topic Protecting Admin UI with Duo MFA in Next-Generation Firewall Discussions

Protecting Admin UI with Duo MFA

RobBoydCFCU — Wed, 21 Dec 2022 20:14:08 GMT

I'm attempting to setup Duo MFA with the admin UI of a PA-3220 running PAN-OS 10.2, but have been unsuccessful. I've found that the guide, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/configure-multi-factor-authentication/configure-mfa-between-duo-and-the-firewall, is referencing the Duo Access Gateway which is being sunset; new Duo applications using a DAG can no longer be created. Is there any guidance available that includes setting up MFA with PAN-OS 10.2 with Duo SSO?

Re: Protecting Admin UI with Duo MFA

Raido_Rattameister — Thu, 22 Dec 2022 03:30:43 GMT

Config should not be any different on firewall side.

If DUO part is unclear then set up DAG profile style and then clone it to new hosted SAML profile.

Re: Protecting Admin UI with Duo MFA

RobBoydCFCU — Thu, 22 Dec 2022 14:18:33 GMT

I have an existing DAG profile style application in Duo that I converted to a SAML profile and attempted to use that without success. The firewall side was setup pretty much as described in the current guide.

I'll post a screenshot of a failed logon attempt when I can have someone test this configuration again.

Re: Protecting Admin UI with Duo MFA

Raido_Rattameister — Thu, 22 Dec 2022 14:42:32 GMT

Did you download xml config file from new SAML profile in DUO, imported it into Palo "SAML Identify Provider" and changed auth to use this new profile?

Re: Protecting Admin UI with Duo MFA

RobBoydCFCU — Thu, 22 Dec 2022 14:43:43 GMT

Yes.

Re: Protecting Admin UI with Duo MFA

RobBoydCFCU — Thu, 22 Dec 2022 14:53:21 GMT

The error that's produced when a user attempts to log in using SSO indicates the AssertionConsumerServiceURL does not match any configured Assertion Consumer Service URLs. The URL in question is using the internal IP address of the firewall. I'm not sure how that IP address made it into the URL; the application configuration does not specify it.

Re: Protecting Admin UI with Duo MFA

RobBoydCFCU — Thu, 22 Dec 2022 16:35:38 GMT

I've resolved the ACS URL issue (misconfigured from the original DAG application somehow). Now, I just need to accounts not authenticating at the Duo SSO sign-in. Seems to be more of a Duo configuration issue than on the firewall.

Thanks for the assistance!

Re: Protecting Admin UI with Duo MFA

Gustavo_Arevalo — Wed, 12 Mar 2025 21:49:14 GMT

What was the solution for the ACS URL issue?

Re: Protecting Admin UI with Duo MFA

RobBoydCFCU — Thu, 13 Mar 2025 15:22:04 GMT

Unfortunately, I don't recall as it was some time ago and I've since migrated us off SAML to RADIUS, using Duo, so we have MFA coverage for gui and cli access.

I would suggest creating a new topic with details of you specific issue if you haven't already.

Re: Protecting Admin UI with Duo MFA

Raido_Rattameister — Thu, 13 Mar 2025 15:43:39 GMT

If you use "Generic SAML Service Provider - Single Sign-On" then you can add up to 10 different ACS URLs under same application.