Two-factor token based (2FA) authentication mechanism for administrative access


Is there a way to configure MFA and OTP for administrative access? The company wants to comply with new standards and I didn't see a way to do it for local access. It is only mentioned how to do it for GlobalProtect VPN users.


I don't think you can; someone else may know better, but I was looking the other day at adding MFA to admin login and could only add an MFA device in the "Factors" tab of the server profile...

For this "Factors" tab PAN states the following:

Additional authentication factors are supported for end-user authentication through Authentication Policy only. Additional factors are not supported for remote user authentication to GlobalProtect portals and gateways or for administrator authentication to the PAN-OS or Panorama web interface. Although you can configure additional factors, they will not be enforced for these use cases. You can, however, integrate with MFA vendors using RADIUS or SAML for all authentication use cases.


Bummer!!!!

Exactly, the possibilities you have are RADIUS or SAML. SAML is great but cannot be used for SSH login (compared to RADIUS).

Or a completely different approach is possible if your PAN management interfaces are located behind a Palo Alto firewall. This way you could enforce the integrated MFA with captive portal, and only when a user has successfully authenticated there will he be able to see the admin web interface. On the admin web interface you can then stay with username/password, as the additional factor was already entered.

I didn't get what you meant by the management interfaces being behind the PAN. I use the dedicated management interface and the loopback to access the FW. How do I configure the MFA and the captive portal? Do you mean the MFA under the server profiles?

Can you please share how to configure it?

Thanks in advance.

What I meant was if you have a dedicated management network which is located behind another Palo Alto Networks firewall, and in this management network you have the management ports of your firewall(s).

But maybe we should start with what you already have and what you want to improve. As you wrote, you want MFA access for the firewall web interface.

  1. Do you use local users or are they somewhere in a directory?
  2. What authentication method are you using right now?
  3. Do you already have MFA software which you use for other purposes (GlobalProtect, SAML IdP, Citrix access, ...)?
  4. Are you talking about the management web interface of one firewall (cluster) or some more firewalls?
  5. Do you already have dedicated management networks, maybe for network devices or virtualization infrastructure or something else?

  1. Do you use local users or are they somewhere in a directory? Both of them.
  2. What authentication method are you using right now? Just AD credentials.
  3. Do you already have MFA software which you use for other purposes (GlobalProtect, SAML IdP, Citrix access, ...)? No.
  4. Are you talking about the management web interface of one firewall (cluster) or some more firewalls? One cluster.
  5. Do you already have dedicated management networks, maybe for network devices or virtualization infrastructure or something else? No.

Our customer already has an F5 VPN solution, where they do MFA once the VPN client connects. They added a RADIUS server which is integrated with an OTP server (Azure) and that is working. Can this be done the same way for Palo admin access, and if yes, how do we configure it?

This should work, yes. Details on how to configure the RADIUS part on the firewall can be found here: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-radius-auth...
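As an added example (not from this thread and not Palo Alto Networks code): a small pure-Python RADIUS PAP client you can run from the management network to confirm that the RADIUS server with the Azure OTP backend answers correctly before pointing the firewall's RADIUS server profile at it. It assumes the OTP is sent appended to the password in User-Password (check which convention your OTP server expects) and that the server listens on UDP 1812; it also validates the Response Authenticator, which is what stops a forged UDP reply from passing as an Access-Accept.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide; this is what the RADIUS server does before checking the OTP."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident: int, user: str, password_and_otp: str, secret: bytes, authenticator=None):
    """Access-Request carrying User-Name and a PAP-hidden User-Password (password with OTP appended, assumed)."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, user.encode()) + attribute(
        ATTR_USER_PASSWORD, pap_hide(password_and_otp.encode(), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def verify_response(resp: bytes, ident: int, req_authenticator: bytes, secret: bytes):
    """Return the reply code only if the Response Authenticator (RFC 2865 s3) is valid; forged replies fail."""
    if len(resp) < 20 or resp[1] != ident or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return None
    expected = hashlib.md5(resp[:4] + req_authenticator + resp[20:] + secret).digest()
    return resp[0] if hmac.compare_digest(expected, resp[4:20]) else None

def check_radius_otp(server: str, secret: bytes, user: str, password_and_otp: str, port=1812, timeout=5.0):
    """Send one Access-Request to the RADIUS/OTP server and report the verified outcome."""
    ident = os.urandom(1)[0]
    packet, authenticator = build_access_request(ident, user, password_and_otp, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        resp, _ = sock.recvfrom(4096)
    names = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", ACCESS_CHALLENGE: "challenge"}
    return names.get(verify_response(resp, ident, authenticator, secret), "invalid-or-spoofed")
```

A "challenge" result means the server wants a second round (some OTP backends prompt for the token separately), which the firewall's RADIUS profile handles but this one-shot check does not.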
