This technical integration guide describes how to integrate a Palo Alto VM-300 and Identity as a Service. Although this document specifically covers the Palo Alto KVM appliance, the information provided applies to all Palo Alto PA-VM Series appliances using the Device Manager software. The aim of this integration is to provide strong, second-factor authentication for your Palo Alto PA-VM Series appliance solution using Identity as a Service.
Before you begin, review the following:

Supported authentication methods
The Palo Alto VM-300 software supports the Identity as a Service authentication methods and authentication protocols listed in the table below. The capabilities may depend on the Identity as a Service configuration or on the setup of other third-party authentication resources (Active Directory, for example).
Note: The Identity as a Service RADIUS Server proxy supports additional authentication protocols and authentication methods. See the Identity as a Service documentation for more information if you are integrating different VPN devices.
| Authentication method | Notes | Supported protocols |
|---|---|---|
| Token | Identity as a Service supports response-only tokens. One-step or two-step authentication. Note: Challenge/response tokens are unsupported with MSCHAPv2. | EAP-GTC or EAP MSCHAPv2 |
| OTP (One Time Password) by SMS or Token | Two-step authentication only | EAP-GTC |
Note: The PA-VM supports only CHAP authentication methods with RADIUS.

Prerequisites
Complete the following steps before integrating your authentication system with Identity as a Service:
1. Install and configure your first-factor authentication resource using the documentation provided by the vendor. The first-factor authentication resource can be a RADIUS server or an external authentication resource (a Local DB, LDAP-compliant directory or Windows domain controller through Kerberos).
2. Install and configure the RADIUS appliance using the documentation provided by the vendor. The device must be able to route traffic before integrating with Identity as a Service.
3. Install and configure Identity as a Service and an Identity as a Service Gateway (containing a RADIUS proxy agent). Take note of the shared secrets, IP addresses, and ports you use. You need this information to configure the RADIUS appliance and first-factor authentication resource.
4. If you want to configure your RADIUS appliance and first-factor authentication resource to recognize Identity as a Service user groups, you must define the Identity as a Service user groups first.
Complete the following to integrate Palo Alto Virtual Appliance with IDaaS.

Configure the Palo Alto web management interface
1. Download the Palo Alto Virtual appliance VM-300 / version 7.0.1 from the Palo Alto Networks website.
2. Deploy the PA VM series OVA format to ESXi server or vCenter Server.
3. Select the Palo Alto VM and open the console. The login screen appears for you to enter the admin credentials.

4. Enter the default username/password (admin/admin) to log in. The welcome screen appears.

5. To enable the configuration mode, type configure.
6. Configure the network access settings for the management interface. The management interface is used for management traffic, VPN, and RADIUS server configuration.
7. To configure web management access, do the following:
a. At the prompt, enter set deviceconfig system ip-address <Panorama-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
For example:
set deviceconfig system ip-address 10.10.10.80 netmask 255.255.224.0 default-gateway 10.10.10.1 dns-setting servers primary 10.10.10.45
b. Press Enter.
c. At the command prompt, type commit to make the web interface accessible.
d. Open a web browser and type https://<IP Address>. The Palo Alto Dashboard page appears.


Step 2.1: Configure LDAP as an AAA Client
1. Log in to the Palo Alto web management interface. The Palo Alto Dashboard page appears.

2. Click the Device tab. The navigation pane appears.

3. In the navigation pane, select Server Profiles > LDAP.
4. Click Add at the bottom of the Palo Alto main page. The LDAP Server Profile page appears.

5. In the LDAP Server Profile page, do the following:
a. In the Profile Name field, enter the name of your LDAP Server hostname (for example, Active_Directory).
b. In the Server List, click Add. The LDAP Server Profile page updates for you to add information about the LDAP server.
c. In the Server list pane, do the following:
– In the Name field enter the LDAP hostname, for example, IGUser.
– In the LDAP Server field enter the IP address or host name of the Active Directory.
– In the Port field, enter 389, or enter 636 if you are using an SSL connection over LDAP.
d. In the Server Settings pane, do the following:
– Select active-directory from the Type drop-down list.
– In the Base DN field, enter the domain name (for example, if your Active Directory has a domain name such as iguser.mycompany.com, specify the Base DN dc=iguser,dc=mycompany,dc=com).
– In the Bind DN field, enter the login domain name (for example, cn=administrator,cn=users,dc=iguser,dc=mycompany,dc=com).
– In the Password field, enter the Active Directory administrator account password, and enter it again in the Confirm Password field.
– Leave the other settings at the default values.
– Select the Require SSL/TLS secured connection check box.
e. Click OK to close the LDAP server Profile page. You are returned to the Palo Alto Device page.

6. Click Commit at the top of the Palo Alto main page.

Step 2.2: Configure the Group Mapping Profile
1. Click the Device tab and then in the navigation pane select User Identification. The User Identification page appears.
2. Click the Group Mapping Settings tab and then click Add at the bottom of the Palo Alto main page. The Group Mapping page appears.

3. Enter a Name, for example, Group_Mapping.
4. Select the LDAP Server Profile from the Server Profile drop-down list. This is the LDAP server you created in the previous steps.
5. Select the Enabled check box.
6. Leave the other settings at the default values.
7. Click the Group Include List tab and expand the Available group drop-down list.

8. Click on the group list starting with the cn= that you want to have on the firewall to use in policies.
9. Click the + sign in the middle to add them to the Included Groups list.
10. Click OK to save the changes and click OK again to close the Group Mapping page.
11. Click Commit at the top of the Palo Alto main page.

Step 2.3: Create an authentication profile for LDAP AAA clients
1. Click the Device tab and then in the navigation pane select Authentication Profile.
2. Click Add at the bottom of the Palo Alto main page. The Authentication Profile page appears.

3. In the Authentication Profile page, do the following:
a. In the Name field enter Identity as a Service.
b. From the Type drop-down list, select RADIUS. The Authentication Profile page updates for you to enter the RADIUS information.
c. From the Server Profile drop-down list, select the Identity as a Service profile.
d. In the User Domain field, enter the domain name of the LDAP server (for example, ldap.mycompany.com).
e. From the Username Modifier drop-down list, select %USERINPUT%.
f. Click the Advanced tab. The Authentication Profile Advanced page appears.
g. Click Add. The following list of domain users appears.
h. Click on the groups listed starting with cn= that you want to have on the firewall to use in policies.
4. Click OK to close the Authentication Profile page and return to the Palo Alto main page.
5. Click Commit at the top of the Palo Alto main page to save the configuration changes.

Step 2.4: Create an authentication profile for RADIUS AAA clients
1. Click the Device tab and then in the navigation pane select Authentication Profile.
2. Click Add at the bottom of the Palo Alto main page. The Authentication Profile page appears.

3. In the Authentication Profile page, do the following:
a. In the Name field enter a name for authentication profile, for example, Identity as a Service.
b. From the Type drop-down list, select RADIUS. The Authentication Profile page updates for you to enter the RADIUS information.

c. In the Server Profile field, select the Identity as a Service profile from the drop-down list.
d. Click the Advanced tab. The Authentication Profile Advanced page appears.

e. Click Add. The following list of domain users appears.

f. Select the All check box.
4. Click OK to close the Authentication Profile page and return to the Palo Alto main page.
5. Click Commit at the top of the Palo Alto main page to save the configuration changes.
Note: The GlobalProtect portal and gateway are both configured on ethernet1/2, the physical interface where the GlobalProtect clients connect. After the clients connect and successfully authenticate to the portal and gateway, the agent establishes a VPN tunnel from its virtual adapter, which has been assigned an address from the IP address pool associated with the gateway tunnel.

Step 3.1: Create zones for VPN
1. Click the Network tab and then in the navigation pane select Zone.
2. Click Add at the bottom of the page. The Zone page appears.

3. In the Zone page, do the following:
a. In the Name field enter a name for the zone (for example, Corp-zone or Trust).
b. In the Type field select Layer3 from the drop-down list.
c. Select the Enable User Identification check box.
4. Click OK to save the zone and return to the Palo Alto main page and then click Commit.
5. Repeat this procedure to create an Untrust zone.

Step 3.2: Configure an Ethernet interface for VPN
1. Click the Network tab and then in the navigation pane select Interfaces. The Network Interfaces page appears.

2. Click the Ethernet tab and then do the following:
a. Click Ethernet1/2. The Ethernet Interface page appears.

b. From the Interface Type drop-down list, select Layer3.
c. From the Virtual Router drop-down list, select Default.
d. From the Security Zone drop-down list, select untrust.
3. Click the IPv4 tab. The IPv4 page appears.

4. In the IPv4 page, do the following:
a. Click Add. The IPv4 page updates for you to enter the IPV4 static IP address.

b. Enter the IPV4 static IP address (for example, 10.10.10.35/24).
5. Click the Advanced tab to create a management profile. The Ethernet Interface advanced options appear.

6. From the Management Profile drop-down list, select New to create a management profile. The Interface Management Profile page appears.

7. In the Interface Management Profile page, do the following:
a. In the Name field enter a name for the Management Profile.
b. In the Permitted Services list, select the services to allow through management access.
c. Click OK to return to the Ethernet Interface advanced settings page.

8. Select the Untagged Subinterfaces check box.
9. Click OK to return to the Palo Alto main page and then click Commit.

Step 3.3: Configure a tunnel interface for the Gateway
1. Click the Network tab and then in the navigation pane select Interfaces. The Interfaces page appears.
2. Click the Tunnel tab and select the tunnel 2 interface.

3. Click Add. The Tunnel Interface page appears.

4. In the Tunnel Interface page, do the following:
a. Next to the Interface Name field, type a number between 1 and 9999 (for example, 2).
b. Click the Config tab.
c. From the Virtual Router drop-down list, select a virtual router, for example, Default.
d. From the Security Zone drop-down list, select Trust.
5. Click OK to return to the Palo Alto main page.
6. Click Commit.
Log in to Palo Alto and create a server certificate for the interface hosting the GlobalProtect portal and Gateway using one of the following methods:

Step 4.1: Import a certificate from Entrust
1. Click the Device tab and then in the navigation pane select Certificate Management > Certificates. The Certificates page appears.

2. Select the device certificate and click Import. The Import Certificate page appears.

3. In the Import Certificate page, do the following:
a. In the Certificate File field, click Browse to select the certificate you want to import.
b. From the File Format drop-down list do one of the following:
– If you select Encrypted Private Key and Certificate (PKCS12), select the Private key resides on Hardware Security Module check box.
– If you select Base64 Encoded Certificate (PEM), you must import the key separately from the certificate.
c. If a hardware security module (HSM) stores the private key for this certificate, select the Private key resides on Hardware Security Module check box, go directly to the Passphrase field and enter and confirm the Passphrase used to encrypt the private key.
d. If the private key for this certificate is not stored on an HSM, you must do the following:
– Select the Import Private Key check box.
– Enter the Key File or Browse to select it.
– Enter and confirm the Passphrase used to encrypt the private key.
4. Click OK. The Certificates page displays the imported certificate.

Step 4.2: Generate a certificate from Entrust
1. Click the Device tab and then in the navigation pane select Certificate Management > Certificates. The Certificates page appears.

2. Click Generate at the bottom of the page. The Generate Certificate page appears.

3. In the Generate Certificate page, do the following:
a. In the Certificate Name field, enter a certificate name (for example, TestCertificate).
b. In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
c. In the Signed By field, from the drop-down list select the root CA certificate that will issue the certificate.
d. Optionally, select an OCSP Responder from the drop-down list.
e. From the Algorithm drop-down list, select RSA.
f. Select the Number of Bits to define the certificate key length.
g. Select the Digest algorithm.
Note: From most to least secure, the options are sha512, sha384, sha256 (default), sha1, and md5.
h. In the Expiration field, enter the number of days (default is 365) for which the certificate is valid.
i. Click Generate. The Certificate Information page appears.

4. Click Commit on Palo Alto main page.

Create a security policy for VPN
To enable access to your internal resources, you need to create a security policy to enable traffic flow between the corp-vpn zone and the l3-trust zone.
1. In the Palo Alto main page, click the Policies tab and then in the navigation pane select Security.

2. Click Add at the bottom left of the page to add a new rule. The Security Policy Rule page appears.

3. In the Security Policy Rule page, do the following to define the rule:
a. In the Name field enter a name (for example, VPN_Access).
b. Select the Source tab. The Security Policy Rule page updates for you to add a source zone.

c. Click Add at the bottom of the Source Zone. A list of source zones appears.
d. From the Source Zone drop-down list, select Corp-zone.
e. Click Any in the Source Address field to define the source address.
4. Click the Destination tab. The Destination options page appears.

5. In the Destination options page, do the following:
a. Click Add under Destination Zone. The page updates for you to select a destination zone.

b. From the Destination Zone drop-down list select Untrust.
c. For the Destination Address, select the Any check box.
6. Click the Application tab to specify the application services you want to enable for the remote access user. The Applications option page appears.
7. In the Applications option page, click Add and search the application services (for example, HTTPS, RADIUS, LDAP) and then select the applicable services.
8. Click OK to return to the Palo Alto main page and then click Commit.

Create an SSL/TLS profile
1. In the Palo Alto main page, click the Device tab and then in the navigation pane select Certificate Management > SSL/TLS Service Profile.

2. Click Add. The SSL/TLS Service Profile page appears.

3. In the SSL/TLS Service Profile page, do the following:
a. In the Name field, enter a name for the SSL/TLS service profile.
b. From the Certificate drop-down list, select a certificate
c. From the Min Version drop-down list, select TLSv1.0.
d. From the Max Version drop-down list, select TLSv1.2.
4. Click OK to return to the Palo Alto main page and then click Commit.
Note: GlobalProtect provides a complete infrastructure for managing your mobile workforce to enable secure access for all your users, regardless of what devices they are using or where they are located. GlobalProtect Gateways provide security enforcement for traffic from GlobalProtect agents and apps and the GlobalProtect portal provides the management functions for your GlobalProtect infrastructure.

Step 7.1: Configure a GlobalProtect Gateway
1. In Palo Alto, click the Network tab and in the navigation pane, select GlobalProtect > Gateways.

2. Click Add to create a new Gateway. The Global Protect Gateway page appears.

3. In the GlobalProtect Gateway page, do the following:
a. In the Name field, enter a name for the GlobalProtect Gateway (for example, GlobalProtect_Gateway).
b. From the Interface drop-down list, select ethernet1/2.
c. From the IP Address drop-down list, select the ethernet1/2 interface IP address.
d. From the SSL/TLS Service Profile drop-down list, select the SSL/TLS service profile you created in the section Create an SSL/TLS profile.
e. From the Authentication Profile drop-down list, select Radius server Entrust IdentityGuard.
f. Optionally, customize the Authentication Message that will be shown on the login window.
4. Click the Client Configuration tab. The Client Configuration page appears.

5. In the Client Configuration page, do the following:
a. Select the Tunnel Mode check box.
b. From the Tunnel Interface drop-down list, select tunnel.20.
c. Specify the Max User as per the requirements.
d. Select the Enable IPSec check box.
e. In the GlobalProtect IPSec Crypto field, select default from the drop-down.
f. Leave other settings at the default settings.
g. Click OK to return to the GlobalProtect Gateway.
6. On the GlobalProtect Gateway page, click the Network Settings tab. The Network Settings page appears.

7. Click Add to create a new client entry. A Configs page appears for you to enter the client information.

8. In the Configs page, do the following:
a. In the Name field enter a name for your client.
b. Select a Source User (for example, Any).
c. In the OS field select Any.
9. Select the Network Settings tab. The Network Settings options page appears.

10. Click Add to create an IP Pool for clients and enter an IP address range followed by a dash (for example, 10.10.10.20-10.10.10.30).
11. In the Access Route pane, click Add to create an Access route and enter the interface subnet.
For example, if the ethernet1/2 interface has the IP address 10.10.10.35 with a /24 subnet, enter the subnet as 10.10.10.0/24.
12. Click OK to return to the GlobalProtect Gateway page.
13. On the GlobalProtect Gateway page, click the Network Services tab.

14. For the Network Services options, do the following:
a. From the Inheritance Source drop-down list, select none.
b. From the Primary DNS drop-down list, select the DNS IP address.
c. Optionally, from the Secondary DNS drop-down list, select the IP address for the secondary DNS.
15. Click OK to return to the Palo Alto main page and then click Commit.

Step 7.2: Configure GlobalProtect Portal
1. In Palo Alto, click the Network tab and in the navigation pane, select GlobalProtect > Portals.

2. Click Add to create a new Portal. The GlobalProtect Portal page appears.

3. In the GlobalProtect Portal page, do the following:
a. In the Name field enter any name for the Portal.
b. From the Interface drop-down list, select the ethernet1/2 interface.
c. From the IP Address drop-down list, select the ethernet1/2 interface IP address.
d. From the SSL/TLS Service Profile drop-down list, select the SSL/TLS service profile you created in Creating an SSL/TLS profile.
e. From the Authentication Profile drop-down list select, IdentityGuard.
f. Optionally, in the Authentication Message field, modify the login page message.
g. Select the Client Certificate from the drop-down list.
h. Optionally, select the Certificate Profile from the drop-down list.
i. Do not select the Disable Login Page check box.
j. Leave the other settings at the default values.
4. Click the Agent Configuration tab. The Agent Configuration page appears.

5. Click Add at the bottom of the page. The Configs page appears.
6. In the Configs page, do the following:
a. In the Name field, enter a portal name, for example, VPN_Portal.
b. Select the Use single sign-on (Windows only) check box.
c. From the Connect Method drop-down list, select user-logon (Always On).
d. From the Client Certificate drop-down list, select the certificate.
e. Leave other settings at the default values.
7. Click the Gateways tab. The Gateways Configs page appears.

8. In the Gateways Configs page do the following:
a. Click Add under External Gateways. The Gateway Configs page updates so that you can enter the External Gateways information.

b. In the Name field, enter a name for the gateway, for example IdentityGuard.
c. In the Address field, enter the IP address of ethernet1/2.
d. Select the Priority as Highest.
e. Select the Manual check box.
f. Click OK. You are returned to the GlobalProtect Portal page.
9. Click OK to close the GlobalProtect Portal page and return to the Palo Alto main page and then click Commit.

Configure the static route
Configure the static route to reach the subnets within the corporate network from which the administrator or user accesses the Palo Alto admin page or the Palo Alto GlobalProtect client page. Configure the network subnet to allow traffic for all the networks and VLANs.
1. Log in to the Palo Alto web management interface. The Palo Alto Dashboard page appears.
2. Click the Network tab and in the navigation pane, select Virtual Routers > Default.

3. Select the check box next to default. The Virtual Router Default page appears.

4. In the Virtual Router Default page, do the following:
a. Click the Static Routes tab.

b. Click Add. The Static Route page appears for you to enter the static route values.
c. In the Name field, enter a name for the static route.
d. In the Destination field, enter the network subnet IP address (for example, if you have different VLANs with network IP address 10.10.20.1/24, 10.10.30.1/24, 10.10.40.1/24…etc., then you need to enter the subnet IP address as 10.10.0.0/16).
5. Click OK to save the changes and return to the Palo Alto main page and then click Commit.
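As an added illustration of the route summarization in step 4d (example code added here; it is not part of the guide and not PAN-OS code), the following Python uses the standard ipaddress module to compute the smallest single prefix that covers the VLAN subnets the guide lists, and to check a candidate destination such as the guide's 10.10.0.0/16 for coverage and for how many extra addresses it admits beyond those VLANs. The VLAN list is the guide's own example; the function names are this example's own.

```python
import ipaddress

# Constructed sample: the VLAN subnets the guide uses as its example.
# Host-style notation (10.10.20.1/24) is accepted and normalised to the network.
VLAN_SUBNETS = ["10.10.20.1/24", "10.10.30.1/24", "10.10.40.1/24"]


def to_networks(cidrs):
    """Normalise CIDR strings to network objects (strict=False drops host bits)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def smallest_summary(cidrs):
    """Return the smallest single prefix that contains every listed subnet."""
    nets = to_networks(cidrs)
    summary = nets[0]
    # Widen the prefix one bit at a time until every subnet fits inside it.
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def route_covers(route_cidr, cidrs):
    """True when the static route's destination contains every listed subnet."""
    route = ipaddress.ip_network(route_cidr, strict=False)
    return all(n.subnet_of(route) for n in to_networks(cidrs))


def excess_addresses(route_cidr, cidrs):
    """Addresses the route reaches that belong to none of the listed subnets."""
    route = ipaddress.ip_network(route_cidr, strict=False)
    listed = sum(n.num_addresses for n in to_networks(cidrs) if n.subnet_of(route))
    return route.num_addresses - listed


if __name__ == "__main__":
    best = smallest_summary(VLAN_SUBNETS)
    print("smallest summary:", best)  # 10.10.0.0/18
    for candidate in ("10.10.0.0/16", str(best)):
        print(candidate, "covers:", route_covers(candidate, VLAN_SUBNETS),
              "extra addresses:", excess_addresses(candidate, VLAN_SUBNETS))
```

For the three example VLANs the tightest summary is 10.10.0.0/18; the guide's 10.10.0.0/16 also covers them but routes a larger address range through the same next hop, so the excess count is a quick way to see how much a summary route over-reaches before committing it.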

Configure the GlobalProtect client
Download and configure the GlobalProtect client on the client PC
1. Open a Web browser on the client computer.
2. Enter the portal address, for example https://my.company.com or https://10.10.10.35. The GlobalProtect login window appears.

3. Enter the Active Directory username and password.
4. Click Logon. You are brought to the GlobalProtect Portal download page.

5. Click Download Windows GlobalProtect agent.
Note: Select the GlobalProtect Agent download appropriate for the version of Windows running on the client computer.

6. Double-click to open the downloaded GlobalProtect Agent.

7. You are prompted to install the GlobalProtect Agent. Select Yes.

Step 10.1: Add Palo Alto to Identity as a Service
Note: Entrust recommends that when multiple RADIUS applications are configured that each RADIUS application is given a unique shared secret.
Integrate a RADIUS client
1. Click the menu icon > Security > Applications. The Applications page appears.
2. Click Add. The Select an Application Template page appears.
3. Under RADIUS and VPN Integrations, click Palo Alto. The Add Palo Alto page appears.
4. Optional: Edit the Application Name.
5. Optional: Enter a Description for your application.
6. Optional: Add a custom application logo as follows:
a. Click the icon next to Application Logo. The Upload Logo dialog box appears.
b. Click the icon to select an image file to upload.
c. Browse to select your file and click Open. The Upload Logo dialog box displays your selected image.
d. If required, resize your image.
e. Click OK.
7. Click Next. The Setup page appears.
8. Click Add next to Hosts to add the host name of the VPN server. The RADIUS agent receives the request on this host. The RADIUS agent on the Gateway determines which RADIUS application the request is for based on the host name and port.
9. Enter the host name in the Host dialog box and then click OK. Repeat this step to add more host names.
10. In the Port field, enter the port on which the RADIUS agent accepts messages.
Tip: Do not enter 8443 as the port number for this application. Port 8443 is used by the Entrust Identity Enterprise agent in your Gateway.
Attention: The RADIUS agent uses the host name that sent a request and the port number on which it received the request to determine which RADIUS application made the request. Because of that:
– Two RADIUS applications with the same port value cannot share any host names.
– Two RADIUS applications that have one or more matching host names must have different port values.
11. In the Shared Secret field, enter the shared secret that is used by your VPN server. This is the RADIUS secret shared between your VPN server and the RADIUS server. The shared secret value must match a shared secret in your RADIUS client.
12. From the Select RADIUS Agent drop-down list, select the name of the Gateway containing the RADIUS agent to which this application will be assigned.
13. Optional: From the Select RADIUS Attribute for IP Address drop-down list, select the RADIUS attribute that corresponds to your IP location.
14. In the Challenge Response Queue Max Time field, set the number of seconds that the RADIUS agent waits for a response to first-factor authentication. The default value is 180 seconds.
15. In the Challenge Response Queue Max Size field, set the maximum number of second-factor challenge requests allowed in the queue of your RADIUS application. The default value is 1000 requests. The maximum value is 10,000.
16. In the Request Cache Timeout field, set the number of seconds to cache requests. The default value is 10 seconds.
17. From the Character Set drop-down list, select the character set used to decode and encode string values (including the user ID and password values) in RADIUS messages. The options are UTF-8 and ISO-8859-1.
18. Optional: Select Log RADIUS messages to enable RADIUS message logging. When enabled, messages for the RADIUS agent are logged to the same log file as the gateway logs.
19. Optional: Enable the Authentication Settings.
Select Enable Push Authentication Fallback if you want authentication to fall back to another authenticator in the event of a failure. If required, set the Push Authentication Fallback Timeout to the number of minutes before the push authentication times out.
Select When authenticating the user will be asked to select their second-factor authenticator. When selected, after the user responds to the first-factor challenge, they are prompted to select their second-factor authenticator. The list of available second-factor authenticators is set by the resource rule.
The following is a list of supported strings matched to the authentication types:
Grid: grid
Knowledge-based Authentication: kba
One-time password: email, sms, voice
Smart Credential Push: scpush
Temporary Access Code: tac
Token: token
Token push: push
Select Indicate if requests must include the message-authenticator attribute for incoming messages to require that incoming messages include the Message-Authenticator attribute.
Select Indicate if requests must include the message-authenticator attribute for outgoing messages to include the Message-Authenticator attribute in outgoing messages.
Select Remove domain from user ID for incoming requests to remove the domain value from the user ID during authentication when the user ID provided by the RADIUS client is in the format domain\username and the user ID in IDaaS is in the format username.
Select Indicate if Active Directory password authentication requests are handled by the same Gateway Instance that initiated the request to require that Active Directory password authentication and change requests initiated as part of the RADIUS authentication are handled by the same Gateway Instance that initiated them. If disabled, the request can be handled by any Gateway Instance in the Gateway cluster.
Select Enable one-step multi-factor authentication. When enabled, the user enters their user ID and then their password and token response in the password field. If you select this option, second factor authenticators available in the resource rule are limited to token and temporary access code.
Enter the One-step multi-factor authentication security token length. This is the length of the token or temporary access code response if you enable one-step multi-factor authentication.
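The following example is added here and is not Entrust or Palo Alto code; it models, on the receiving side of a RADIUS request, four of the rules this procedure describes: selecting the application by source host name and port (the Attention note under step 10, which is why the (host, port) pair must be unique), verifying the Message-Authenticator attribute with that application's shared secret (step 11 and the incoming-message setting above; the check is the RFC 2869 HMAC-MD5 over the whole Access-Request with the attribute value replaced by 16 zero bytes), stripping a domain\ prefix from the user ID, and splitting a one-step password field into password and token using the configured token length. The application names, host names, secrets and packet contents are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed sample registry of two RADIUS applications on one Gateway.
# The agent looks an application up by (host name, port), so that pair must be unique.
APPLICATIONS = [
    {"name": "PaloAlto-VPN", "hosts": {"pa-vm.corp.example"}, "port": 1812, "secret": b"vpn-secret-one"},
    {"name": "Other-VPN", "hosts": {"other-vpn.corp.example"}, "port": 1812, "secret": b"vpn-secret-two"},
]

USER_NAME = 1                 # RADIUS attribute types (RFC 2865 / RFC 2869)
MESSAGE_AUTHENTICATOR = 80
ACCESS_REQUEST = 1            # RADIUS packet code


def validate_applications(apps):
    """Reject configurations where two applications would both claim the same host and port."""
    owner = {}
    for app in apps:
        for host in app["hosts"]:
            key = (host, app["port"])
            if key in owner:
                raise ValueError(f"{app['name']} and {owner[key]} both claim {host}:{app['port']}")
            owner[key] = app["name"]
    return owner


def find_application(apps, host, port):
    """Select the application a request belongs to from its source host and the receiving port."""
    for app in apps:
        if app["port"] == port and host in app["hosts"]:
            return app
    return None


def build_access_request(identifier, authenticator, user_name, secret):
    """Build an Access-Request carrying User-Name and a valid Message-Authenticator."""
    attrs = bytes([USER_NAME, 2 + len(user_name)]) + user_name
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)   # placeholder of 16 zero bytes
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()  # HMAC over the zeroed packet
    return header + attrs[:-16] + mac


def parse_attributes(packet):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet size")
    offset = 20
    while offset < length:
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            raise ValueError("malformed attribute")
        yield offset, attr_type, packet[offset + 2:offset + attr_len]
        offset += attr_len


def verify_message_authenticator(packet, secret):
    """True only if the packet carries a Message-Authenticator that matches the secret."""
    for offset, attr_type, value in parse_attributes(packet):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # attribute absent: reject when "must include" is set


def strip_domain(user_id):
    """Turn DOMAIN\\user into user so it matches the user ID stored in IDaaS."""
    return user_id.split("\\", 1)[1] if "\\" in user_id else user_id


def split_one_step(password_field, token_length):
    """One-step MFA: the last token_length characters of the password field are the token response."""
    if len(password_field) <= token_length:
        raise ValueError("password field is not longer than the configured token length")
    return password_field[:-token_length], password_field[-token_length:]
```

Validating the registry up front is the programmatic form of the Attention note: a second application that adds an already-used host on the same port is rejected instead of silently shadowing the first one. Because each application has its own shared secret, the lookup by (host, port) also decides which secret the Message-Authenticator is checked against, which is why the note above step 1 recommends a unique secret per RADIUS application.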
20. Optional: Add Response Attributes. Response attributes are returned to the RADIUS application after successful authentication. Use this setting to configure RADIUS attributes to return information such as the user's group information to the VPN server.
When adding response attributes, you can optionally add group filters. For example:
Users in IDaaS may belong to one of the following groups: CANADA, US, UK, FRANCE.
The VPN server wants the FilterID attribute returned from the IDaaS RADIUS agent to be the value NA or EUROPE, depending on whether the user is in NA (Canada, US) or Europe (UK, France).
To do this, use a RADIUS attribute filter for the FilterID attribute with a Groups value with the following filters:
- match CANADA, replace NA
- match US, replace NA
- match UK, replace EUROPE
- match FRANCE, replace EUROPE
Set the Response Attributes as follows:
Click 
		  Add. The Add 
		 a Response Attribute 
		 dialog box appears.
 Add. The Add 
		 a Response Attribute 
		 dialog box appears.
Select the RADIUS Attribute ID from the drop-down list. The option you select depends on your VPN vendor.
Select the Value Type from the drop-down list.
To return a static value specific in the RADIUS attribute definition, select Static and enter a Value in the field and then click Add.
To return the user’s group membership, select Group and then optionally do the following:
Click Add to add filters.
Enter the Match and the Replace attribute filters.
Click Add to add more attribute filters.
If you add multiple filters, you can drag and drop them in order of preference.
Select Stop after matching filter if you want the filter to return only one value. Using the example above, if you want NA to have preference over EUROPE, make sure to list CANADA and US ahead of UK and FRANCE in the list of filters.
For Multiple Values Per Attribute, enter the Value Separator and then click Add.
Note: If a user belongs to more than one group, you can either add a separate attribute to your RADIUS response for each group or you can combine all of the groups into a single attribute. For example, if the user belongs to G1, G2, G3, then you would either:
- return a RADIUS response with three attributes, or
- return a RADIUS response with one attribute and a value like “G1,G2,G3” where the comma is defined in the Value Separator setting, or a value like “G1 G2 G3” where the Value Separator is defined as a space.
Attention: The default group separator is a space. If you have group names that are separated by a space, use another separator, such as a comma.
Repeat these steps to add more response attributes.
21. Optional: Configure the EAP Settings to set up the application to use the EAP RADIUS authentication protocol.
a. Select EAP Enabled to allow the RADIUS application to accept EAP messages.
– When enabled, authentication messages with EAP content are treated as EAP requests. The application can accept only EAP authentication requests.
– When disabled, incoming authentication requests are processed by the RADIUS application as a standard RADIUS authentication request (even if the request includes EAP content). In this case, the application can accept only standard RADIUS authentication requests.
b. Select the EAP Protocol from the drop-down list. The options are PEAPv0 with MS-CHAPv2 and PEAPv1 with GTC.
This setting defines the type of EAP authentication protocol that is performed on EAP requests received by the RADIUS application. Consult the configuration requirements of your VPN server to determine which EAP protocol to select.
c. Select Return MPPE Keys to include the MPPE (Microsoft Point-to-Point Encryption) recv and send keys in the Access-Accept message returned during a successful EAP authentication. The setting is enabled by default.
d. Select Use PEAPv1 label when calculating MPPE Keys to use the PEAPv1 label when calculating the MPPE recv and MPPE send keys.
e. Leave the Minimum TLS Version, Maximum TLS Version and Allow Weak Ciphers at their default settings unless you have an older VPN server that does not support the latest TLS versions and you need to allow older versions of TLS or weaker ciphers to interoperate with it.
22. Configure the Deprecated Settings if your RADIUS application is connected to a Gateway version older than 3.0. These values are only required for backwards compatibility.
a. Select Token OTP Only, Password with second-factor, or No first-factor as the Authentication Type. This setting defines the level of authentication required to access a RADIUS application that relies on a gateway RADIUS agent configured before release 3.1.
Note: MSCHAPv2 authentication is not supported when No first-factor authentication is configured for the RADIUS application.
23. Click Submit.
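As an added illustration of how the group filters, the Stop after matching filter option and the Value Separator from step 20 combine, the following Python is example code written for this guide, not Identity as a Service or Palo Alto code. The function names, the use of Filter-Id as the attribute name, the case-insensitive group comparison and the sample group names are assumptions of this example.

```python
"""Group-to-RADIUS-attribute mapping as described in the Response Attributes step.

Added example, not Identity as a Service code. It models the Match/Replace
filter rows, their drag-and-drop order, the Stop after matching filter
option and the Value Separator, and refuses a separator that also occurs
inside a group name (the guide's Attention note about the default space).
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class GroupFilter:
    """One Match/Replace row from the Add a Response Attribute dialog."""
    match: str    # group name to look for
    replace: str  # value returned when the user is in that group


def evaluate_group_filters(user_groups: Sequence[str],
                           filters: Sequence[GroupFilter],
                           stop_after_match: bool) -> List[str]:
    """Walk the filters in configured order and collect replacement values."""
    # Earlier filters take preference because they are evaluated first.
    # Group comparison is case-insensitive here (assumption of this example);
    # each matching filter contributes one value, with no de-duplication.
    groups = {g.casefold() for g in user_groups}
    values: List[str] = []
    for f in filters:
        if f.match.casefold() in groups:
            values.append(f.replace)
            if stop_after_match:
                break
    return values


def build_response_attributes(attr_id: str,
                              user_groups: Sequence[str],
                              filters: Optional[Sequence[GroupFilter]] = None,
                              stop_after_match: bool = False,
                              multiple_values_per_attribute: bool = False,
                              separator: str = " ") -> List[Tuple[str, str]]:
    """Return the (attribute, value) pairs to place in the Access-Accept."""
    if filters:
        values = evaluate_group_filters(user_groups, filters, stop_after_match)
    else:
        values = list(user_groups)  # no filters: return the raw group names
    if not values:
        return []
    if not multiple_values_per_attribute:
        # One attribute instance per value (e.g. three Filter-Id attributes).
        return [(attr_id, v) for v in values]
    # Combine into a single attribute. A separator that also appears inside a
    # value cannot be split back apart by the VPN server, so reject it.
    for v in values:
        if separator in v:
            raise ValueError(f"value {v!r} contains the separator {separator!r}; "
                             "choose another Value Separator")
    return [(attr_id, separator.join(values))]


# The NA/EUROPE example from the guide, in preference order.
REGION_FILTERS = [
    GroupFilter("CANADA", "NA"),
    GroupFilter("US", "NA"),
    GroupFilter("UK", "EUROPE"),
    GroupFilter("FRANCE", "EUROPE"),
]

if __name__ == "__main__":
    user = ["UK", "CANADA"]  # constructed sample membership
    print(build_response_attributes("Filter-Id", user, REGION_FILTERS))
    print(build_response_attributes("Filter-Id", user, REGION_FILTERS, stop_after_match=True))
    print(build_response_attributes("Filter-Id", user, REGION_FILTERS,
                                    multiple_values_per_attribute=True, separator=","))
```

Running the block with a user in both UK and CANADA shows the three behaviours side by side: two Filter-Id attributes (NA first because CANADA sits ahead of UK in the filter list), a single NA when Stop after matching filter is set, and "NA,EUROPE" when the values are combined with a comma.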

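To make the EAP Enabled behaviour from step 21 concrete, the following added example (written for this guide, not Identity as a Service or Palo Alto code) parses a constructed RADIUS Access-Request, classifies it the way the switch describes, and applies the check RFC 3579 requires before any EAP-Message is trusted: a valid Message-Authenticator, the HMAC-MD5 of the packet under the shared secret. The shared secret, the packet contents and the function names are constructed for this example.

```python
"""Classify a RADIUS Access-Request as EAP or standard and check its
Message-Authenticator (RFC 3579). Added example, not Identity as a Service code;
secret, identifiers and packet contents are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Sequence, Tuple

ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Return (type, value) pairs from the attribute section of a RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs, pos = [], 20  # 20-byte header: code, id, length, authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_access_request(identifier: int, attrs: Sequence[Tuple[int, bytes]],
                         secret: Optional[bytes] = None) -> bytes:
    """Build an Access-Request; with a secret, append a valid Message-Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if secret is not None:
        body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)  # zeroed first
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + os.urandom(16) + body
    if secret is not None:
        # HMAC-MD5 over the whole packet with the attribute value set to zeros.
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the attribute value zeroed and compare in constant time."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False  # attribute absent


def classify_request(packet: bytes, secret: bytes, eap_enabled: bool) -> str:
    """Mirror the EAP Enabled switch: returns 'eap', 'standard' or 'reject'."""
    if packet[0] != ACCESS_REQUEST:
        return "reject"
    has_eap = any(t == EAP_MESSAGE for t, _ in parse_attributes(packet))
    if not eap_enabled:
        return "standard"  # EAP content ignored; handled as a plain RADIUS request
    if not has_eap:
        return "reject"    # the application accepts only EAP requests
    if not verify_message_authenticator(packet, secret):
        return "reject"    # RFC 3579: EAP-Message without a valid Message-Authenticator
    return "eap"


if __name__ == "__main__":
    secret = b"constructed-secret"
    # EAP Response/Identity for "alice": code 2, id 1, length 10, type 1.
    eap_req = build_access_request(1, [(USER_NAME, b"alice"),
                                       (EAP_MESSAGE, bytes([2, 1, 0, 10, 1]) + b"alice")], secret)
    pap_req = build_access_request(2, [(USER_NAME, b"alice"), (USER_PASSWORD, bytes(16))])
    for enabled in (True, False):
        print(enabled, classify_request(eap_req, secret, enabled), classify_request(pap_req, secret, enabled))
```

The block builds one request carrying EAP-Message and one ordinary request, then shows how each is treated with EAP Enabled on and off; tampering with any byte of the EAP request, or using the wrong shared secret, turns the EAP classification into a reject.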
Step 11.1: Test GlobalProtect VPN for one-step authentication
1. Go to the client PC and double-click to open the GlobalProtect Agent.

Note: It is assumed that you have already deployed the GlobalProtect Agent software to the client computer as outlined in the section Deploy and configure the GlobalProtect Client.
2. In the Username field, enter the Identity as a Service username.
3. In the Password field, enter the Identity as a Service token response.
4. Click Apply.
5. In the GlobalProtect page, select File > Enable.
6. A Server Certificate page appears.
7. Click Continue. The GlobalProtect Welcome page appears.
8. Select File > Disable to disconnect the VPN session.
 

Step 11.2: Test GlobalProtect for two-step authentication
1. Go to the client PC and double-click to open the GlobalProtect Agent.

Note: It is assumed that you have already deployed the GlobalProtect Agent software to the client computer as outlined in the section Deploying and configuring GlobalProtect Client.
2. In the Username field, enter the Identity as a Service username.
3. In the Password field, enter the Identity as a Service token response.
4. Click Apply.
5. In the GlobalProtect page, select File > Enable.
6. Click Continue. You are prompted to enter the second-factor authentication response.
7. Enter the second-factor authentication response. The challenge depends on the type of second-factor authentication you have configured in Identity as a Service.
Once you are connected, the GlobalProtect Welcome page appears.
8. Select File > Disable to disconnect the VPN connection.

Step 11.3: Test GlobalProtect using Entrust push authentication
Test using the Entrust Identity app for push authentication:
1. Log in with the correct first-factor username/password on your RADIUS client.
2. Open the Entrust Identity app on a mobile device.
3. Unlock (log in) using the identity you want to use to respond to the request.
4. Tap Actions.
5. Review the transaction summary details.
6. Tap Confirm.