02-19-2018 08:52 AM
Is there a way to configure MFA and OTP for administrative access? The company wants to comply with new standards, and I didn't see a way to do it for local access. It is only mentioned how to do it for GlobalProtect VPN users.
02-19-2018 09:44 AM
I don't think you can; someone else may know better, but I was looking the other day at adding MFA to admin login and you can only add an MFA device in the "Factors" tab of the server profile...
For this "Factors" tab PAN states the following:
Additional authentication factors are supported for end-user authentication through Authentication Policy only. Additional factors are not supported for remote user authentication to GlobalProtect portals and gateways or for administrator authentication to the PAN-OS or Panorama web interface. Although you can configure additional factors, they will not be enforced for these use cases. You can, however, integrate with MFA vendors using RADIUS or SAML for all authentication use cases.
Bummer!!!!
02-19-2018 12:04 PM
Exactly, the possibilities you have are RADIUS or SAML. SAML is great but cannot be used for SSH login (unlike RADIUS).
Or a completely different approach: if your PAN management interfaces are located behind a Palo Alto firewall, you could enforce the integrated MFA with Captive Portal, and only when a user is successfully authenticated there will he be able to see the admin web interface. On the admin web interface you can then stay with username/password, as the additional factor was already entered.
02-19-2018 02:04 PM
I didn't get what you meant by the management interfaces being behind the PAN. I use the dedicated management interface and the loopback to access the FW. How do I configure the MFA and the captive portal? Do you mean the MFA under the server profiles?
Can you please share how to configure it?
Thanks in advance.
02-19-2018 02:38 PM
What I meant was if you have a dedicated management network which is located behind another Palo Alto Networks firewall, and in this management network you have the management ports of your firewall(s).
But maybe we should start with what you already have and what you want to improve. As you wrote, you want MFA access for the firewall web interface.
02-19-2018 03:01 PM
Our customer already has an F5 VPN solution, where they MFA once the VPN client accesses. They added a RADIUS server which is integrated with an OTP server (Azure), and that is working. Can this be done the same way for Palo Alto admin access, and if yes, how do we configure it?
02-19-2018 03:40 PM
This should work, yes. Details on how to configure the RADIUS part on the firewall can be found here: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-radius-auth...
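Added example, not code from this thread or from Palo Alto Networks: a Python model of the RADIUS (RFC 2865, PAP) round trip the replies above rely on, with the firewall as RADIUS client sending the admin's static password with the OTP appended, the RADIUS/OTP server validating both parts and answering Accept or Reject, and the client verifying the Response Authenticator before trusting the answer. The shared secret, account and OTP value are constructed, and "password followed by OTP in one User-Password attribute" is an assumption about how the OTP backend is integrated.

```python
import hashlib, hmac, secrets, struct

# Constructed sample values (hypothetical): RADIUS shared secret and what the OTP server holds.
SHARED_SECRET = b"constructed-shared-secret"
USERS = {"fwadmin": ("StaticP@ss", "482913")}  # username -> (static password, current OTP)

def _pap_hide(data, secret, req_auth):
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte chunks with MD5(secret + previous block)."""
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        prev = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def _pap_unhide(hidden, secret, req_auth):
    """Inverse of _pap_hide; strips the zero padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, username, pw_plus_otp, secret, req_auth):
    """Firewall (RADIUS client) side: Access-Request (Code 1) with User-Name (1) and User-Password (2)."""
    hidden = _pap_hide(pw_plus_otp, secret, req_auth)
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def server_handle(packet, secret):
    """RADIUS/OTP server side: recover the password, check static part + OTP, reply Accept (2) or Reject (3)."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs, fields = packet[4:20], packet[20:length], {}
    while attrs:  # walk the TLV attribute list (type, length, value)
        fields[attrs[0]] = attrs[2:attrs[1]]
        attrs = attrs[attrs[1]:]
    user = fields[1].decode()
    expected = "".join(USERS.get(user, ("", ""))).encode()
    ok = user in USERS and hmac.compare_digest(_pap_unhide(fields[2], secret, req_auth), expected)
    header = struct.pack("!BBH", 2 if ok else 3, ident, 20)
    # Response Authenticator (RFC 2865 section 3) binds the reply to this request and the shared secret
    return header + hashlib.md5(header + req_auth + secret).digest()

def client_verify(reply, req_auth, secret):
    """Firewall side: ignore any reply whose Response Authenticator does not verify."""
    code, _, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    return code if hmac.compare_digest(expected, reply[4:20]) else None

def authenticate(username, pw_plus_otp):
    """One admin login round trip; True only on a verified Access-Accept."""
    req_auth = secrets.token_bytes(16)
    req = build_access_request(7, username.encode(), pw_plus_otp.encode(), SHARED_SECRET, req_auth)
    return client_verify(server_handle(req, SHARED_SECRET), req_auth, SHARED_SECRET) == 2
```

A wrong OTP or an unknown user yields Access-Reject, and a reply forged without the shared secret fails the authenticator check and is dropped.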