How to Install Duo Security 2FA for Palo Alto GlobalProtect VPN (RADIUS Configuration)

Captions
- [Matt] Hi, I'm Matt from Duo Security. In this video, I'm going to show you how to protect your Palo Alto GlobalProtect VPN gateway with Duo two-factor authentication. This application uses RADIUS and the Duo Authentication Proxy. Before watching this video, please read the documentation for this configuration at duo.com/docs/paloalto. Note that in addition to this RADIUS-based configuration, you can also protect Palo Alto SSO logins with Duo. Read about the options for that configuration at duo.com/docs/paloalto-sso. Before setting up this Duo integration with Palo Alto, you must have a working primary authentication configuration for your SSL VPN users, such as LDAP authentication to Active Directory. To integrate Duo with your Palo Alto VPN, you will need to install a local proxy service on a machine within your network. Before proceeding, you should locate or set up a system on which you will install the Duo Authentication Proxy. The proxy supports Windows and Linux systems. In this video, we will use a Windows Server 2016 system. Note that this Duo proxy server also acts as a RADIUS server. There is no need to deploy a separate RADIUS server to use Duo. The Palo Alto device in this video is running PAN-OS 8.0.6. The instructions for installing Duo protection via RADIUS on devices running older versions of PAN-OS differ slightly from what is shown in this video. Reference the documentation for more information.

On the system you are going to install the Duo Authentication Proxy on, log in to the Duo Admin Panel. In the left sidebar, navigate to Applications. Click Protect an Application. In the search bar, type palo alto. Next to the entry for Palo Alto SSL VPN, click Protect this Application. Note your integration key, secret key, and API hostname. You will need these later during setup. Near the top of the page, click the link to open the Duo documentation for Palo Alto. Next, install the Duo Authentication Proxy.

In this video, we will use a 64-bit Windows Server 2016 system. We recommend a system with at least one CPU, 200 megabytes of disk space, and four gigabytes of RAM. On the documentation page, navigate to the Install the Duo Authentication Proxy section. Click the link to download the most recent version of the proxy for Windows. Launch the installer on the server as a user with administrator rights and follow the on-screen prompts to complete installation. After the installation completes, configure and start the proxy. For the purposes of this video, we assume that you have some familiarity with the elements that make up the proxy configuration file and how to format them. Comprehensive descriptions of each of these elements are available in the documentation. The Duo Authentication Proxy configuration file is named authproxy.cfg and is located in the conf subdirectory of the proxy installation. Run a text editor like WordPad as an administrator and open the configuration file. By default, the file is located in C:\Program Files (x86)\Duo Security Authentication Proxy\conf\. Since this is a completely new installation of the proxy, there will be example content in the configuration file. Delete this content.

First, configure the proxy for your primary authenticator. For this example, we will use Active Directory. Add an [ad_client] section to the top of the configuration file. Add the host parameter and enter the host name or IP address of your domain controller. Then add the service_account_username parameter and enter the username of a domain member account that has permission to bind to your AD and perform searches. Next, add the service_account_password parameter and enter the password that corresponds to the username entered above. Finally, add the search_dn parameter and enter the LDAP distinguished name of an AD container or organizational unit containing all of the users you wish to permit to log in. Additional optional variables for this section are described in the documentation.

Next, configure the proxy for your Palo Alto GlobalProtect gateway. Create a [radius_server_auto] section below the [ad_client] section. Add the integration key, secret key, and API hostname from your Palo Alto application's properties page in the Duo Admin Panel. Add the radius_ip_1 parameter and enter the IP address of your Palo Alto GlobalProtect VPN. Below that, add the radius_secret_1 parameter and enter a secret to be shared between the proxy and your VPN. Add the client parameter and enter ad_client. Palo Alto does not send the client IP address using the standard RADIUS attribute Calling-Station-ID. A new RADIUS attribute containing the client IP address, PaloAlto-Client-Source-IP, was introduced in PAN-OS version 7. To send the PaloAlto-Client-Source-IP attribute to Duo, add the client_ip_attr parameter and enter paloalto. Additional optional variables for this [radius_server_auto] section are described in the documentation. Save your configuration file. Open an administrator command prompt and run net start DuoAuthProxy to start the proxy service.

Next, configure your Palo Alto GlobalProtect gateway. First, we will add the Duo RADIUS server. Log in to the Palo Alto administrative interface. Click the Device tab. In the left sidebar, navigate to Server Profiles, RADIUS. Click the Add button to add a new RADIUS server profile. In the Name field, enter Duo RADIUS. Increase the timeout to at least 30. We recommend using 60 if you are utilizing push or phone authentication, so we will use 60 in this example. In the dropdown for authentication protocol, select PAP. In the Servers section, click Add. In the Name field, enter Duo RADIUS. In the RADIUS Server field, enter the hostname or IP address of your Duo Authentication Proxy. In the Secret field, enter the RADIUS shared secret used in the authentication proxy configuration. Leave or set the port to 1812, as that is the default used by the proxy. If you used a different port during your Authentication Proxy setup, be sure to use that here. Click OK to save the new RADIUS server profile.

Now add an authentication profile. In the left sidebar, navigate to Authentication Profile. Click the Add button. In the Name field, enter Duo. In the Type dropdown, select RADIUS. In the Server Profile dropdown, select Duo RADIUS. Depending on how your users log in to GlobalProtect, you may need to enter your authentication domain name in the User Domain field. This is used in conjunction with the Username Modifier field. If the Username Modifier is left blank or is set to %USERINPUT%, then the user's input is unmodified. You can prepend or append the value of %USERDOMAIN% to preconfigure the username input. Learn more about both of these items in the GlobalProtect documentation hosted on Palo Alto's website, which is linked in the Duo documentation. Click the Advanced tab and click Add. Select the All group. Click OK to save the authentication profile.

Next, configure your GlobalProtect gateway settings. In the Palo Alto administrative interface, click the Network tab. In the left sidebar, navigate to GlobalProtect, Gateways. Select your configured GlobalProtect gateway. Click the Authentication tab. In the entry for your Client Authentication, in the Authentication Profile dropdown, select the Duo authentication profile you created earlier. If you are not using authentication override cookies on your GlobalProtect gateway, you may want to enable them to minimize Duo authentication requests at client reconnection during one gateway session. You will need a certificate to use with the cookie. Click on the Agent tab. Click the Client Settings tab. Click on the name of your configuration to open it. On the Authentication Override tab, check the boxes to generate and accept cookies for authentication override. Enter a Cookie Lifetime. In this example, we will use eight hours. Select a certificate to use with the cookie. Click OK and then click OK again to save your gateway settings.

Now configure your portal settings. If the GlobalProtect portal is configured for Duo two-factor authentication, users may have to authenticate twice when connecting to the GlobalProtect gateway agent. For the best user experience, Duo recommends leaving your GlobalProtect portal set to use LDAP or Kerberos authentication. If you do add Duo to your GlobalProtect portal, we also recommend that you enable cookies for authentication override on your portal to avoid multiple Duo prompts for authentication when connecting. In the Palo Alto administrative interface, from the Network tab, navigate to GlobalProtect, Portal. Click on your configured profile. Click the Authentication tab. In the entry for your client authentication, in the Authentication Profile dropdown, select the Duo authentication profile you configured earlier. Click on the Agent tab. Click on the entry for your configuration. On the Authentication tab, in the Authentication Override section, check the boxes to generate and accept cookies for authentication override. Enter a Cookie Lifetime. In this example, we will use eight hours. Select a certificate to use with the cookie. Click OK and then click OK again to save your gateway settings. To make your changes take effect, click the Commit button in the upper-right corner of the Palo Alto administrative interface. Review your changes and click Commit again.

Now finish configuring your Palo Alto device to send the client IP to Duo. Connect to the Palo Alto device administration shell. Using the command from step one of the client IP reporting section of the Duo for Palo Alto documentation, enable sending the PaloAlto-Client-Source-IP attribute.

After installing and configuring Duo for your Palo Alto GlobalProtect VPN, test your setup. Using a username that has been enrolled in Duo and that has activated the Duo Mobile application on a smartphone, attempt to connect to your VPN with your GlobalProtect gateway agent. You will receive an automatic push on the Duo Mobile app on your smartphone. Open the notification, check the contextual information to confirm the login is legitimate, approve it, and you are logged in. Note that you can also append a form factor to the end of your password when logging in to use a passcode or manually select a two-factor authentication method. Reference the documentation for more information. You have successfully set up Duo for your Palo Alto GlobalProtect gateway.
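The captions above describe the [ad_client] and [radius_server_auto] sections of authproxy.cfg one parameter at a time. The file below is an added example that assembles those sections in one place; it is not taken from the video or from Duo's documentation. Every value is a placeholder to replace with your own (the hostname, service account, search DN, gateway IP, shared secret, and the three Duo application values). The key names ikey, skey and api_host are the proxy's own names for the integration key, secret key and API hostname, and port is the proxy's documented option for the listening port; they are included here because the captions refer to those values without naming the keys.

```ini
; Added example authproxy.cfg (not from the video). All values are placeholders.

; Primary authentication: bind to Active Directory with a low-privilege
; service account that can search the container named in search_dn.
[ad_client]
host=dc1.example.com
service_account_username=svc-duoproxy
service_account_password=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
search_dn=OU=VPN Users,DC=example,DC=com

; RADIUS listener the GlobalProtect gateway talks to. The proxy checks the
; password against [ad_client] first, then sends the Duo push.
[radius_server_auto]
; Values from the Palo Alto SSL VPN application page in the Duo Admin Panel.
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_WITH_DUO_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
; Only this gateway IP may send RADIUS requests; the secret must match the
; Secret field of the Duo RADIUS server profile on the Palo Alto device.
radius_ip_1=203.0.113.10
radius_secret_1=REPLACE_WITH_RADIUS_SHARED_SECRET
; Use the [ad_client] section above for primary authentication.
client=ad_client
; Read the client IP from the PaloAlto-Client-Source-IP attribute rather than
; Calling-Station-ID, which the Palo Alto device does not send.
client_ip_attr=paloalto
; Default listening port; change it here and in the RADIUS server profile together.
port=1812
```

After saving the file, start the service with net start DuoAuthProxy as in the video. On the Palo Alto side, the RADIUS server profile must agree with this file on three points: the same shared secret, the same port (1812 here), and PAP as the authentication protocol, with the timeout raised to 60 seconds so a push approval on the phone completes before the gateway gives up. Because radius_ip_1 restricts which source may send requests, a gateway whose address is not listed will simply get no reply, which is the first thing to check if authentication hangs.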
Info
Channel: Duo Security
Views: 16,384
Keywords: palo alto, pa 2fa, duo security, duo, duosec, two factor, 2fa, paloalto, globalprotect, pa vpn, duo push, duo 2fa, vpn 2fa, vpn, yt:cc=on
Id: XdUfLzLK_5A
Length: 13min 24sec (804 seconds)
Published: Thu Mar 29 2018