Duo Multi-Factor Authentication (MFA)


This video tutorial shows how to integrate Duo multi-factor authentication with a Palo Alto Networks firewall running PAN-OS 8.0 or later, using an Authentication policy to require a second factor at Captive Portal or as an authentication step-up for selected traffic.

D is for Darths.. like Darth Vader and Darth Maul.. 2 of the most powerful Sith that have ever existed. But one thing that those guys did not have to worry about was Multi-Factor Authentication.

D is for Duo, a company that specializes in trusted access with SSO (Single Sign-On) and MFA (Multi-Factor Authentication).

In today's video tutorial, Mitch Densley will be talking about Duo MFA.

Some of the topics that Mitch will be covering in this video tutorial:

  • Create and enroll a user in the Duo portal
  • Import the Duo certificates into the firewall
  • Create the Captive Portal (CP) certificate
  • Create a Certificate Profile containing the Duo certificates
  • Add the Duo MFA server profile
  • Set up Captive Portal under User-ID
  • Create the Authentication object
  • Set up the Authentication policy

Thanks for watching.
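The "Add Duo MFA" step points the firewall at Duo's Auth API with an API hostname, an integration key and a secret key. Before trusting the firewall's own error messages it is worth confirming those three values from a workstation, which means reproducing the request signing the Auth API expects. The script below is an added example, not code from the video, from Palo Alto Networks or from Duo: it builds the signed headers for the key-check and push calls (the hostname and keys are constructed placeholders, to be replaced with the values from the Duo application created for the firewall) and only performs a network call if you invoke `send` yourself.

```python
"""Request signing for Duo's Auth API, the interface a Duo MFA server profile talks to.

Added example: not code from the video, from Palo Alto Networks or from Duo.
The API hostname, integration key and secret key are constructed placeholders
(assumption); take the real values from the Duo application created for the firewall.
"""
import base64
import hashlib
import hmac
import json
import urllib.request
from email.utils import formatdate
from urllib.parse import quote

# Constructed placeholders (assumption). Never commit real Duo keys.
API_HOST = "api-XXXXXXXX.duosecurity.com"
IKEY = "DIXXXXXXXXXXXXXXXXXX"
SKEY = "0000000000000000000000000000000000000000"


def encode_params(params):
    """Sort parameters by name and percent-encode them per RFC 3986 (only '~' stays
    bare). The same string is both signed and sent as the body or query string."""
    return "&".join(
        f"{quote(k, safe='~')}={quote(v, safe='~')}" for k, v in sorted(params.items())
    )


def canonicalize(date, method, host, path, params):
    """The string Duo signs: date, METHOD, lowercase host, path and the encoded
    parameters, one per line. Any mismatch here makes Duo reject the request."""
    return "\n".join([date, method.upper(), host.lower(), path, encode_params(params)])


def sign(date, method, host, path, params, ikey, skey):
    """Authorization is HTTP Basic: user = integration key,
    password = hex HMAC-SHA1 over the canonical string, keyed with the secret key."""
    canon = canonicalize(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode("ascii")
    return {"Date": date, "Authorization": f"Basic {token}"}


def build_request(method, path, params, host=API_HOST, ikey=IKEY, skey=SKEY, date=None):
    """Return (url, headers, body) for one signed call. GET carries the encoded
    parameters in the query string, POST carries them in the body."""
    date = date or formatdate(usegmt=True)  # RFC 2822 date, also signed
    headers = sign(date, method, host, path, params, ikey, skey)
    encoded = encode_params(params)
    if method.upper() == "GET":
        url = f"https://{host}{path}" + (f"?{encoded}" if encoded else "")
        return url, headers, None
    headers["Content-Type"] = "application/x-www-form-urlencoded"
    return f"https://{host}{path}", headers, encoded


def check_request(**kw):
    """GET /auth/v2/check verifies host and keys without involving a user:
    run this first when the firewall reports it cannot reach or authenticate to Duo."""
    return build_request("GET", "/auth/v2/check", {}, **kw)


def push_request(username, **kw):
    """POST /auth/v2/auth sends a push to the user's enrolled device and blocks until
    it is answered; 'result' in the JSON reply is 'allow' or 'deny'."""
    return build_request(
        "POST", "/auth/v2/auth",
        {"username": username, "factor": "push", "device": "auto"}, **kw,
    )


def send(url, headers, body):
    """The only networked step; not called below, so the example runs offline."""
    req = urllib.request.Request(
        url,
        data=body.encode() if body is not None else None,
        headers=headers,
        method="POST" if body is not None else "GET",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for url, headers, body in (check_request(), push_request("alice")):
        print(url, headers, body, sep="\n", end="\n\n")
```

If `send(*check_request())` fails with an HTTP 401, the keys or hostname are wrong and no amount of firewall-side certificate work will help; if it succeeds but the firewall still cannot reach Duo, the problem is on the firewall side (DNS, service route or the Certificate Profile used to validate Duo's API certificate).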

 

27 Comments
L0 Member

jdelio,

 

great post, thank you.

But did you try to use it for global protect VPN ?

 

Thank you!

L7 Applicator

@Zupo.si, I did not try to use this for GlobalProtect. From what I know, this will not work without a proxy.

GP cannot be integrated with Duo yet... (maybe in future releases).

 

Hi @jdelio, I am trying to configure the MFA with Captive Portal in my lab, but I keep receiving the message: "No required ssl certificate was sent". I have performed the exact same configuration as you demonstrate in the video and revised it multiple times, but had no luck in getting it working. Do you have any suggestion? Thank you
L4 Transporter

Hi @jdelio,

 

I did a POC with GP using local user and Duo MFA integration, running version 8, so it's doable. I am also using this on my home lab.

 

I did a writeup in the beta forum, maybe I should clean it up and publish it on live, for general availability 🙂

 

Great video btw!

 

Regards,

Bo

 

 

L1 Bithead

Hi @borising, waiting for the link or the post on Live. Thanks..

Palo Alto Networks Guru
L4 Transporter

@acc6d0b3610eec313831f7900fdbd235 

Regarding the error 'No required ssl certificate was sent', you'll see this when your captive portal has a certificate profile configured. Either remove that or add a suitable certificate to be validated by the firewall using the Certificate profile configured. You do not need to change anything about the SSL/TLS profile.

 

Regards,

Anurag

L2 Linker

Hi @borising,

 

Tried to do the same with MFA and no luck.

Any time I log in, it shows "disconnected" but sends the Duo push. Tried with the local user DB and LDAP. In the client I see "Could not connect to portal", but in the Palo logs:

Authentication Success, since I approve the Duo push.

Same goes for the portal in the web: I enter user/pass, the Duo push is sent, but on screen, before I get the push, it already says invalid user/pass.

Using PAN-OS 8.0.2 and the 4.0.2 client.

 

Thanks

 

 

L4 Transporter

Hi @mike_yand,

 

PAN just released 8.0.3 last night, so I am upgrading my lab firewall to 8.0.3, after which I will check my setup again and report back.

 

I had the same issue on 8.0.2 as you do.

 

If it works on 8.0.3, I will release my howto on live 🙂

 

Regards,

Bo Rising

L2 Linker

@borising sounds like a plan, but I got an answer from Palo that MFA is not supported on GP, since it is designed to work with Authentication policy and only with traffic traversing the firewall.

L2 Linker

I was wondering if this MFA profile can be used to protect my SSH or MS RDP access? If I am using PuTTY for SSH access, how would the MFA be prompted?

L4 Transporter

@jintan MFA can be used in conjunction with GP. The GP client would present the user with a link to the MFA login page.

L2 Linker

Hi @ansharma,

Thanks for your advice. I have configured an Authentication policy to trigger MFA when users access servers via RDP. I was able to get the prompt from GP to authenticate at the portal. However, the Windows RDP connection gets killed the moment GP prompts me to authenticate (as per the attached picture). I am using the default Windows RDP connection tool available in Windows 7.

[Attachment: Screen Shot 2017-07-26 at 12.08.44 PM.png]

 

My MFA policy is working fine for normal http access.

 

Any idea how to overcome this? Thanks. 

L2 Linker

I doubt that MFA can work properly with anything other than HTTP/HTTPS, since to log in you have to authenticate via a web page.

L2 Linker

It should be able to, according to this guide.

L4 Transporter

@mike_yand @jintan Yes, it should. Give me some time to test in the lab.

L7 Applicator

I've done this successfully with SSH (and having the GlobalProtect client installed).  When I attempt to SSH to a particular server, the GP agent alerts with a message that MFA is required before gaining access.  I click and authenticate, and can then connect to the SSH server.  

L2 Linker

I tried on SSH and it was a little different. The session got killed only after I had a successful authentication with the MFA server (using Duo, by the way).

@jvalentine, is it possible to share your GP settings?

L0 Member

If I already have a working GlobalProtect and want to add Duo MFA, what steps do I need to perform?

L1 Bithead

So, is it possible to have Duo auth with GP (direct client authentication) instead of using RADIUS, for a better integration experience? (The current way, using the password/auth type, is cumbersome.)

 

Thanks

Michel

L4 Transporter

@MichelZ Not at the moment. Probably in the future there will be a direct MFA integration with GP, but for now we'd have to use RADIUS as a proxy.

 

Regards,

Anurag

L0 Member

Maybe we can report this GP MFA integration as a feature request to speed things up?

 

 

L0 Member

@borising - Did you ever get around to posting your instructions on Live? I tried searching but couldn't find anything, and I'm attempting to get this working. If you could send me the link that would be awesome. Thanks!

L0 Member

Anyone get this working on the outside, where it matters most, for remote access into a network? I have 8.0.8 installed and GP 4.1.0. Thanks to anyone who can answer this.

L0 Member

Hi,

 

Unfortunately this configuration is not yet supported. It is very odd, because PA itself knows how to communicate with Duo, but only for the Captive Portal functionality. For GlobalProtect it is not yet supported. In GP 4.1 and PAN-OS 8.1 they have added changing passwords via RADIUS-PEAP authentication, but that is another topic..

Regarding Duo, third-party software (from Duo) is still needed to be able to communicate with the Duo authentication servers..

Maybe it would be good to write a feature request to PA.

 

BR

Cyber Elite

@Zupo.si,

I believe that a feature request already exists for this, you would just need to get your SE to add your vote to it. Once you have the feature request number if you could add it here so that others can add their votes to the same request that would be awesome. 

L0 Member

jvalentine wrote on 07-26-2017 08:05 AM:

I've done this successfully with SSH (and having the GlobalProtect client installed).  When I attempt to SSH to a particular server, the GP agent alerts with a message that MFA is required before gaining access.  I click and authenticate, and can then connect to the SSH server. 

This single thread is nearly the only useful result of a search for MFA, SSH and Palo Alto 
 
@jvalentine , How did you get this working? I can't seem to find any documentation on this and how to configure it. 
 
We are being told that we must have MFA controlling our SSH access to the Palo Alto, and there is hardly any information on this.  We would be fine using Duo or YubiKey, GlobalProtect would work as an access point as we have also been told that we need to limit SSH from all systems that are not fully FIPS-compliant, which the VPN clients would be as the Palo is in FIPS mode.
 
So, in order to access our Palo over SSH we would be connecting to the VPN using GlobalProtect, and then if configured correctly GP would prompt us for our MFA creds, either Yubikey cert/pin or Duo?  
 
Thanks in advance for any information anyone can provide on this.  