Tutorial: Okta Multifactor Authentication

Captions
[Music] Greetings everyone, my name is Mitch Stanley with the Palo Alto Networks Education Delivery department, and today I'm here to show you a tutorial on how to set up multi-factor authentication within a Palo Alto Networks firewall using Okta. The first thing we're going to do in the Okta portal is create a user and enroll them, as well as add an application and assign that user to that application. Then we're going to make note of several key components, namely the API address, a secret token, and our particular organization subdomain, and I'll show you how to find those. Next we'll take a capture of the Okta certificates that are running on the Okta portal, as well as the root certificate above that Okta certificate; we'll import those into our firewall. Then we'll create a captive portal certificate, which we'll use later to set up the captive portal window and to secure traffic from users to that captive portal window for the purposes of authentication. Then we'll create a certificate profile containing those Okta certificates we imported earlier. Next we'll create an authentication server profile for multi-factor that contains Okta. Next we'll create an SSL/TLS service profile with that captive portal certificate. Then we'll create a user in the firewall matching the same username and password that was created in the Okta portal. Now, if you're using Active Directory in more of an enterprise environment, you probably wouldn't create local user accounts like I'm going to do in this tutorial; you would reference Active Directory accounts via LDAP, or some other directory of users which the firewall can reference, and those user accounts can also be added into the Okta portal. Next we'll create an authentication profile and we'll add Okta as an MFA factor. Then, in the User-ID section, we'll set up our captive portal settings, which will contain the SSL/TLS service profile we created earlier as well as the authentication profile, and then we'll set up redirect.

Now, captive portal supports two different modes, one being transparent, the other being redirect. Redirect you would use if users' traffic is coming from Layer 3 interfaces; transparent you would use if users' traffic is coming across a Layer 2 or a virtual wire interface. However, captive portal multi-factor authentication is not supported in transparent mode, only redirect mode, so keep that in mind as you're designing this. Next we'll make sure the interface that the user traffic is coming in on has response pages turned on in an interface management profile. We'll enable User-ID on the zone that has the users' traffic coming into the firewall. We'll create an authentication object, then we'll create an authentication policy rule referencing that object, and then we'll test it out.

To set the stage here, I want you to see this network diagram. Essentially we have a firewall in the middle, a user on the left, and the user wants to browse to a server inside of our DMZ. However, this server does not have secure authentication, just HTTP, so we're going to perform authentication step-up using the firewall to force the user to browse over SSL (and that's where the redirect comes in), then authenticate first to the firewall. The firewall will then issue the user a multi-factor challenge; it will pass that to the Okta servers, the Okta servers then forward that to the user's mobile device, the user satisfies the challenge on the mobile device, Okta then sends the firewall back the go-ahead, and the user's traffic is then redirected through the firewall to the native address of the server in the DMZ the user was trying to go to.

Right here we are in the Okta portal. Now, I'm not going to be able to show you everything there is to know about this portal, but I'm going to hit a couple of highlights. The first thing I want to do is add an application, and the application we're going to look for is called Okta Verify. Now, at this stage it wants to assign some users, but I'm going to do that later, so I'm just going to click Next. Under Directory I'm going to go to People, and I'm going to add a user, or a person, and I want to send the activation email, and I'll say Next. I can open up that account and assign this person to the Okta Verify application. Something I also forgot: I want to assign this user to a particular group called Test Users. Now, under Security you've got several things you could set up. I'm not going to go through all of them, but I'm going to scroll through really quickly so you can kind of see how I've got mine set up currently. [Music] Now, I have created an MFA test policy for my Test Users, which is now active, and because it's based on a group and the user I just created belongs to this group, that's now applicable to that person as well. This will be a nice way for us to test that the multi-factor authentication push is working when the user tries to log into the Okta portal, and we'll do this long before we actually set up the multi-factor authentication in the Palo Alto Networks firewall, just to make sure that the client and the push and the mobile app are all working as we expect, to rule out any potential problems.

All right, next what we want to do is come down here to the Multifactor section. We see we've got Okta Verify enabled with push notification, and under the factor policies we have an MFA policy for Okta Verify with push assigned to my Test Users. One thing I do want to change here is this rule: I'm going to edit it to make it so that the user is enrolled in multi-factor the first time they sign into Okta. All right, now under Security we're going to come down here to API and then Tokens, and we're going to create a token that authenticates the Palo Alto Networks firewall as it talks to the Okta portal. We also need to record our URL to the Okta portal; I'll just save this here. The subdomain is basically going to be everything right up until okta, whatever it is, so that's mine. And the token, let's create that now, and we'll copy this token down. You only get to see the token once, so put it someplace secure so you can add it later.

Before we check the user, I want to do one more thing: I want to capture the certificates above this Okta portal. Since I'm using Chrome, I have to hit F12 and then, over under Security, view certificate, and here I can see this particular certificate. I'm going to copy it to a file. Palo Alto Networks requires certificates to be Base64 encoded. I'm going to put this in my Downloads/okta-certs folder; we'll call this okta.com. Next I'm going to come to Certification Path, select the intermediate certificate, and we'll do the same thing, and then the root as well.

All right, let's see what our user receives. Okay, so our user got an email from Okta to activate the user's account and set a password. All right, after creating the user's password and putting in a security question, we're prompted to set up multi-factor authentication based on that rule we had set up earlier, so I want to configure my factor. I've already got my device type selected and I've already downloaded the Okta Verify app, so I'm just going to click Next. I don't have the ability to scan the barcode, so I want it to send me an activation link via email. [Music] Then I'll just go back to my email and click the link here, which then enrolls my device. All right, once you see this all counting down, that means everything is pretty much set up. Let's test it, shall we? Okay, I'll send the push and then approve, and I'm logged in. So this confirmed that we have our user created, the user has a mobile device set up properly, and the push is working properly. So now let's move over and configure the Palo Alto Networks firewall to do the multi-factor authentication push.

Okay, so we've logged into the Palo Alto Networks firewall now, and the first thing we want to do is import those certificates from Okta. So I'm going to come in and click Import; we're going to call this the okta.com certificate, we'll browse for it, and then click OK. We're going to import now the intermediate, and then lastly we will import the root. All right, when you see the three laid out like this, we know we're in a good state. The next thing we need to do is generate a certificate to be used for our captive portal, so I'll call this my CP-cert. The common name could be either an IP address of the traffic interface that your users would be browsing through, or it could be a DNS name; I'm going to use an IP address just to keep things simple. Now, because this will be a self-signed certificate, I would click Certificate Authority. However, in an enterprise environment, if you have your own PKI, you will be strongly encouraged to instead generate a certificate signing request, export that CSR, have a certificate generated based on the CSR by your PKI or your certificate authority person, and then re-import that certificate matching the exact same name, to marry the private key, which will only be stored in the firewall, with the certificate generated by your external authority. But for now I'm just going to keep this simple as Certificate Authority. Next, we can add some different attributes if we want, really just to help users understand who's responsible for the certificate and where it came from. One thing to keep in mind: hostname and IP are subject alternative names, so if you put in a DNS name here you can always populate the IP as well, to make sure that the URL or address the users are browsing to matches either the subject alternative name or the common name of the certificate. For now I'm going to leave these blank and simply click Generate.

All right, now that's been created, the next thing I want to create is a certificate profile that contains those DigiCert certificates, so I'm going to call this simply okta-certs and then add in both of those two, DigiCert root and DigiCert intermediate. Now, there's a lot of settings you can apply here; however, I'm going for simplest just for this tutorial, so that's sufficient. The next thing I want to do is use that captive portal certificate I created, and I'll put this into an SSL/TLS service profile, which we'll call CP-TLS, and the certificate we choose is going to be our CP-cert. Then we could specify a higher TLS version if we want, but I'm just going to keep it simple and click OK. Next we're going to scroll down in the Server Profiles section; you'll see Multi Factor Authentication. We're going to click Add here and we're going to call this our okta-MFA. We're going to reference the okta-certs certificate profile we created, and then this will be of the Okta Adaptive type. Now it's asking for an API host; we recorded this earlier as the URL, we copy that, then our token, then our subdomain, and click OK.

Now we're going to add the user account to the firewall. In an enterprise environment you would probably be better off to reference Active Directory accounts via LDAP and add that in via the LDAP server profile, then create an authentication profile referencing this LDAP profile; however, I'm going to keep things simple and use merely local accounts. I'm going to make this local account match the account name I created within Okta; however, notice I can only use a simple username, I can't use the full email address or UPN username, so I'm just going to do what I can, which is to match the password, and click OK. Next I'm going to come up and create an authentication profile. This will reference our local database; I'm going to call this okta-auth. Under Factors we're going to check this new box, Enable Additional Authentication Factors, and we're going to add in our okta-MFA that we created earlier. We'll go to Advanced and then add in that firewall operator user we created just a moment ago, and click OK.

Next let's go set up our captive portal. Under User Identification, Captive Portal, we'll click the gear here. We'll reference first off our SSL/TLS service profile we created earlier, then the authentication profile we just created. Now we have two options of mode, transparent or redirect. Transparent is only useful for Layer 2 traffic or V-Wire traffic; however, multi-factor authentication will not work for transparent mode at this time, so for multi-factor authentication we must use redirect, and then provide a firewall interface IP address to redirect the users to, to satisfy the authentication challenge, and then they'll be redirected back to their intended destination. So I'm going to put in the same IP address that matches my captive portal certificate's common name, and I'll click OK. Then I'm going to come over to the Network tab, and this IP address you see matches here, ethernet1/2. This is where the user is going to be coming from. I have to assign an interface management profile to this interface, and this interface management profile must have Response Pages turned on. For future troubleshooting simplicity I'm also going to add Ping, so we'll call this ping_RSP for response pages, and click OK. All right, now you see also that this interface is assigned to my trust zone, so the trust zone must have Enable User Identification turned on; click OK. We're nearly there.

Next I'm going to come over to Objects, scroll down, find Authentication, and add in a new authentication enforcement object. We'll call this okta-MFA-webform, and we're going to reference that authentication profile we created earlier, and the authentication method in this case is going to be web-form. We'll click OK. The last thing we do is go to Policies; we're going to scroll down until we see Authentication policy, and we're going to create a policy to perform authentication step-up to our DMZ server. So we'll call this auth-step-up-for-DMZ-server, and this is going to be for traffic coming from my trust zone going to my DMZ zone. For the traffic, I could specify service HTTP or HTTPS or add in additional services; however, I'm going to keep it simple and leave it as just service-http, because the server in question only supports HTTP and we want to perform secure authentication before the user gets to that. So we'll click Actions now, and then for our authentication enforcement we're going to choose our okta-MFA-webform, click OK, and commit. The next thing to do is to test it all out.

All right, our commit is finished, so let's test it. Here I've got my client; I'm just going to open a browser and go to the website in question. Notice we get redirected to the interface address on the firewall. Since we're using a self-signed certificate the browser doesn't trust it, but if you generated one using your corporate PKI, that would hopefully be trusted. Now we'll authenticate as firewall operator, provide our password, secondary authentication in progress, there's the prompt to authenticate, I approve, and there we go, the remote system did connect as we expected, and our mobile device helped us authenticate.

So just to recap the steps: we create and enroll a user in the Okta portal, then we add an application and assign a user; we record the API address and secret token as well as our subdomain; export the Okta certificates to a folder and then import them into the Palo Alto Networks firewall; create a captive portal certificate; create a certificate profile containing the Okta certificates, then create a multi-factor authentication server profile; create an SSL/TLS profile for the captive portal certificate; create and add a user inside of the firewall; create an authentication profile and add Okta MFA as the factor for that authentication profile; set up the captive portal, essentially securing the traffic using the SSL/TLS profile which contains the captive portal certificate we created earlier, referencing the authentication profile we created earlier, and setting it up to redirect so that the user's traffic goes to their nearest firewall interface; make sure that that particular interface has response pages turned on; enable User-ID on the zone where the traffic is coming in; create an authentication object with the action of web-form; then create an authentication policy to match the traffic and reference that authentication object we created; and then test it. I hope you enjoyed this video and learned a lot. Thank you so much, we'll see you again soon.
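The tutorial exports the Okta leaf, intermediate and root certificates as Base64 (PEM) files and treats "three certificates laid out" on the firewall as the good state. The following added example (not code from the video or from Palo Alto Networks) checks such a bundle before import: it assumes the three browser-exported PEM blocks were concatenated in leaf, intermediate, root order, and it verifies only the PEM framing and the outer DER length, which is enough to catch a truncated copy/paste; subject/issuer chaining is not checked.

```python
"""Sanity-check an exported Okta certificate chain before importing it into PAN-OS.

Added example, stdlib only. Assumes the bundle holds the three browser-exported PEM
certificates in leaf, intermediate, root order (an assumption, not the tutorial's own).
"""
import base64
import re
from typing import Dict, List

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_bundle(text: str) -> List[str]:
    """Return each certificate in the bundle as normalised 64-column PEM text."""
    certs = []
    for body in PEM_RE.findall(text):
        b64 = "".join(body.split())  # drop any line breaks/whitespace inside the body
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        certs.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                     + "\n-----END CERTIFICATE-----\n")
    return certs


def der_is_well_formed(pem: str) -> bool:
    """True if the PEM body decodes to one complete DER SEQUENCE (no truncation/garbage)."""
    match = PEM_RE.search(pem)
    if not match:
        return False
    try:
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
    except ValueError:
        return False
    if len(der) < 2 or der[0] != 0x30:  # every X.509 certificate starts with SEQUENCE
        return False
    first = der[1]
    if first < 0x80:  # short-form length
        length, hdr = first, 2
    else:  # long-form length: low 7 bits give the number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return len(der) == hdr + length


def chain_ready_for_import(bundle: str) -> Dict[str, str]:
    """Map leaf/intermediate/root to PEM text if exactly three well-formed certs are present."""
    certs = split_pem_bundle(bundle)
    if len(certs) != 3 or not all(der_is_well_formed(c) for c in certs):
        return {}
    return dict(zip(("leaf", "intermediate", "root"), certs))


# Constructed sample input: tiny DER SEQUENCEs standing in for real certificates.
SAMPLE_BUNDLE = "\n".join(
    "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----" for _ in range(3))
TRUNCATED_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQ==\n-----END CERTIFICATE-----"
```

Write each value of `chain_ready_for_import(...)` to its own file (leaf, intermediate, root) and import those three on the firewall; an empty result means one block is missing or was cut off during export.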
Info
Channel: Palo Alto Networks LIVEcommunity
Views: 21,271
Keywords: MFA, Okta, multifactor authentication, 2-factor, authentication, captive portal
Id: wInjTPmVjdg
Length: 21min 54sec (1314 seconds)
Published: Thu Jul 13 2017