Configure second DUO for PA firewall MFA

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Configure second DUO for PA firewall MFA

L2 Linker

We have configured a DUO Proxy server for PA firewall MFA and it works. We also configured the second DUO proxy server for redundancy. However, we don't know how to configure PA firewall to failover to the second DUO in a case the primary DUO proxy server is down. Any help?

Bob Lin, Chicagotech-MVP, MCSE & CNE
Data recovery, Windows OS Recovery, Networking, and Computer Troubleshooting on
http://www.ChicagoTech.net
How to Install and Configure Windows, VMware, Virtualization and Cisco on
http://www.HowToNetworking.com
3 accepted solutions

Accepted Solutions

Cyber Elite
Cyber Elite

You need to add auth sequence under "Device > Authentication Sequence"

 

Add both RADIUS profiles there.

Configure GlobalProtect auth to use previously configured sequence.

 

Check how many retries and timeout your RADIUS profiles have configured under "Device > Server Profiles > RADIUS".

 

Let's assume that you have 2 attempts with 20 sec timeout.

This leaves 20 seconds for secondary RADIUS server as GlobalProtect will time out in 60 seconds by default.

 

You might want to extend GP timeout.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMD5CAO

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

Cyber Elite
Cyber Elite

You have timeout 120 sec.

That is eternity 🙂

 

For failover to ever happen it would take 3x120 sec.

GlobalProtect will wait only 60 sec by default until it times out.

Did you adjust GlobalProtect default timers?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

Cyber Elite
Cyber Elite

There is no official way to configure active/active.

Utilizing NAT with session distribution is kind of a hack that you can use if you really need active/active.

 

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/configure-nat/configure-de...

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

16 REPLIES 16

Cyber Elite
Cyber Elite

You need to add auth sequence under "Device > Authentication Sequence"

 

Add both RADIUS profiles there.

Configure GlobalProtect auth to use previously configured sequence.

 

Check how many retries and timeout your RADIUS profiles have configured under "Device > Server Profiles > RADIUS".

 

Let's assume that you have 2 attempts with 20 sec timeout.

This leaves 20 seconds for secondary RADIUS server as GlobalProtect will time out in 60 seconds by default.

 

You might want to extend GP timeout.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMD5CAO

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L2 Linker

Thank you for the tip. Is it possible to configure active/active or balance? If so how to do it?

Bob Lin, Chicagotech-MVP, MCSE & CNE
Data recovery, Windows OS Recovery, Networking, and Computer Troubleshooting on
http://www.ChicagoTech.net
How to Install and Configure Windows, VMware, Virtualization and Cisco on
http://www.HowToNetworking.com

Cyber Elite
Cyber Elite

Hi @boblin ,

 

The easiest way to configure redundancy for the same protocol is to add multiple servers in the RADIUS Server Profile.  However, this will not load balance.  The NGFW will try each one from the top down.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClqECAS

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Cyber Elite
Cyber Elite

It is true that multiple servers can be added into single profile but I stopped doing this after I got bit by some bug back in a day where connection was attempted to first server only.

From then on every server is in dedicated profile and I use sequence instead.

Probably overkill nowadays but more robust.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L2 Linker

Thank you for all tips. I have configured the second DUO proxy server, but it doesn't work. To troubleshooting, what would you do? Perhaps, where I can check the logs?

Bob Lin, Chicagotech-MVP, MCSE & CNE
Data recovery, Windows OS Recovery, Networking, and Computer Troubleshooting on
http://www.ChicagoTech.net
How to Install and Configure Windows, VMware, Virtualization and Cisco on
http://www.HowToNetworking.com

L2 Linker

 I find authproxy.log and it shows:

 

2023-04-26T15:56:36.843265-0500 [duoauthproxy.lib.log#info] Duo Security Authentication Proxy 5.7.4 - Init Complete
2023-04-26T16:08:57.409802-0500 [-] (UDP Port 1812 Closed)
2023-04-26T16:08:57.409802-0500 [-] Stopping protocol <duoauthproxy.lib.forward_serv.DuoForwardServer object at 0x0000028A1FE91E80>
2023-04-26T16:08:57.409802-0500 [-] Main loop terminated.
2023-04-26T16:09:05.780813-0500 [-] DuoForwardServer starting on 1812
2023-04-26T16:09:05.780813-0500 [-] Starting protocol <duoauthproxy.lib.forward_serv.DuoForwardServer object at 0x0000021AA5B81CA0>
2023-04-26T16:09:05.876008-0500 [duoauthproxy.lib.log#info] FIPS mode is not enabled
2023-04-26T16:09:05.876008-0500 [duoauthproxy.lib.log#info] Reactor in use: <twisted.internet.selectreactor.SelectReactor object at 0x0000021AA32785E0>
2023-04-26T16:09:05.876008-0500 [duoauthproxy.lib.log#info] AD Client Module Configuration:
2023-04-26T16:09:05.876008-0500 [duoauthproxy.lib.log#info] {'host': '10.0.0.58',

 

Can someone tell the problem from the logs/ Or what should I check.

Bob Lin, Chicagotech-MVP, MCSE & CNE
Data recovery, Windows OS Recovery, Networking, and Computer Troubleshooting on
http://www.ChicagoTech.net
How to Install and Configure Windows, VMware, Virtualization and Cisco on
http://www.HowToNetworking.com

Cyber Elite
Cyber Elite

@boblin,

First thing first, can you authenticate to the secondary RADIUS server that you create separate from the authentication sequence that you configured (create a temporary Authentication Profile with just the new config if needed)? Via the CLI you can do this with the 'test authentication authentication-profile' command to verify that it just isn't an issue on that secondary node.

You can auto review the authd log file by using 'less mp-log authd.log' on the CLI as well. 

L2 Linker

The second DUO Proxy server configuration is correct and works if I don't use authentication sequence. For example, the first duo proxy IP is 10.0.0.119

 

boblin_0-1682557839831.png

 

in RADIUS Server profile, if you change the IP to second DUO proxy 10.0.0.183, it works. 

If in Authentication Profile, I have two profiles.

boblin_1-1682558198277.png

and authentication sequence has two profiles. 

boblin_2-1682558226184.png

 

 

Only DUO Profile works. If I stop the first duo proxy server, it doesn't work. 

 

 

Bob Lin, Chicagotech-MVP, MCSE & CNE
Data recovery, Windows OS Recovery, Networking, and Computer Troubleshooting on
http://www.ChicagoTech.net
How to Install and Configure Windows, VMware, Virtualization and Cisco on
http://www.HowToNetworking.com

How do you run 'test authentication authentication-profile'? I keep getting Invalid syntax.

 

boblin_3-1682559055371.png

 

Bob Lin, Chicagotech-MVP, MCSE & CNE
Data recovery, Windows OS Recovery, Networking, and Computer Troubleshooting on
http://www.ChicagoTech.net
How to Install and Configure Windows, VMware, Virtualization and Cisco on
http://www.HowToNetworking.com

Cyber Elite
Cyber Elite

You have timeout 120 sec.

That is eternity 🙂

 

For failover to ever happen it would take 3x120 sec.

GlobalProtect will wait only 60 sec by default until it times out.

Did you adjust GlobalProtect default timers?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

@boblin,

In addition to the timeout aspect that @Raido_Rattameister already mentioned, the command that I gave you above was a starting point so you knew what to run instead of a full example. Assuming that your authentication profile is "DUO Authentication" the full example would be below:

test authentication authentication-profile "DUO Authentication" username <username> password

Once entered you'll be prompted to enter the password before the firewall attempts to authenticate, you don't include the password in the command. 

Tom. 

 

Now, the I have two DUO profile in the authentication sequency and it works. However, it seems to me this is active/passive. How can we setup active/active or balance?

Bob Lin, Chicagotech-MVP, MCSE & CNE
Data recovery, Windows OS Recovery, Networking, and Computer Troubleshooting on
http://www.ChicagoTech.net
How to Install and Configure Windows, VMware, Virtualization and Cisco on
http://www.HowToNetworking.com

Cyber Elite
Cyber Elite

Active/Active can be only set if RADIUS profile points to NAT policy in Palo and this NAT policy has dynamic destination IP with session distribution.
But it will not check if destination is live or not.

DNAT is just round robin or least session etc basis.

 

No other way to set active/active.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thank you for quick reply. Do you have document for configuring active/active or an link?

Bob Lin, Chicagotech-MVP, MCSE & CNE
Data recovery, Windows OS Recovery, Networking, and Computer Troubleshooting on
http://www.ChicagoTech.net
How to Install and Configure Windows, VMware, Virtualization and Cisco on
http://www.HowToNetworking.com
  • 3 accepted solutions
  • 5394 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!