Palo Alto MFA for admin accounts
Last updated
Last updated
Palo Alto Networks GlobalProtect Integration
This guide explains the instructions on configuring Mirket multi-factor authentication for Palo Alto Networks Admin login .
Follow these steps to configure Palo Alto:
Select the Device tab and go to Service Profiles > Radius from the menu.
Click on Add to create a new profile.
Enter a name in the Profile Name field; for instance, "MirketRadius".
Input "60" in the Timeout field.
Input "1" in the Retries field.
Choose PAP option from the Authentication Protocol dropdown list.
Click on Add to add a Radius server, in the Servers section.
Enter a name for the Radius server; for instance "MirketGW".
Input the IP address of the server where the "Mirket Radius" is installed in the RADIUS Server field.
Input "1812" in the Port field. You should define your own port here. Then click on OK to confirm settings.
Return to the Device tab and go to Setup, from the menu. Then select the Services tab.
Click on Service Route Configuration under the Service Feature.
Check the IP address Palo Alto connect for radius request and make sure radius packets (Udp 1812 and Udp 1813) are allowed between Palo Alto and Mirket.
Select the Device tab and go to Authentication Profile, from the menu.
Then, click on Add to create a new profile.
Enter a name for the authentication profile; for instance, RadiusMirketProfile.
Choose "RADIUS" option from the Type dropdown list.
Enter a domain name in the User Domain field.
Click on the Advanced tab.
Then, choose "all" option in the Allow List.
Then, Click OK.
Then click on Commit to save settings on the top right side.
Select the Device tab and go to Administrators, from the menu.
Then, click on Add to create a new administrator account.
Enter a name for the administrator account in the Name field. In this instance, we input the name as "johnson".
Choose the previously created Authentication profile from the Authentication Profile dropdown list (e.g., RadiusMirketProfile).
Choose the "Superuser" option from the Administrator Type dropdown list.
Click on OK to confirm settings.
Click on Commit to save settings on the top right side.
To enable Mirket to receive authentication requests from GlobalProtect, follow these steps:
Before starting, ensure that you have installed Mirket Radius Gateway. To add a Radius Client to the Mirket Radius Gateway, follow these steps:
First, navigate to the directory C:\MirketRadius and open the config.json file.
Fill in the gateway and radiusClientList fields according to the provided specifications to ensure accurate and secure network configuration.
samName: Enter the SAM name of the gateway. In Mirket, user identification is done using the SAM (Security Account Manager) name. This is preferred over the standard username. This username is used for authentication and access controls. Please provide your domain name, such as 'mirket'.
authenticationPort: Enter the authentication port value you set for the gateway. The default value is 1812.
accountingPort: Enter the accounting port value you specified for the gateway. The default value is 1813.
gatewayIp: Enter the IP address of the server where the Mirket is installed.
ipAddress: Enter the IP address of your firewall.
secretKey: Enter your secret key. This secret key is used to link your radius client and radius server, so ensure they are identical.
Once you've made the necessary changes to the config.json file, save and close it. Note: You can add multiple RADIUS clients.
After completing the configuration, restart the 'Mirket Radius Gateway Service'.
To set up multifactor authentication, make sure you have at least one user group in Mirket.
If it is preferred to use a local user, first create a local group and then create a local user and make the user a member of the group.
If it is preferred to use LDAP users, the priority LDAP group is created by pulling users from Active Directory or OpenLDAP in Mirket.
Radius Rules define user access to resources and the authentication methods available (such as SMS, Approve / Deny, OTP etc.).
First, you should follow these steps:
Select Rules > Radius Rules.
Click on Add New.
Enter a rule name in the Name field.
Enter the rule description in the Description field.
Select the group to which the rule applies from the Group dropdown list.
Select the provider to which the rule applies from the Provider dropdown list.
Click on Save to confirm settings.
Input a shared secret key to communicate with the RADIUS server in the Secret field (Mirket Radius). In Mirket use this same secret key when .
Choose the previously created profile from the Server Profile dropdown list(e.g., MirketRadius).
