topic Re: VPN Two-Factor Authentication integration into PAN ? in General Topics

VPN Two-Factor Authentication integration into PAN ?

gafrol — Tue, 12 Feb 2013 11:20:06 GMT

Hello all,

recently I learned the Two-Factor Authentication solution from DUO Security. Basically it requires a PAN FW, an AD/Radius Proxy software provided by DUO Security and an Account/API Key.

The Proxy software is the interface between AD/Radius and DUO Servers.

Since PAN already connects to an existing AD/Radius I am asking myself whether it would make sense to integrate the "proxy software" into PAN ? This would just require to enter the API Key in order to communicate with the DUO Servers on 443 and the extra proxy software is not required anymore.

This is valid for other Cloud OTP vendors as well, same technology.

I remember that a competitor in the firewall market did have or still has such a feature built in.

What do you think ? Is this worth a feature request ?

rgds

Roland

Re: VPN Two-Factor Authentication integration into PAN ?

mikand — Wed, 13 Feb 2013 06:06:50 GMT

To me it sounds odd that you need to install a "proxysoftware" in order to be able to speak to the authserver.

The authserver should be able to speak standardized protocols such as radius for the authentication.

That is the client sends its credentials to the PA device. The PA device uses radius to ask the authserver (the OTP device) if the stuff the client sent is ok or not and then the authserver replies to this request which the PA will then either grant or deny access for the client.

Look here for some info on the topic (integration between nordicedge and PA devices for use of OTP): Strong authentication for Palo Alto Secure Access SSL VPN Solutions | Nordic Edge | The Provider of Secure Identity Solutions

Re: VPN Two-Factor Authentication integration into PAN ?

gafrol — Wed, 13 Feb 2013 07:15:33 GMT

Well actually that was not my point, but even with NordicEdge (now McAfee) you need a local installation of a piece of software, they call it OTPServer same thing.

Re: VPN Two-Factor Authentication integration into PAN ?

mikand — Thu, 14 Feb 2013 06:57:15 GMT

Yes but this server is the authserver itself, not a proxy that needs to be installed on the component asking for authorize incoming clients.

Re: VPN Two-Factor Authentication integration into PAN ?

gafrol — Thu, 14 Feb 2013 07:16:27 GMT

Same is true for the Duo Security Solution, don't get confused by product names.

Re: VPN Two-Factor Authentication integration into PAN ?

mikand — Fri, 15 Feb 2013 08:07:31 GMT

ahh, sorry about that 🙂

Re: VPN Two-Factor Authentication integration into PAN ?

gafrol — Tue, 19 Feb 2013 15:07:29 GMT

Today I have configured and tested the Duo Security Two Factor Authentication with Global Protect and it works like a charm. All in all it took me about 45Mins. to get everything working (mostly because of waiting for the commit to be finished 🙂

Means installing and configuring the Authentication Proxy Software provided by Duo on the Windows server, registering for a free Duo Account (up to 10 users free) and reconfiguring the PAN Firewall to use the authentication proxy as a Radius Server.

I really like the Duo Push functionality which makes it very easy and secure for an enduser to authenticate to the GP VPN.

I would love to see this integrated into the PAN Firewall out of the box as with this approach the authentication proxy would be obsolete.

Roland

Re: VPN Two-Factor Authentication integration into PAN ?

JKoss — Wed, 29 May 2013 20:28:37 GMT

Were you able to get the duo to work with the default integration (radius_server_iframe)? I was told to drop back to using the radius_server_concat method, which is a bit rough around the edges.

My problem was that the global protect authentication dialog for the second factor would pop up with script in the prompt....

Thanks,

Re: VPN Two-Factor Authentication integration into PAN ?

gafrol — Wed, 29 May 2013 21:01:14 GMT

You have to use the radius_server_concat method. The iframe method is needed for web based portal authentication like Citrix Access Gateway and such.

Example config:

[main]

client=ad_client

server=radius_server_concat

[ad_client]

host=IP_ADDRESS_OF_AD_SERVER

service_account_username=AD_USERNAME

service_account_password=AD_USERNAME_PASSWORD

search_dn=dc=COMPANY,dc=COM

[radius_server_concat]

api_host=API_HOST_ID.duosecurity.com

ikey=INTEGRATION_KEY

skey=SECURITY_KEY

failmode=safe

radius_ip_1=PAN_FW_IP_ADDRESS

radius_secret_1=RADIUS_PASSWORD

Re: VPN Two-Factor Authentication integration into PAN ?

JKoss — Thu, 30 May 2013 12:53:47 GMT

Thanks for the quick response-- that looks exactly like what I have configured.

I'm just not sure about the need to specify the method (SMS,PUSH, etc.) on the password line. Change is hard when it comes to stuff like this and our users!

Still, it is a very flexible system and seems like a good fit for us outside of that one issue...

Re: VPN Two-Factor Authentication integration into PAN ?

gafrol — Fri, 31 May 2013 07:24:20 GMT

I'm just not sure about the need to specify the method (SMS,PUSH, etc.) on the password line. Change is hard when it comes to stuff like this and our users!

That's what I call a flexible system. We have a customer who decided to allow non privileged users to save password,push in the GP client and have them approve the authentication request on their smartphone. That's convenient.

Re: VPN Two-Factor Authentication integration into PAN ?

hsnetworks01 — Fri, 31 May 2013 07:47:41 GMT

We tested solution SecurAccess from company SecurEnvoy. Is working well wilt PA for WIN/MAC GP. This is one solution where is possible use own GSM gateway for send SMS I found and reason I am writing.

Only I can't use native GP on Android phone for two auth currently.