article Nominated Discussion: Configure a second DUO for PA firewall MFA in General Articles

article Nominated Discussion: Configure a second DUO for PA firewall MFA in General Articles https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-configure-a-second-duo-for-pa-firewall-mfa/ta-p/540908 <P>This Nominated Discussion Article is based on the post "<A href="https://live.paloaltonetworks.com/t5/general-topics/configure-second-duo-for-pa-firewall-mfa/m-p/539953" target="_blank" rel="noopener">Configure second DUO for PA firewall MFA</A> " by <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/166658">@boblin</a> and responded to by <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603">@Raido_Rattameister</a> , <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/77347">@TomYoung</a> , <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>. Read on to see the discussion and solution! Make sure to check out the document <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/166658">@boblin</a> created and linked at the bottom to assist other users !</P> <P> </P> <DIV class="lia-message-template-content-zone"> <BLOCKQUOTE> <P>We have configured a DUO Proxy server for PA firewall MFA and it works. We also configured the second DUO proxy server for redundancy. However, we don't know how to configure PA firewall to fail-over to the second DUO in a case the primary DUO proxy server is down. Any help?</P> </BLOCKQUOTE> <P> </P> <P>You need to add auth sequence under <STRONG>"Device > Authentication Sequence"</STRONG></P> <P>Add both RADIUS profiles there. Configure GlobalProtect auth to use previously configured sequence.</P> <P>Check how many retries and timeout your RADIUS profiles have configured under <STRONG>"Device > Server Profiles > RADIUS"</STRONG>.</P> <P> </P> <P>Let's assume that you have 2 attempts with 20 seconds timeout.</P> <P>This leaves 20 seconds for secondary RADIUS server as GlobalProtect will time out in 60 seconds by default.</P> <P> </P> <P>You might want to extend GP timeout.</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMD5CAO" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMD5CAO</A></P> <P> </P> <P> </P> <BLOCKQUOTE> <P>Is it possible to configure active/active or balance? If so how to do it?</P> </BLOCKQUOTE> <P> </P> <P>The easiest way to configure redundancy for the same protocol is to add multiple servers in the RADIUS Server Profile. However, this will not load balance. The NGFW will try each one from the top down.  <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClqECAS" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClqECAS</A></P> <P> </P> <P> </P> <BLOCKQUOTE> <P>I have configured the second DUO proxy server, but it doesn't work. To troubleshooting, what would you do? Perhaps, where I can check the logs?</P> <P> </P> <P>I find authproxy.log and it shows:</P> <P>2023-04-26T15:56:36.843265-0500 [duoauthproxy.lib.log#info] Duo Security Authentication Proxy 5.7.4 - Init Complete<BR />2023-04-26T16:08:57.409802-0500 [-] (UDP Port 1812 Closed)<BR />2023-04-26T16:08:57.409802-0500 [-] Stopping protocol <duoauthproxy.lib.forward_serv.DuoForwardServer object at 0x0000028A1FE91E80><BR />2023-04-26T16:08:57.409802-0500 [-] Main loop terminated.<BR />2023-04-26T16:09:05.780813-0500 [-] DuoForwardServer starting on 1812<BR />2023-04-26T16:09:05.780813-0500 [-] Starting protocol <duoauthproxy.lib.forward_serv.DuoForwardServer object at 0x0000021AA5B81CA0><BR />2023-04-26T16:09:05.876008-0500 [duoauthproxy.lib.log#info] FIPS mode is not enabled<BR />2023-04-26T16:09:05.876008-0500 [duoauthproxy.lib.log#info] Reactor in use: <twisted.internet.selectreactor.SelectReactor object at 0x0000021AA32785E0><BR />2023-04-26T16:09:05.876008-0500 [duoauthproxy.lib.log#info] AD Client Module Configuration:<BR />2023-04-26T16:09:05.876008-0500 [duoauthproxy.lib.log#info] {'host': '10.0.0.58',</P> </BLOCKQUOTE> <P>To troubleshoot:</P> <P><EM>Can you authenticate to the secondary RADIUS server that you created separate from the authentication sequence that you configured (create a temporary Authentication Profile with just the new config if needed)? </EM></P> <P> </P> <P>Via the CLI you can do this with the <STRONG>'test authentication authentication-profile <profilename> username <username> password'</STRONG> command to verify that it just isn't an issue on that secondary node.</P> <P> </P> <P>You can auto review the authd log file by using <STRONG>'less mp-log authd.log'</STRONG> on the CLI as well. </P> <P> </P> <BLOCKQUOTE> <P>The second DUO Proxy server configuration is correct and works if I don't use <SPAN>authentication sequence</SPAN>. For example, the first duo proxy IP is 10.0.0.119</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="boblin_0-1682557839831.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49813i673ABECE7CC656FF/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="boblin_0-1682557839831.png" alt="boblin_0-1682557839831.png" /></span></P> <P> </P> <P>in RADIUS Server profile, if you change the IP to second DUO proxy 10.0.0.183, it works. </P> <P>If in Authentication Profile, I have two profiles.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="boblin_1-1682558198277.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49814i328CB9C297F35B43/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="boblin_1-1682558198277.png" alt="boblin_1-1682558198277.png" /></span></P> <P>and <SPAN>authentication sequence has two profiles. </SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="boblin_2-1682558226184.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49815iAC93F822CCC6DCE5/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="boblin_2-1682558226184.png" alt="boblin_2-1682558226184.png" /></span></P> <P> </P> <P> </P> <P>Only DUO Profile works. If I stop the first duo proxy server, it doesn't work. </P> <P>How do you run <SPAN>'test authentication authentication-profile'? I keep getting Invalid syntax.</SPAN></P> </BLOCKQUOTE> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="boblin_3-1682559055371.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49816iFCA25A6B66286D7F/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="boblin_3-1682559055371.png" alt="boblin_3-1682559055371.png" /></span></P> <P> </P> <P> </P> <P>Based on your screenshot, you have a 120 seconds timeout.  That is an eternity!</P> <P> </P> <P>For failover to ever happen it would take 3x120 seconds.</P> <P>GlobalProtect will wait only 60 seconds by default until it times out.</P> <P> </P> <P> </P> <BLOCKQUOTE> <P>I have two DUO profile in the authentication sequency and it works. However, it seems to me this is active/passive. How can we setup active/active or balance?</P> </BLOCKQUOTE> <P> </P> <P>Active/Active can be only set if RADIUS profile points to NAT policy in Palo and this NAT policy has dynamic destination IP with session distribution. But it will not check if destination is live or not. DNAT is just round robin or least session etc basis.</P> <P> </P> <P>There's no other way to set active/active.</P> <P>Utilizing NAT with session distribution is kind of a hack that you can use if you really need active/active.</P> <P> </P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/configure-nat/configure-destination-nat-using-dynamic-ip-addresses" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/configure-nat/configure-destination-nat-using-dynamic-ip-addresses</A></P> <P> </P> <P>Here's a step by step guide <STRONG>(full credits to the author <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/166658">@boblin</a> for making this)</STRONG>:</P> <H3 class="entry-title"><FONT size="4"><A href="http://www.howtonetworking.com/blog/2023/04/17/how-do-we-configure-two-duo-proxy-servers-for-palo-alto-firewall/" target="_blank" rel="noopener">Configure two duo proxy servers for Palo alto firewall MFA redundancy</A></FONT></H3> <P> </P> </DIV> Thu, 04 May 2023 18:36:30 GMT kiwi 2023-05-04T18:36:30Z Nominated Discussion: Configure a second DUO for PA firewall MFA https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-configure-a-second-duo-for-pa-firewall-mfa/ta-p/540908 <P>This Nominated Discussion Article is based on the post "<A href="https://live.paloaltonetworks.com/t5/general-topics/configure-second-duo-for-pa-firewall-mfa/m-p/539953" target="_blank" rel="noopener">Configure second DUO for PA firewall MFA</A> ".</P> Thu, 04 May 2023 18:36:30 GMT https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-configure-a-second-duo-for-pa-firewall-mfa/ta-p/540908 kiwi 2023-05-04T18:36:30Z