GlobalProtect with Azure MFA setup

Good Morning Everyone,

Has anyone had any luck setting up MFA on the Palo Alto with GlobalProtect and Microsoft Azure MFA (hybrid)? I tried opening a ticket with the support team, and they said they had no clue how to set it up but could support it if it broke, and told me a "Sales" Engineer would reach out to me sometime that day. That was 4 business days ago.

I have been reading articles but have not had luck with them. Does anyone have an idiot's guide to setting up Microsoft Azure MFA with GlobalProtect?

PA Version: 8.1.15

GlobalProtect Client: 5.1.1


We have GlobalProtect deployed with Azure MFA authentication. It's not foolproof, as occasionally the firewall does not even try to send the auth requests out via the specified interface; for that we have to modify our authentication server profile, commit the change, and then magically the firewall starts sending the authentication requests out again. We set up a job with Octopus that makes API calls to see if we have a certain number of unique login failures in a specified amount of time, so we can do this programmatically.

That all being said, just set up a new RADIUS server profile and use that as your authentication source for the third-party MFA to work.

Edit: apparently they have a KB article for this now as well, with your step-by-step: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkkCAC
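The failure-count check described in the reply above, as an added example (it is not the poster's Octopus job, nor anything from Palo Alto Networks): it parses constructed PAN-OS-style authentication-failure descriptions, counts distinct users failing inside a sliding window, and returns what an operator would want to see before re-committing the server profile. The log wording in SAMPLE_LOG, the regular expression, and the thresholds are assumptions to adjust against your own firewall's system log; the remediation step (editing the profile and committing) is deliberately left out.

```python
"""Spot a firewall-wide authentication outage from PAN-OS system-log entries.

Added example; not code from the original thread, from Octopus Deploy, or
from Palo Alto Networks. The descriptions below are constructed to resemble
PAN-OS 'auth' subtype system-log text; wording on a real firewall may differ,
so check FAILURE_RE against your own log samples before relying on it.
"""
import re
from collections import Counter, deque, namedtuple
from datetime import datetime, timedelta

# Constructed sample entries: (receive time, description). Two failures from
# the same user (alice retrying) must count once; the 'erin' line is a success.
SAMPLE_LOG = [
    ("2020-06-01 08:00:01", "failed authentication for user 'alice'. Reason: Invalid username/password. auth profile 'AzureMFA', vsys 'vsys1', server profile 'NPS-RADIUS', server address '10.0.0.5', From: 203.0.113.10."),
    ("2020-06-01 08:00:40", "failed authentication for user 'alice'. Reason: Invalid username/password. auth profile 'AzureMFA', vsys 'vsys1', server profile 'NPS-RADIUS', server address '10.0.0.5', From: 203.0.113.10."),
    ("2020-06-01 08:02:15", "authenticated for user 'erin'. auth profile 'AzureMFA', vsys 'vsys1', server profile 'NPS-RADIUS', server address '10.0.0.5', From: 203.0.113.22."),
    ("2020-06-01 08:03:10", "failed authentication for user 'bob'. Reason: Authentication server timed out. auth profile 'AzureMFA', vsys 'vsys1', server profile 'NPS-RADIUS', server address '10.0.0.5', From: 203.0.113.31."),
    ("2020-06-01 08:03:55", "failed authentication for user 'carol'. Reason: Authentication server timed out. auth profile 'AzureMFA', vsys 'vsys1', server profile 'NPS-RADIUS', server address '10.0.0.5', From: 203.0.113.47."),
    ("2020-06-01 08:20:00", "failed authentication for user 'dave'. Reason: Invalid username/password. auth profile 'AzureMFA', vsys 'vsys1', server profile 'NPS-RADIUS', server address '10.0.0.5', From: 203.0.113.50."),
]

Failure = namedtuple("Failure", "time user reason server_profile")

# Assumed description layout; the 'server profile' capture tells you which
# RADIUS target was in use when the failures happened.
FAILURE_RE = re.compile(
    r"failed authentication for user '(?P<user>[^']+)'\. "
    r"Reason: (?P<reason>[^.]+)\."
    r".*?server profile '(?P<server_profile>[^']+)'"
)


def parse_failures(entries):
    """Return Failure records for the lines that are authentication failures, oldest first."""
    found = []
    for ts, desc in entries:
        m = FAILURE_RE.search(desc)
        if m:
            found.append(Failure(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                                 m["user"], m["reason"], m["server_profile"]))
    return sorted(found, key=lambda f: f.time)


def find_failure_spike(entries, window_minutes=5, min_unique_users=3):
    """Slide a window over the failures and report the first moment at which
    at least min_unique_users distinct users have failed within the window.

    Distinct users, not raw events, are what matter: one user mistyping a
    password produces many events but one user, whereas a broken RADIUS path
    fails everyone who tries to log in.
    """
    window = timedelta(minutes=window_minutes)
    recent = deque()
    for f in parse_failures(entries):
        recent.append(f)
        while f.time - recent[0].time > window:
            recent.popleft()
        users = {r.user for r in recent}
        if len(users) >= min_unique_users:
            return {
                "at": f.time,
                "users": sorted(users),
                "reasons": dict(Counter(r.reason for r in recent)),
                "server_profiles": sorted({r.server_profile for r in recent}),
            }
    return None


if __name__ == "__main__":
    spike = find_failure_spike(SAMPLE_LOG)
    if spike:
        print("auth outage suspected at", spike["at"], "users:", spike["users"],
              "reasons:", spike["reasons"], "server profiles:", spike["server_profiles"])
    else:
        print("no failure spike in the sample")
```

On the sample data the spike is reported at 08:03:55, when alice, bob and carol have all failed inside five minutes; the "reasons" breakdown is what distinguishes a server-side timeout (the symptom the reply describes) from a run of bad passwords, so it is worth gating the automatic re-commit on the timeout reason rather than on the count alone.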

@JasonMatherly

I thought about that; however, as of July 1, 2019, Microsoft no longer offers MFA Server for new deployments.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-dir-radius

I did talk to one of the local Sales engineers and they recommended the following: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE

This is a good solution to bring us online and meet the short requirements I have for deployment; however, because we are in a hybrid Azure setup, it does rely on the Windows Authentication Passthrough servers being 100% functional. If they go down, we can't sign in. Fun times. I am still working on the RADIUS part, but at least now I have a backup plan to bring us online.
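For the RADIUS part of the accepted answer, here is an added example (not from the thread, from Palo Alto Networks, or from Microsoft) that builds an RFC 2865 Access-Request the way a firewall RADIUS server profile would, protects it with a Message-Authenticator, and checks the server's Response Authenticator before trusting the reply. build_response() only simulates the NPS side so the whole exchange can be verified offline; the shared secret, NAS address, username and password are constructed.

```python
"""RADIUS (RFC 2865, PAP) request/response exchange as the firewall performs it.

Added example; not code from the thread, Palo Alto Networks or Microsoft.
Shared secret, NAS IP and credentials are constructed; build_response()
stands in for the NPS server so the exchange can be checked without a network.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def _attr(kind, value):
    """One TLV attribute: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attributes(pkt):
    """Map attribute type -> value (first occurrence) for the bytes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(pkt):
        kind, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed attribute")
        attrs.setdefault(kind, pkt[pos + 2:pos + length])
        pos += length
    return attrs


def encrypt_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret || previous block)."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], mask))
        out += prev
    return out


def decrypt_password(enc, secret, authenticator):
    """Inverse of encrypt_password; the mask chain is keyed on the ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(enc), 16):
        block = enc[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00").decode()


def build_access_request(username, password, secret, nas_ip, identifier=0, authenticator=None):
    """Access-Request carrying User-Name, User-Password, NAS-IP-Address and Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator: 16 random bytes
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encrypt_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # placeholder, filled in below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    # RFC 2869 section 5.14: HMAC-MD5 over the whole packet with the attribute value zeroed.
    # Message-Authenticator is the last attribute, so its value is the final 16 bytes.
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac, authenticator


def verify_message_authenticator(pkt, secret):
    """Check the trailing Message-Authenticator produced by build_access_request."""
    expected = hmac.new(secret, pkt[:-16] + b"\x00" * 16, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[-16:])


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Simulated server side: Response Authenticator per RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def verify_response(resp, request_authenticator, secret):
    """Accept a reply only if its Response Authenticator binds it to our request and secret."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + request_authenticator + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


def probe(server, secret, username, password, nas_ip, timeout=60.0):
    """Send one Access-Request over UDP/1812; return the verified reply code (2 Accept, 3 Reject)."""
    ident = os.urandom(1)[0]
    pkt, ra = build_access_request(username, password, secret, nas_ip, identifier=ident)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)  # the MFA push approval has to complete inside this wait
        s.sendto(pkt, (server, 1812))
        resp, _ = s.recvfrom(4096)
    if resp[1] != ident or not verify_response(resp, ra, secret):
        raise ValueError("reply failed the authenticator check (wrong secret or forged reply)")
    return resp[0]
```

Run `probe("10.0.0.5", b"shared-secret", "alice", "password", "10.0.0.1")` from a host with the same source address the firewall uses, and you exercise the NPS path independently of GlobalProtect. The generous default timeout is deliberate: the PAN-OS RADIUS server profile defaults to a 3-second timeout with 3 retries, while Microsoft's NPS-extension guidance calls for a much longer client timeout (around 60 seconds) so the push approval can finish before the firewall gives up, which otherwise surfaces as the server-side timeouts the other reply alerts on.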


In case you are deploying this setup for Linux clients, you might want to consider upgrading to GlobalProtect 5.1.6. GPC-11090: Fixed an issue where, when the GlobalProtect app was installed on Linux, users were not able to authenticate through SAML authentication when Microsoft Azure was used as the identity provider (IdP).
