Video Tutorial: Duo Multi Factor Authentication (MFA) (D is for...)

by ‎04-20-2017 12:31 PM - edited ‎05-11-2017 07:39 AM (15,400 Views)

D is for Darths.. like Darth Vader and Darth Maul... 2 of the most powerful Sith that have ever existed. But one thing that those guys did not have to worry about was Multi Factor Authentication.

 

D is for Duo, a company that specializes in trusted access with SSO (Single Sign On) and MFA (Multi Factor Authentication).

 

In today's video tutorial, Mitch Densley will be talking about Duo MFA.

 

Some of the topics that Mitch will be covering in this Video Tutorial:

  • Create & Enroll user in Duo portal
  • Importing Duo certificates into the firewall
  • Create Captive Portal (CP) Certificate
  • Create Certificate profile with Duo certificates
  • Add Duo MFA
  • User-ID setup captive portal
  • Create Authentication object
  • Setup Authentication policy

 

 

Thanks for watching.

 

Comments
by Zupo.si
on ‎04-26-2017 01:38 PM

jdelio,

 

Great post, thank you.

But did you try to use it for GlobalProtect VPN?

 

Thank you!

by
on ‎04-26-2017 02:08 PM

@Zupo.si, I did not try to use this for GlobalProtect. From what I know, this will not work without a proxy.

GP cannot be integrated with Duo yet... (maybe in future releases).

 

by Willian
on ‎05-01-2017 11:30 PM

Hi @jdelio, I am trying to configure the MFA with captive portal on my lab, but I keep receiving the message of: No required ssl certificate was sent. I have performed the exact same configuration as you demonstrate in the video and revised multiple times, but had no luck in getting it working. Do you have any suggestion? Thank you

by borising
‎05-05-2017 07:41 AM - edited ‎05-05-2017 07:42 AM

Hi @jdelio,

 

I did a POC with GP using local user and Duo MFA integration, running version 8, so it's doable. I am also using this on my home lab.

 

I did a writeup in the beta forum, maybe I should clean it up and publish it on live, for general availability :)

 

Great video btw!

 

Regards,

Bo

 

 

by m7usman
on ‎05-05-2017 09:20 AM

Hi @borising Waiting for the Link or the post at Live. Thanks..


by ansharma
on ‎06-03-2017 05:44 PM

@Willian 

Regarding the error 'No required ssl certificate was sent', you'll see this when your captive portal has a certificate profile configured. Either remove that or add a suitable certificate to be validated by the firewall using the Certificate profile configured. You do not need to change anything about the SSL/TLS profile.

 

Regards,

Anurag

by mike_yand
‎06-18-2017 02:35 AM - edited ‎06-18-2017 02:39 AM

Hi @borising,

 

Tried to do the same with MFA and no luck.

Anytime I log in, it shows "disconnected", but sends the Duo push. Tried with local user DB and LDAP. In the client I see "Could not connect to portal", but in the Palo logs: Authentication Success, since I approve the Duo push.

 

Same goes for Portal in web, I enter user/pass - duo push sent, but on screen, before I get push, already have invalid user/pass.

 

Using 8.0.2 Palo and 4.0.2 Client.

 

Thanks

 

 

by borising
on ‎06-20-2017 01:42 AM

Hi @mike_yand,

 

PAN just released 8.0.3 last night, so I am just upgrading my lab fw to 8.0.3, whereafter I will check my setup again and report back.

 

I had the same issue on 8.0.2 as you do.

 

If it works on 8.0.3, I will release my howto on live :)

 

Regards,

Bo Rising

by mike_yand
on ‎06-25-2017 07:48 AM

@borising sounds like a plan, but I got an answer from Palo that MFA is not supported on GP since it is designed to work with auth policy and only traffic traversing the FW.

by jintan
on ‎07-24-2017 08:46 PM

I was wondering if this MFA profile can be used to protect my SSH or MS RDP access? If I am using putty to do SSH access, how would the MFA be prompted? 

by ansharma
on ‎07-25-2017 05:05 AM

@jintan MFA can be used in conjunction with GP. The GP client would present the user with a link which would be the MFA login page.

by jintan
‎07-25-2017 09:10 PM - edited ‎07-25-2017 09:11 PM

Hi @ansharma,

Thanks for your advice. I have configured an authentication policy to trigger MFA when users access servers via RDP. I was able to get the prompt from GP to authenticate at the portal. However, the Windows RDP connection gets killed off the moment GP prompts me to authenticate (as per attached pic). I am using the default Windows RDP connection tool available in Windows 7.

 

Screen Shot 2017-07-26 at 12.08.44 PM.png

 

My MFA policy is working fine for normal http access.

 

Any idea how to overcome this? Thanks. 

by mike_yand
on ‎07-25-2017 11:31 PM

I doubt that MFA can work properly with something except http/https, since to log in you have to authenticate via a webpage.

by jintan
‎07-25-2017 11:35 PM - edited ‎07-25-2017 11:36 PM

it should be able to according to this guide

by ansharma
on ‎07-26-2017 05:55 AM

@mike_yand @jintan Yes, it should. Give me some time to test in the lab.

by jvalentine
on ‎07-26-2017 08:05 AM

I've done this successfully with SSH (and having the GlobalProtect client installed).  When I attempt to SSH to a particular server, the GP agent alerts with a message that MFA is required before gaining access.  I click and authenticate, and can then connect to the SSH server.  

by jintan
on ‎07-26-2017 08:31 AM

I tried on SSH and it was a little different. The session got killed only after I had a successful authentication with the MFA server (using Duo, by the way).

 

@jvalentine possible to share your GP settings? 

by AndrewWasney
on ‎08-08-2017 08:06 AM

If I already have a working GlobalProtect and want to add Duo MFA, what steps do I need to perform?

by MichelZ
on ‎09-10-2017 05:14 AM

So, is it possible to have Duo Auth with GP? (direct client authentication), so instead of using RADIUS for a better integration experience? (The current way, using password, auth type is cumbersome)

 

Thanks

Michel

by ansharma
on ‎09-11-2017 07:47 AM

@MichelZ Not at the moment. Probably, in the future there would be a direct integration with MFA with GP. But for now, we'd have to use RADIUS as a proxy.

 

Regards,

Anurag

by Zupo.si
on ‎09-11-2017 12:46 PM

Maybe we can report this MFA GP as a feature request to speed things up?

 

 
