Integrating Multifactor Authentication on Your Palo Alto Networks GlobalProtect VPN

Posted by Benjamin Lycke Henriksen on Dec 10, 2015 9:43:58 AM

Using two- or multifactor authentication on your Remote Access systems is a must. Every week, millions of user credentials are stolen — credentials that can potentially lead to unauthorized access into your network.

The GlobalProtect VPN allows for a large variety of configurations to meet the customer's individual needs. One popular way to add multifactor authentication is to implement an LDAP profile for your GlobalProtect Portal and combine it with a RADIUS profile on the GlobalProtect Gateway.

This article will demonstrate how to configure a Palo Alto Networks NGFW, running PAN-OS 7.0.x with a basic LDAP/RADIUS setup, for multifactor authentication. (The following assumes you are familiar with basic Server Profiles and Authentication Profiles and have an existing GlobalProtect Portal/Gateway in place.)

Adding external authentication to your GlobalProtect setup is done through Authentication Profiles, each of which contains a Server Profile.

Since GlobalProtect is made up of two primary components — the GlobalProtect Portal and Gateway — we’ll be employing LDAP for the Portal and RADIUS for the Gateway. One of the primary reasons for this is that if you're using a RADIUS server compatible with Challenge-Response (you should!), this will prevent a double login screen for the user.

From the web admin interface, start by creating a RADIUS and an LDAP Server Profile.

When creating the Server Profile, you want to make sure that the IP and RADIUS shared secret match the configuration for your RADIUS server.


If you are using User-Identification on your firewall (you should!), you will probably already have an LDAP server profile in place that you can use. If not, add a new LDAP profile:


With Server Profiles for RADIUS and LDAP in place, they need to be associated with Authentication Profiles:



After configuring Authentication Profiles, you can now add the LDAP Authentication Profile to the GlobalProtect Portal:


And the RADIUS profile to the GlobalProtect Gateway:


This concludes the most basic LDAP/RADIUS GlobalProtect implementation. Your users will now authenticate through both LDAP and RADIUS when connecting with the GlobalProtect VPN.
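
The shared secret entered in the RADIUS Server Profile has to match the server's because RADIUS (RFC 2865) uses it both to hide the User-Password attribute and to sign every reply, including the Access-Challenge used for Challenge-Response. The following is an added example, not part of the original post or any vendor code; it assumes the password is sent as a PAP User-Password, and all secrets, passwords and packet contents are constructed.

```python
import hashlib
import hmac
import struct

def hide_password(password, secret, request_auth):
    """Hide a PAP User-Password as RFC 2865 section 5.2 describes."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """What the RADIUS server recovers using its own copy of the secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: sign a reply with the Response Authenticator."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def reply_is_authentic(packet, request_auth, secret):
    """Client side: recompute the Response Authenticator and compare."""
    length = struct.unpack("!H", packet[2:4])[0]
    digest = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret)
    return hmac.compare_digest(digest.digest(), packet[4:20])

if __name__ == "__main__":
    # All values below are constructed for illustration.
    client_secret, server_secret = b"example-secret-A", b"example-secret-B"
    request_auth = bytes(range(16))
    hidden = hide_password(b"constructed-password", client_secret, request_auth)
    print("server recovers:", reveal_password(hidden, server_secret, request_auth))
    msg = b"Enter passcode"  # Reply-Message (type 18) in an Access-Challenge (code 11)
    challenge = build_reply(11, 1, bytes([18, 2 + len(msg)]) + msg,
                            request_auth, server_secret)
    print("client accepts reply:",
          reply_is_authentic(challenge, request_auth, client_secret))
```

With mismatched secrets the server recovers garbage instead of the password and the client discards the server's replies, so a login that always fails or times out despite correct credentials is a reason to re-check the secret on both sides.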

About the Author
Benjamin Lycke Henriksen currently works as a senior technical support engineer for SMS PASSCODE in Copenhagen, Denmark. He has worked in the IT industry for 10 years and has been working with Palo Alto Networks firewalls for four years. Benjamin is also the chapter leader for the Fuel Denmark Chapter.



Topics: Network Security, Cybersecurity, Palo Alto Networks
