Duo Multi-Factor Authentication (MFA)

jdelio · ‎04-20-2017

This video tutorial shows how to integrate Duo multi-factor authentication to the Palo Alto Networks v8.0+ firewall in an authentication policy for the purposes of Captive Portal or an authentication step-up.

D is for Duo, a company that specializes in trusted access with SSO (Single Sign On) and MFA (Multi Factor Authentication).

In today's video tutorial, Mitch Densley will be talking about Duo MFA.

Some of the topics that Mitch will be covering in this Video Tutorial:

Create & Enroll user in Duo portal
Importing Duo certificates into the firewall
Create Captive Portal (CP) Certificate
Create Certificate profile with Duo certificates
Add Duo MFA
User-ID setup captive portal
Create Authentication object
Setup Authentication policy

Thanks for watching.

Zupo.si · ‎04-26-2017

jdelio,

great post, thank you.

But did you try to use it for global protect VPN ?

Thank you!

jdelio · ‎04-26-2017

@Zupo.si, I did not try to use this for GlobalProtect. From what I know, this will not work without a proxy.

GP cannot be integrated with Duo yet... (maybe in future releases).

acc6d0b3610eec313831f7900fdbd235 · ‎05-01-2017

Hi @ jdelio, I am trying to configure the MFA with captive portal on my lab, but I keep receiving the message of: No required ssl certificate was sent. I have performed the exact same configuration as you demonstrate in the video and revised multiple times, but had no luck in getting it working. Do you have any suggestion? Thank you

borising · ‎05-05-2017

Hi @jdelio,

I did a POC with GP using local user and Duo MFA integration, running version 8, so it's doable. I am also using this on my home lab.

I did a writeup in the beta forum, maybe I should clean it up and publish it on live, for general availability 🙂

Great video btw!

Regards,

Bo

m7usman · ‎05-05-2017

Hi @borising Waiting for the Link or the post at Live. Thanks..

@jdelio wrote:
D is for Darths.. like Darth Vader and Darth Maul.. 2 of the most powerful Sith that have ever existed. But one thing that those guys did not have to worry about was Multi Factor Authentication.

D is for Duo, a company that specializes in trusted access with SSO (Single Sign On) and MFA (Multi Factor Authentication).

In today's video tutorial, Mitch Densley will be talking about Duo MFA.

Some of the topics that Mitch will be covering in this Video Tutorial:
Create & Enroll user in Duo portal
Importing Duo certificates into the firewall
Create Captive Portal (CP) Certificate
Create Certificate profile with Duo certificates
Add Duo MFA
User-ID setup captive portal
Create Authentication object
Setup Authentication policy

Thanks for watching.

jmenon · ‎05-23-2017

Check this as well

https://live.paloaltonetworks.com/t5/Integration-Articles/GlobalProtect-One-Time-Password-based-Two-...

ansharma · ‎06-03-2017

@acc6d0b3610eec313831f7900fdbd235

Regarding the error 'No required ssl certificate was sent', you'll see this when your captive portal has a certificate profile configured. Either remove that or add a suitable certificate to be validated by the firewall using the Certificate profile configured. You do not need to change anything about the SSL/TLS profile.

Regards,

Anurag

mike_yand · ‎06-18-2017

Hi @borising,

Tried to do the same with MFA and no luck.

Anytime I login, it show "disconnected", but send the duo push. Tried with Local user db and LDAP. In the Client I see "Could not connect to portal", but in palo logs -

Authentication Success since I approve the DUO push.

Same goes for Portal in web, I enter user/pass - duo push sent, but on screen, before I get push, already have invalid user/pass.

Using 8.0.2 Palo and 4.0.2 Client.

Thanks

borising · ‎06-20-2017

Hi @mike_yand,

PAN just released 8.0.3 last night, so I am just upgrading my lab fw to 8.0.3, whereafter I will check my setup again and report back.

I had the same issue on 8.0.2 as you do.

If it works on 8.0.3, I will release my howto on live 🙂

Regards,

Bo Rising

mike_yand · ‎06-25-2017

@borising sounds like a plan, but I got an answer from Palo that MFA is not supported on GB since it is designed to work with auth policy and only traffic traversing the FW.

jintan · ‎07-24-2017

I was wondering if this MFA profile can be used to protect my SSH or MS RDP access? If I am using putty to do SSH access, how would the MFA be prompted?

ansharma · ‎07-25-2017

@jintan MFA can be used in conjunction with GP. GP client would present the user with a link which would be the MFA login page.

jintan · ‎07-25-2017

hi @ansharma

thanks for your advice. i have configured an authentication policy to trigger MFA when users access servers via RDP. I was able to get the prompt from GP to authenticate at the portal. However, the windows RDP connections gets killed off the moment GP prompts me to authenticate. (as per attached pic) I am using the default Windows RDP connection tool available in Windows 7.

Screen Shot 2017-07-26 at 12.08.44 PM.png

My MFA policy is working fine for normal http access.

Any idea how to overcome this? Thanks.

mike_yand · ‎07-25-2017

I doubt that MFA can work properly with something except http/https, since to login you have to authenticate via webpage

jintan · ‎07-25-2017

it should be able to according to this guide

ansharma · ‎07-26-2017

@mike_yand @jintan Yes, it should. Give me some time to test in the lab.

jvalentine · ‎07-26-2017

I've done this successfully with SSH (and having the GlobalProtect client installed). When I attempt to SSH to a particular server, the GP agent alerts with a message that MFA is required before gaining access. I click and authenticate, and can then connect to the SSH server.

jintan · ‎07-26-2017

i tried on ssh and it was a little different. the session got killed only after i had a successful authentication with the MFA server. (using DUO by the way)

@jvalentine possible to share your GP settings?

PANisawesome · ‎08-08-2017

If I already have a working globalprotect and want to add DUO MFA, what steps do I need to perform?

MichelZ · ‎09-10-2017

So, is it possible to have DUO Auth with GP? (direct client authentication), so instead of using RADIUS for a better integration experience? (The current way, using password,auth type is cumbersome)

Thanks

Michel

ansharma · ‎09-11-2017

@MichelZ Not at the moment. Probably, in the future there would be a direct integration with MFA with GP. But for now, we'd have to use RADIUS as a proxy.

Regards,

Anurag

Zupo.si · ‎09-11-2017

Mybe we can report this MFA GP as feature request to speed things up?

Auto-Star · ‎10-25-2017

@borising - Did you ever get around to post your instructions to live? I tried searching but couldn't find anything and I'm attempting to get this working, If you could send me the link that would be awesome. Thanks!

netwerkg · ‎04-24-2018

Anyone get this working on the outside where it matters most for remote access into a network ? I have 8.0.8 installed and GP 4.1.0. Thanks to anyone who can answer this.

Zupo.si · ‎04-25-2018

Hi,

unfortunately this configuration is not yet supported. It is very odd because PA itself knows howto communicate but only for Captive portal functionalities. For global protect it is not yet supported. in version 4.1 and 8.1 PAN they have added for chaning password via RADIUS-PEAP authentication but this is another topic..

Regarding DUO it's still needed third party software (from DUO) to be able to communicate with duo authentication servers..

Mybe it would be good to write a feature request to PA.

BR

BPry · ‎04-25-2018

@Zupo.si,

I believe that a feature request already exists for this, you would just need to get your SE to add your vote to it. Once you have the feature request number if you could add it here so that others can add their votes to the same request that would be awesome.

rk-mmills · ‎08-30-2018

by jvalentine
on ‎07-26-2017 08:05 AM
I've done this successfully with SSH (and having the GlobalProtect client installed). When I attempt to SSH to a particular server, the GP agent alerts with a message that MFA is required before gaining access. I click and authenticate, and can then connect to the SSH server.

This single thread is nearly the only useful result of a search for MFA, SSH and Palo Alto

@jvalentine , How did you get this working? I can't seem to find any documentation on this and how to configure it.

We are being told that we must have MFA controlling our SSH access to the Palo Alto, and there is hardly any information on this. We would be fine using Duo or YubiKey, GlobalProtect would work as an access point as we have also been told that we need to limit SSH from all systems that are not fully FIPS-compliant, which the VPN clients would be as the Palo is in FIPS mode.

So, in order to access our Palo over SSH we would be connecting to the VPN using GlobalProtect, and then if configured correctly GP would prompt us for our MFA creds, either Yubikey cert/pin or Duo?

Thanks in advance for any information anyone can provide on this.

Duo Multi-Factor Authentication (MFA)

Duo Multi-Factor Authentication (MFA)

GlobalProtect: Authentication Policy with MFA

Integrating FortiAuthenticator with PA Firewall for Multi-Factor Authentication on GlobalProtect

Nominated Discussion: Configure a second DUO for PA firewall MFA

Palo Alto NGFW: LDAP authentication with DUO/OKTA MFA

GlobalProtect VPN Enforcing Password Changes and Google Authenticator MFA

Configure second DUO for PA firewall MFA

Multi-Factor Authentication for GlobalProtect

Help Us Win – Vote for LIVEcommunity in the 2025 CMX Awards!

The Dark Secret of Enterprise Security

Hackers Evolve. So Did We – Inside Ignite London 2025!

Re: Help Us Win – Vote for LIVEcommunity in the 2025 CMX Awards!

Help Us Win – Vote for LIVEcommunity in the 2025 CMX Awards!

Re: Help Us Win – Vote for LIVEcommunity in the 2025 CMX Awards!

Re: Help Us Win – Vote for LIVEcommunity in the 2025 CMX Awards!

Re: Help Us Win – Vote for LIVEcommunity in the 2025 CMX Awards!

Unlock your full community experience!

Duo Multi-Factor Authentication (MFA)