Tutorial: DUO Multi-factor Authentication

Captions
Greetings everyone, my name is Mitch Tinsley, and I'm here to show you today how to set up Duo multi-factor authentication with a Palo Alto Networks firewall.

The first thing we want to do is start out in our Duo dashboard. I've already got my account created within Duo, but I'm going to create a user account, and this username is going to match up with the username of my account that's going to be inside the Palo Alto Networks firewall. So the first thing I'm going to do is create my user when a name, and Mitch happens to be my name, and then I'm going to set up an email account for this user. Save, and then I'll send the enrollment email, and then I'll come over here to my mobile device. The email will come in here in just a second. As you can see, my email just arrived. I'll come down here and we'll start the process. Start the setup, say this is my tablet, I'm on Android, and I do have Duo Mobile installed, so I'll tell it I do right there. OK, now this is where, because I'm on my tablet, I can actually scan the same QR code. OK, so I'm going to have an activation link emailed to me instead, for the same email. There, it came in, and I'll click the link, open it in Duo Mobile, and now the account's been added. So the mobile device portion is done.

So back in my Duo panel, the next thing I need to do is add an application. This will be the application representing the Palo Alto Networks firewall. Now if you look through the list, there is a Palo Alto entry for the SSL VPN. We're going to use the same one, even though we're not going to be implementing SSL VPN multi-factor authentication in this particular demo. The key thing now is done. Now I've got this integration key, secret key and API hostname. We'll come back to this in a moment.

What I need to do right now, however, is capture the SSL certificates from this Duo web page. Since I'm using Chrome, nowadays you have to hit F12 in order to view the certificate. What I want to see is the certificate, your certification path. I'm going to grab this top and this intermediate certificate and export them out to my PC and save them so that I can import them into the Palo Alto Networks firewall. Save both of these as Base64-encoded. We'll call this the root cert. Next, finish, and then I'll click OK here, and then I'll grab the intermediate certificate and export him as well, Base64-encoded, and I'll call this one intermediate. All right, that part is done, so I can close that.

Now we'll come over to the Palo Alto Networks firewall, and I'm going to import those certificates that I just saved. So import from certificates. This one is going to be the root, I'll call this Duo's root, and the next one I'm going to import is intermediate. There we go, perfect. Now that I have those two certificates imported, I'm going to add them to a certificate profile. We'll call this Duo service, add in the root, and I'll add in the intermediate, and make sure that I don't have any spaces. I could go through and fill out the rest of these options here, but for this demo this is sufficient.

Now, in order for us to leverage the multi-factor authentication, we're going to go to a policy and create an authentication policy, which is essentially like a captive portal. But for that captive portal page I'm going to need another certificate. I'm going to call this my CP, for captive portal, cert. The common name I'll make the name or the IP address of my firewall's traffic interface that will be intercepting the session from the user. This is going to be self-signed, I'll check Certificate Authority, and then I'll click OK. All right, now that I've clicked OK, so let's generate, my certificate has been created. Now I'm going to add that certificate to an SSL/TLS service profile, and we'll call this our CP SSL, for captive portal, and I'll use my CP cert there. Excellent.

Now what I want to do is add in, I'm still in the Device tab, the multi-factor authentication for Duo. We'll call this Duo MFA. I'll pick the certificate profile containing the Duo certificates. I'll be using Duo version 2, and now it's asking me for this information that we saw on our Duo portal a moment ago. So I'm going to start with the API host, which I'll pull from here. Next I'll go to the integration key, and next I'll do my secret key. Everyone close your eyes really quickly. Good job, you closed your eyes and I copied the key, and I'll paste it in there and we'll click OK.

Next down on the list, I'm going to create a user account that matches my username in the Duo portal, so this will be Mitch, and I do have to give him just an internal password. Now this doesn't have to be a local account, you could use external accounts, but for simplicity's sake I'm using local. Then I'm going to add that user to an authentication profile. We'll call this local users, and notice it'll reference the local database. Now I'm going to come over here and add in some factors. The factor I want to add is Duo MFA, the one I created just a moment ago, and I specify which users will be allowed. I'll say all from the local accounts database and click OK.

The next thing we need to do is configure the captive portal that will intercept the user session, giving them the multi-factor authentication challenge. To do that we're going to go to User Identification, and we'll come over to the Captive Portal Settings tab. Here we'll enable captive portal, we'll pick our CP SSL/TLS service profile, and then our local users authentication profile. Next we're going to choose our mode as transparent or redirect: transparent if your traffic is going through a Layer 2 or a vwire interface. Since mine are going through Layer 3 interfaces, I'll choose redirect, and my redirect host is going to be an interface IP address on my firewall.

There's something important here, let's go look at that, because this is an easy thing to overlook on this interface. This is going to be my inside interface, and you can see it's got that one 9.1 IP address. I have to add an interface management profile, and to this interface management profile make sure you have response pages turned on. If you forget this, the user will not get a page for the MFA challenge.

The next thing I need to do is come over to the Objects tab and scroll down. We're going to create an authentication object, and I'm going to call this Duo challenge. The authentication method we're going to choose is going to be a web form, and then the authentication profile is going to be my local users. Click OK.

The last thing I'm going to do is come over to my Policies tab and scroll down until I get to the authentication policy. This is a new version 8.0 item. Now I'm going to add my rule, and like any other policy within the Palo Alto Networks firewall it's got a name, some source criteria and destination criteria, and an action. So we're going to call this MFA from test source, and the source is on my inside network. Also be sure you enable User-ID on the ingress zone. His IP address is going to be 50, and we're just going to make him forcefully authenticate before he gets out to the web, and we'll use our Duo challenge here. Click OK and commit. After the commit we'll test it out.

All right, our commit finished, now let's go test it. Open a browser on the system I want to force to authenticate, go to our website. Oh, and we've got this redirect, let's see where it's taken us. OK, this certificate has got the same common name as the one I set up in my captive portal policy, and sure enough, look, I've got this login required. So let me type in my name and my password, and I heard my Android just say, hey look, you have a login prompt. I'll approve. Oh, and it went away. I'm going to do that one more time and confirm, and now we'll come back and see authentication complete, and we're at our website.

So there we showed you how to set up multi-factor authentication using Duo, how to set up the Duo application, how to secure the Palo Alto firewall as an application within the Duo portal, and then also how to create certificates within the Palo Alto Networks firewall, how to create SSL/TLS profiles, how to create a captive portal setup under the User-ID section, and then how to create an authentication policy and implement it. I hope you found this tutorial helpful and informative, and we'll see you next time. Bye.
Info
Channel: Palo Alto Networks LIVEcommunity
Views: 26,786
Keywords: MFA, DUO, multifactor authentication, 2-factor, authentication, captive portal
Id: 5kTOOHVE_-o
Length: 12min 26sec (746 seconds)
Published: Thu Apr 13 2017