This Nominated Discussion Article is based on the post "Configure second DUO for PA firewall MFA " by @boblin and responded to by @Raido_Rattameister , @TomYoung , @BPry. Read on to see the discussion and solution! Make sure to check out the document @boblin created and linked at the bottom to assist other users !
We have configured a DUO Proxy server for PA firewall MFA and it works. We also configured the second DUO proxy server for redundancy. However, we don't know how to configure PA firewall to fail-over to the second DUO in a case the primary DUO proxy server is down. Any help?
You need to add auth sequence under "Device > Authentication Sequence"
Add both RADIUS profiles there. Configure GlobalProtect auth to use previously configured sequence.
Check how many retries and timeout your RADIUS profiles have configured under "Device > Server Profiles > RADIUS".
Let's assume that you have 2 attempts with 20 seconds timeout.
This leaves 20 seconds for secondary RADIUS server as GlobalProtect will time out in 60 seconds by default.
You might want to extend GP timeout.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMD5CAO
Is it possible to configure active/active or balance? If so how to do it?
The easiest way to configure redundancy for the same protocol is to add multiple servers in the RADIUS Server Profile. However, this will not load balance. The NGFW will try each one from the top down. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClqECAS
I have configured the second DUO proxy server, but it doesn't work. To troubleshooting, what would you do? Perhaps, where I can check the logs?
I find authproxy.log and it shows:
2023-04-26T15:56:36.843265-0500 [duoauthproxy.lib.log#info] Duo Security Authentication Proxy 5.7.4 - Init Complete
2023-04-26T16:08:57.409802-0500 [-] (UDP Port 1812 Closed)
2023-04-26T16:08:57.409802-0500 [-] Stopping protocol <duoauthproxy.lib.forward_serv.DuoForwardServer object at 0x0000028A1FE91E80>
2023-04-26T16:08:57.409802-0500 [-] Main loop terminated.
2023-04-26T16:09:05.780813-0500 [-] DuoForwardServer starting on 1812
2023-04-26T16:09:05.780813-0500 [-] Starting protocol <duoauthproxy.lib.forward_serv.DuoForwardServer object at 0x0000021AA5B81CA0>
2023-04-26T16:09:05.876008-0500 [duoauthproxy.lib.log#info] FIPS mode is not enabled
2023-04-26T16:09:05.876008-0500 [duoauthproxy.lib.log#info] Reactor in use: <twisted.internet.selectreactor.SelectReactor object at 0x0000021AA32785E0>
2023-04-26T16:09:05.876008-0500 [duoauthproxy.lib.log#info] AD Client Module Configuration:
2023-04-26T16:09:05.876008-0500 [duoauthproxy.lib.log#info] {'host': '10.0.0.58',
To troubleshoot:
Can you authenticate to the secondary RADIUS server that you created separate from the authentication sequence that you configured (create a temporary Authentication Profile with just the new config if needed)?
Via the CLI you can do this with the 'test authentication authentication-profile <profilename> username <username> password' command to verify that it just isn't an issue on that secondary node.
You can auto review the authd log file by using 'less mp-log authd.log' on the CLI as well.
The second DUO Proxy server configuration is correct and works if I don't use authentication sequence. For example, the first duo proxy IP is 10.0.0.119
in RADIUS Server profile, if you change the IP to second DUO proxy 10.0.0.183, it works.
If in Authentication Profile, I have two profiles.
and authentication sequence has two profiles.
Only DUO Profile works. If I stop the first duo proxy server, it doesn't work.
How do you run 'test authentication authentication-profile'? I keep getting Invalid syntax.
Based on your screenshot, you have a 120 seconds timeout. That is an eternity!
For failover to ever happen it would take 3x120 seconds.
GlobalProtect will wait only 60 seconds by default until it times out.
I have two DUO profile in the authentication sequency and it works. However, it seems to me this is active/passive. How can we setup active/active or balance?
Active/Active can be only set if RADIUS profile points to NAT policy in Palo and this NAT policy has dynamic destination IP with session distribution. But it will not check if destination is live or not. DNAT is just round robin or least session etc basis.
There's no other way to set active/active.
Utilizing NAT with session distribution is kind of a hack that you can use if you really need active/active.
Here's a step by step guide (full credits to the author @boblin for making this):
