topic GlobalProtect with Azure MFA setup in GlobalProtect Discussions

GlobalProtect with Azure MFA setup

CharlesHanley — Tue, 08 Dec 2020 13:39:25 GMT

Good Morning Everyone,

Has anyone had any luck setting up MFA on the Palo Alto with Global Protect with Microsoft Azure MFA (Hybrid) I tried opening a ticket with the support team and they said they had no clue how to setup but could support it if broken and told me a "Sales" Engineer would reach out to me sometime that day. That was 4 business days ago.

I have been reading articles but have not had luck with them. Anyone have an Idiots guide to setting up Microsoft Azure MFA with Global protect?

PA Version: 8.1.15

Global Protect Client: 5.1.1

Re: GlobalProtect with Azure MFA setup

JasonMatherly — Thu, 10 Dec 2020 00:45:54 GMT

we have global protect deployed with azure mfa authentication. its not fool proof as occasionally the firewall does not even try to send the auth requests out via the specified interface, for that we have to modify our authentication server profile, commit the change, and then magically the firewall starts sending the authentication requests out again. we setup a job with octopus that makes api calls to see if we have a certain number of unique login failures in a specified amount of time to do this programmatically.

that all being said, just setup a new RADIUS server profile and use that as your authentication source for the 3rd party mfa to work.

edit- apparently they have a KB article for this now as well for your step by step: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkkCAC

Re: GlobalProtect with Azure MFA setup

CharlesHanley — Thu, 10 Dec 2020 13:18:38 GMT

@JasonMatherly

I thought about that however As of July 1, 2019, Microsoft no longer offers MFA Server for new deployments.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-dir-radius

I did talk to one of the local Sales engineers and they recommended the following https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE

This is a good solution to bring us online and meet the short requirements I have for deployment however because we are in a hybrid Azure it does rely on the Windows Authentication Passthrough servers to be 100% functional. If they go down we cant sign in. fun times. I am still working on the radius part but at least now i have a backup plan to bring us online.

Re: GlobalProtect with Azure MFA setup

saraya — Tue, 15 Dec 2020 04:57:30 GMT

In case you are deploying this setup for Linux clients, you might want to consider upgrading to the Global Protect 5.1.6 version. GPC-11090 Fixed an issue where, when the GlobalProtect app was installed on Linux, users were not able to authenticate through SAML authentication when Microsoft Azure was used as the identity provider (ldP).