Configure Palo Alto GlobalProtect Gateway for MFA

Step 1: Add the Duo RADIUS server

1. Log in to the Palo Alto administrative interface.

2. Click the Device tab, then navigate to Server Profiles, then RADIUS.

3. Click the Add button to add a new RADIUS server profile.

4. Enter the information such as Name, Timeout, Retries, Authentication Protocol.

5. Under the “Servers” section, click the Add button to add a RADIUS server, and enter the information such as Name, RADIUS SERVER IP, SECRET, PORT.

Step 2: Add an Authentication Profile

1. On the Device tab, navigate to Authentication Profile.

2. Click the Add button to add a new authentication profile.

3. Enter the information such as Name, Type, Server Profile, User Domain, Username Modifier.

4. Click the Advanced tab. In the “Allow List” section click the drop-down and select the all group (or, if you want to restrict which users may authenticate with the Duo profile, select the group of your choice).

5. Click OK to save the authentication profile.

Step 3: Configure GlobalProtect Gateway

1. On the Network tab, navigate to GlobalProtect, then Gateways.

2. Click on Add to create a Gateway.

3. Enter the information such as Name, Interface, IP Address Type, IPv4 Address.

4. Click the Authentication tab, then Add, to add the Duo authentication profile created earlier.

5. Click OK (twice if you also enabled authentication override cookies) to save the GlobalProtect Gateway settings.

Step 4: Configure GlobalProtect Portal

If the GlobalProtect Portal is configured for Duo two-factor authentication, users may have to authenticate twice when connecting the GlobalProtect Gateway Agent. For the best user experience, Duo recommends leaving your GlobalProtect Portal set to use LDAP or Kerberos authentication. If you do add Duo to your GlobalProtect Portal, also enable cookies for authentication override on the portal to avoid multiple Duo prompts for authentication when connecting.

Note that if Duo is applied only at the GlobalProtect Gateway then users may not append a factor or passcode to their password when logging in.

If your organization would like to protect the GlobalProtect Portal with Duo, follow these instructions.

1. Click on the Network tab, navigate to GlobalProtect, then Portal.

2. Click on your configured GlobalProtect Portal to bring up the properties window.

3. On the Authentication tab of the GlobalProtect Portal Configuration, select the Duo authentication profile created before.

Step 5: Commit to save the Settings and test

1. Commit

2. Test

Published by

Bob Lin

Bob Lin, Chicagotech-MVP, MCSE & CNE. Data recovery, Windows OS recovery, networking, and computer troubleshooting on http://www.ChicagoTech.net. How to install and configure Windows, VMware, virtualization and Cisco on http://www.HowToNetworking.com.