03-06-2018 05:01 PM
I've been looking up and down and can't seem to find a solution. I'm trying to authenticate to the GlobalProtect gateway or portal via Radius (which is tied back to AD) then to DUO for MFA.
The user should point to the portal/gateway, receive a username/password prompt, authenticate via Radius, then receive a text message from DUO (or call) and accept. This should connect the user to the VPN right after.
I've set it up with one Radius profile with DUO as the second factor. And have that tied to the Portal. I've tried moving it around to be on the gateway and portal, just the gateway, just the portal, etc. I've either been failing, or getting on the VPN, albeit a slow response time and multiple DUO prompts. I don't know what I'm doing wrong and all the MFA documentation appears to be within a policy and not just authenticating to be on the network. I guess we can get it where anyone can log on, but then would have to authenticate via a FW policy, but want to do it before they log onto the VPN.
Any help is appreciated. Thank you.
03-07-2018 06:46 AM
This is the documentation that DUO actually provides for this sort of setup. https://duo.com/docs/paloalto
03-07-2018 02:00 PM
What are you using for the first factor(what is your Duo Auth Proxy pointing to for the first factor)? Active Directory?
If using AD for the first factor, and Duo for the second factor, try this...
- Create an Authentication Profile in PA that uses LDAP and points to your Domain Controllers.
- Apply this LDAP Auth Profile to your Portal.
- Create an Authentication Profile in PA that uses RADIUS and points to your Duo Auth Proxy.
- Apply this RADIUS Auth Profile to your Gateway.
...with this configuration, users will authenticate to your Portal via AD only, and to your Gateway via Duo MFA. I believe, after authenticating to the Portal, the GP agent will take the username/password used to authenticate to the Portal, and send them to the Gateway. The expected behavior here is, the user should only have to enter in their password once, and their OTP once. Or, if you save user credentials in GP, the only thing the user has to do is authenticate against the second factor.
03-07-2018 06:46 AM
This is the documentation that DUO actually provides for this sort of setup. https://duo.com/docs/paloalto
03-07-2018 02:00 PM
What are you using for the first factor(what is your Duo Auth Proxy pointing to for the first factor)? Active Directory?
If using AD for the first factor, and Duo for the second factor, try this...
- Create an Authentication Profile in PA that uses LDAP and points to your Domain Controllers.
- Apply this LDAP Auth Profile to your Portal.
- Create an Authentication Profile in PA that uses RADIUS and points to your Duo Auth Proxy.
- Apply this RADIUS Auth Profile to your Gateway.
...with this configuration, users will authenticate to your Portal via AD only, and to your Gateway via Duo MFA. I believe, after authenticating to the Portal, the GP agent will take the username/password used to authenticate to the Portal, and send them to the Gateway. The expected behavior here is, the user should only have to enter in their password once, and their OTP once. Or, if you save user credentials in GP, the only thing the user has to do is authenticate against the second factor.
03-07-2018 02:16 PM - edited 03-07-2018 02:20 PM
Thanks for this info. I was reading into doing this, and may have to. What I orginially did was create a radius profile which points to our Clearpass radius server. Then I created an MFA profile with DUO pointing to the api and using the secure key. I then created an authentication profile pointing to the radius server profile with the DUO profile for the MFA. So the DUO and radius server were tied in one. I was then tryign to only use that authentication profile on either the gateway or portal, but having weird issues. I'm assuming I have to create a Radius server profile with proxy info (I don't have this info on hand and was trying to work around it). I do get prompts from DUO, so was assuming I was close with the setup I have, but missing something. Any idea if using one authentication profile with a radius server and MFA profile with DUO would work, without using the proxy server? Thanks for the help!
03-07-2018 02:19 PM - edited 03-07-2018 02:19 PM
Thanks for the link. I'll go through this again as I believe I'll have to do this setup exactly as is. I was using another radius server (Clearpass) and setup an MFA profile pointing to the DUO API, tied into one authentication profile. So I wasn't using the proxy in a separate radius profile. I'm getting prompts from DUO, so appears it's going out and talking with the DUO servers, but either get a bunch of prompts and delays and finally get on, or fail in teh process somewhere. Hard to find out where even using he troubleshooting tab on the client. Thanks for the info as I'll probably be going down this path.
03-15-2018 09:41 AM
It ended up being a slight config miss, ontop of not restarting the DUO authentciation service on the proxy server. Once configured correctly and service restarted, it started working. I was trying to use the built in MFA profile with Palo Alto, but that appears to only work for web portal authentication and not authentication to the portal/gateway for globalprotect. Thanks guys for the help!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
