How to Install Duo Security 2FA for Palo Alto GlobalProtect VPN (RADIUS Configuration

Hi, I am Matt from Duo Security.

In this video, I am going to show you how to protect your Palo Alto GlobalProtect VPN gateway with Duo two-factor authentication.

This application uses RADIUS and the Duo Authentication Proxy.

Before watching this video, be sure to read the documentation for this configuration at duo.com/docs/paloalto.

Note that in addition to this RADIUS-based configuration, you can also protect Palo Alto SSO logins with Duo.

Read about the options for that configuration at duo.com/docs/paloalto-sso.

Before setting up this Duo integration with Palo Alto, you should have a working primary authentication configuration for your SSL VPN users, such as LDAP authentication to Active Directory.

To integrate Duo with your Palo Alto VPN, you will need to install a local proxy service on a machine within your network.

Before proceeding, you should locate or set up a system on which you will install the Duo Authentication Proxy.

The proxy supports Windows and Linux systems.

In this video, we will use a Windows Server 2016 system.

Note that this Duo proxy server also acts as a RADIUS server.

There is no need to deploy a separate RADIUS server to use Duo.

The Palo Alto device in this video is running PAN-OS 8.0.6.

The instructions for installing Duo protection via RADIUS on devices running older versions of PAN-OS differ slightly from what is shown in this video.

Reference the documentation for more information.

On the system you are going to install the Duo Authentication Proxy on, log in to the Duo Admin Panel.

In the left sidebar, navigate to Applications.

Click Protect an Application.

In the search bar, type palo alto.

Next to the entry for Palo Alto SSL VPN, click Protect this Application.

Note your integration key, secret key, and API hostname.

You will need these later during setup.

Near the top of the page, click the link to open the Duo documentation for Palo Alto.

Next, install the Duo Authentication Proxy.

In this video, we will use a 64-bit Windows Server 2016 system.

We recommend a system with at least one CPU, 200 megabytes of disk space, and 4 gigabytes of RAM.

On the documentation page, navigate to the Install the Duo Authentication Proxy section.

Click the link to download the most recent version of the proxy for Windows.

Launch the installer on the server as a user with administrator rights and follow the on-screen prompts to complete installation.

After the installation completes, configure and start the proxy.

For the purposes of this video, we assume you have some familiarity with the elements that make up the proxy configuration file and how to format them.

Detailed descriptions of each of these elements are available in the documentation.

The Duo Authentication Proxy configuration file is named authproxy.cfg and is located in the conf subdirectory of the proxy installation.

Run a text editor like WordPad as an administrator and open the configuration file.

By default, the file is located in C:\Program Files (x86)\Duo Security Authentication Proxy\conf.

Because this is a completely new install of the proxy, there will be example content in the configuration file.

Delete this content.

First, configure the proxy for your primary authenticator.

For this example, we will use Active Directory.

Add an [ad_client] section to the top of the configuration file.

Add the host parameter and enter the hostname or IP address of your domain controller.

Then add the service_account_username parameter and enter the username of a domain member account that has permission to bind to your AD and perform searches.

Next, add the service_account_password parameter and enter the password that corresponds to the username entered above.

Finally, add the search_dn parameter and enter the LDAP distinguished name of the AD container or organizational unit that contains all of the users you would like to permit to log in.

Additional optional variables for this section are described in the documentation.

Next, configure the proxy for your Palo Alto GlobalProtect gateway.

Create a [radius_server_auto] section below the [ad_client] section.

Add the integration key, secret key, and API hostname from your Palo Alto application's properties page in the Duo Admin Panel.

Add the radius_ip_1 parameter and enter the IP address of your Palo Alto GlobalProtect VPN.

Below that, add the radius_secret_1 parameter and enter a secret to be shared between the proxy and your VPN.

Add the client parameter and enter ad_client.

Palo Alto does not send the client IP address using the standard RADIUS attribute Calling-Station-ID.

A new RADIUS attribute containing the client IP address, PaloAlto-Client-Source-IP, was introduced in PAN-OS version 7.

To send the PaloAlto-Client-Source-IP attribute to Duo, add the client_ip_attr parameter and enter paloalto.

Additional optional variables for this [radius_server_auto] section are described in the documentation.

Save your configuration file.

Open an administrator command prompt and run net start DuoAuthProxy to start the proxy service.

Next, configure your Palo Alto GlobalProtect gateway.

First, we will add the Duo RADIUS server.

Log in to the Palo Alto administrative interface.

Click the Device tab.

In the left sidebar, navigate to Server Profiles, RADIUS.

Click the Add button to add a new RADIUS server profile.

In the Name field, enter Duo RADIUS.

Increase the timeout to at least 30.

We recommend using 60 if you are using push or phone authentication, so we will use 60 in this example.

In the dropdown for authentication protocol, select PAP.

In the Servers section, click Add.

In the Name field, enter Duo RADIUS.

In the RADIUS Server field, enter the hostname or IP address of your Duo Authentication Proxy.

In the Secret field, enter the RADIUS shared secret used in the authentication proxy configuration.

Leave or set the port to 1812, as that is the default used by the proxy.

If you used a different port during your Authentication Proxy setup, be sure to use that here.

Click OK to save the new RADIUS server profile.

Now add an authentication profile.

In the left sidebar, navigate to Authentication Profile.

Click the Add button.

In the Name field, enter Duo.

In the Type dropdown, select RADIUS.

In the Server Profile dropdown, select Duo RADIUS.

Depending on how your users log in to GlobalProtect, you may need to enter your authentication domain name in the User Domain field.

This is used in conjunction with the Username Modifier field.

If the Username Modifier is left blank or is set to %USERINPUT%, then the user's input is unmodified.

You can prepend or append the value of %USERDOMAIN% to preconfigure the username input.

Learn more about both of these items in the GlobalProtect documentation hosted on Palo Alto's website, which is linked in the Duo documentation.

Click the Advanced tab and click Add.

Select the All group.

Click OK to save the authentication profile.

Next, configure your GlobalProtect gateway settings.

In the Palo Alto administrative interface, click the Network tab.

In the left sidebar, navigate to GlobalProtect, Gateways.

Select your configured GlobalProtect gateway.

Click the Authentication tab.

In the entry for your client authentication, in the Authentication Profile dropdown, select the Duo authentication profile you created earlier.

If you are not using authentication override cookies on your GlobalProtect gateway, you may want to enable them to minimize Duo authentication requests at client reconnection during one gateway session.

You will need a certificate to use with the cookie.

Click the Agent tab.

Click the Client Settings tab.

Click the name of your configuration to open it.

On the Authentication Override tab, check the boxes to generate and accept cookies for authentication override.

Enter a Cookie Lifetime.

In this example, we will use 8 hours.

Select a certificate to use with the cookie.

Click OK and then click OK again to save your gateway settings.

Now configure your portal settings.

If the GlobalProtect portal is configured for Duo two-factor authentication, users may have to authenticate twice when connecting to the GlobalProtect gateway agent.

For the best user experience, Duo recommends leaving your GlobalProtect portal set to use LDAP or Kerberos authentication.

If you do add Duo to your GlobalProtect portal, we also recommend that you enable cookies for authentication override on your portal to avoid multiple Duo prompts for authentication when connecting.

In the Palo Alto administrative interface, from the Network tab, navigate to GlobalProtect, Portal.

Click your configured profile.

Click the Authentication tab.

In the entry for your client authentication, in the Authentication Profile dropdown, select the Duo authentication profile you configured earlier.

Click the Agent tab.

Click the entry for your configuration.

On the Authentication tab, in the Authentication Override section, check the boxes to generate and accept cookies for authentication override.

Enter a Cookie Lifetime.

In this example, we will use 8 hours.

Select a certificate to use with the cookie.

Click OK and then click OK again to save your gateway settings.

To make your changes take effect, click the Commit button in the upper-right corner of the Palo Alto administrative interface.

Review your changes and click Commit again.

Now finish configuring your Palo Alto device to send the client IP to Duo.

Connect to the Palo Alto device administration shell.

Using the command from step one of the client IP reporting section of the Duo for Palo Alto documentation, enable sending the PaloAlto-Client-Source-IP client IP attribute.

After installing and configuring Duo for your Palo Alto GlobalProtect VPN, test your setup.

Using a username that has been enrolled in Duo and that has activated the Duo Mobile application on a smartphone, attempt to connect to your VPN with your GlobalProtect gateway agent.

You will receive an automatic push to the Duo Mobile application on your smartphone.

Open the notification, check the contextual information to confirm the login is legitimate, approve it, and you are logged in.

Note that you can also append a form factor to the end of your password when logging in to use a passcode or manually select a two-factor authentication method.

Reference the documentation for more information.

You have successfully set up Duo for your Palo Alto GlobalProtect gateway.

Saved by v4xvgxe526

on Apr 09, 20