Palo Alto SSL VPN Integration

Palo Alto Networks GlobalProtect Integration

General Overview

This guide explains the instructions on configuring Mirket multi-factor authentication for Palo Alto Networks GlobalProtect. Prior configuration and deployment of GlobalProtect are required before setting up MFA with Mirket.

Preparation Steps

Before proceeding with these procedures, ensure the following:

• You've completed the installation and configuration of the Mirket (go to Mirket Installation Steps).

• You've completed the initial setup (included vpn settings) of your Palo Alto NGFW.

• You've installed Palo Alto GlobalProtect on your client PC.

Configuring Palo Alto

Follow these steps to configure Palo Alto:

RADIUS Service Configuration

• Select the Device tab and go to Service Profiles > Radius from the menu.

• Click on Add to create a new profile.

Enter a name in the Profile Name field; for instance, "MirketRadius".

• Input "60" in the Timeout field.

• Input "1" in the Retries field.

• Choose PAP option from the Authentication Protocol dropdown list.

• Click on Add to add a Radius server, in the Servers section.

• Enter a name for the Radius server; for instance "MirketGW".

• Input the IP address of the server where the "Mirket Radius" is installed in the RADIUS Server field.

• Input a shared secret key to communicate with the RADIUS server in the Secret field (Mirket Radius). In Mirket use this same secret key when configuring a RADIUS client resource.

• Input "1812" in the Port field. You should define your own port here. Then click on OK to confirm settings.

• Return to the Device tab and go to Setup, from the menu. Then select the Services tab.

• Click on Service Route Configuration under the Service Feature.

• Check the IP address Palo Alto connect for radius request and make sure radius packets (Udp 1812 and Udp 1813) are allowed between Palo Alto and Mirket.

Authentication Profile Configuration

• Select the Device tab and go to Authentication Profile, from the menu.

• Then, click on Add to create a new profile.

• Enter a name for the authentication profile; for instance, RadiusMirketProfile.

• Choose "RADIUS" option from the Type dropdown list.

• Choose the previously created RADIUS service profile from the Server Profile dropdown list(e.g., Mirket Radius profile).

• Enter a domain name in the User Domain field. If the username formats used in policies are domain\username then select '%USERDOMAIN%\%USERINPUT%', in the Username Modifier.

• Click on the Advanced tab.

• Then, choose "all" option in the Allow List.

• Then, click on OK to confirm settings.

• Go to Authentication Sequence, from the menu. Then click on Add to create a new sequence.

• Enter a name for the authentication sequence; for instance, VPN_Authentication_Sequence.

• Then click on the Add option to add the authentication profile that you created from the Authentication Profiles dropdown list.

• Priorities of the profiles progress from top to bottom. To move a profile upwards, hover over it, hold it, and drag it upwards. The same process is applied to move the rule profile downwards.

• Then click on OK to confirm settings.

GlobalProtect Portal Configuration

• Select the Network tab and go to GlobalProtect > Portals, from the menu. Edit Portal Configuration and go to the Agent tab.

• Check the "Generate cookie for authentication override" checkbox.

• Click on OK to confirm settings.

GlobalProtect Gateway Configuration

• Select the Network tab and go to GlobalProtect > Gateways, from the menu. Go to the Agent Tab.

• Select the Agent tab and then select the Client Settings tab.

• Edit client settings. Then select the Authentication Override tab.

• Check the "Accept cookie for authentication override" checkbox.

• In the Cookie Lifetime section, choose the "Minutes" option from the dropdown list and input "1".

• Choose the certificate that you created from the Certificate to Encrypt/Decrypt Cookie dropdown list.

• Click on OK to confirm settings.

• Make sure you allow VPN users in the firewall policy.

• Click on OK.

• Access the administration shell of the PA device via SSH and activate the transmission of the PaloAlto-Client-Source-IP attribute for client IP addresses by comment below.

set authentication radius-vsa-on client-source-ip

• Then click on Commit to save settings on the top right side.

Configure Mirket

To enable Mirket to receive authentication requests from GlobalProtect, follow these steps:

Add Palo Alto as a Resource in Mirket with Radius Gateway

Before starting, ensure that you have installed Mirket Radius Gateway from the Configuration > Gateway. To add a Radius Gateway to the Mirket, follow these steps:

• Go to Configuration > Gateway and click on the Add Radius Gateway button.

• On the displayed screen, enter a name for your Radius Gateway in the Name field.

• Enter the SAM value of the gateway in the Sam Value field. In Mirket, user identification is done using the SAM (Security Account Manager) name. This is preferred over the standard username. This username is used for authentication and access controls.

• Enter the IP address of the server where the gateway is installed in the Host IP Address field.

• Enter the authentication port value you set for the gateway in the Auth Port field. The default value is 1812.

• Enter the accounting port value you specified for the gateway in the Acc Port field. The default value is 1813. Note: After completing these fields, you must create a RADIUS client for the newly created RADIUS Gateway.

• Click on the Add Radius Client option at the bottom of the displayed screen.

• Enter a name for your Radius Client in the Radius Client field.

• Enter the IP address of the client(firewall) that will communicate with the gateway in the IP Address field.

• Enter the secret key that the client will communicate with the gateway in the Secret Key field.

• Click on the Save button to confirm the settings.

Configuring Radius Gateway

• After creating the Radius Gateway, click on the Download > Config from the menu on the right side of the gateway.

• This option will generate a script related to the gateway, which will be displayed from the RADIUS Setup config file. The config file will automatically begin downloading once this option is selected.

• Replace the existing config file in the "C:\MirketRadius" directory with the downloaded file. Alternatively, copy the displayed script and paste it into the config file in "C:\MirketRadius".

• Then, restart the Mirket Radius Service.

You can check whether the Radius Gateway you created is active by navigating to Configuration > Gateway.

User and Group configuration on Mirket

To set up multifactor authentication, make sure you have at least one user or group in Mirket.

If it is preferred to use a local user, you can first create a local group and then create a local user and make the user a member of the group. Alternatively, you can create a local user without creating a local group.

• Create a Local Group to add users manually.

• Add local Mirket users manually.

If it is preferred to use LDAP users, the priority External Source is created by pulling users from Active Directory or OpenLDAP in Mirket. Note: Before proceeding, ensure that you have installed Mirket LDAP Gateway. (Refer to create LDAP Gateway.)

• Create an External Source to include LDAP users.

• Sync users from an external user database.

Add a Radius Rule to Mirket

Radius Rules define user access to resources and the authentication methods available (such as SMS, Approve / Deny, OTP, etc.).

First, you should follow these steps:

• Go to Configuration > Radius Rules.

• Click on the Add Radius Rule button.

• On the displayed screen, enter a name for the rule in the Name field.

• Enter the rule description in the Description field.

• Select the Radius Client to which the rule will apply from the Radius Client dropdown list.

• Enter the source IP addresses to which the rule will apply in the Source Adress field.

• Select the source countries where the rule will be applied from the Source Country dropdown list.

• Click on the Next button.

• Specify whether the rule will be applied to a user or a group.

• After specifying, click on the Next button.

• Select the users or groups to which the rule will apply. Transfer your selections to the Selected Users/Groups table by clicking the arrow icon next to the Available Users/Groups table.

• Click on the Next button.

• Select the time period when the rule will run.

  • All: The rule will run every day.

  • Recurring: The rule will run on the specified days and times.

  • One Time: The rule will run within the date range you specify.

• After selecting, click on the Next button.

• Specify whether the user or group will be granted access based on the rule in the Action field.

• Select the authentication provider to which the rule will apply from the Auth Method dropdown list.

• Click on Save to confirm the settings.

Test the Integration

To validate the integration between Mirket MFA and your Palo Alto GlobalProtect, perform authentication using a mobile token on your mobile device. For RADIUS resources, available authentication methods include Approve/Deny authentication.

In this example, we illustrate the use of the Approve/Deny authentication method.

• To begin, download and install the GlobalProtect App. For guidance, please refer to https://docs.paloaltonetworks.com/globalprotect/5-1/globalprotect-app-user-guide.

• Launch the GlobalProtect App.

• Input the IP address of your Palo Alto ethernet interface. Then click on Connect.

• Enter your Mirket username in the Username field.

• Input your password in the Password field.

• Click on Connect. Then, select the 'Approve' option(found in the Mirket mobile app) immediately and make sure it doesn't time out.

Related Topics

Palo Alto MFA for Admin Accounts

Radius Clients

Radius Rules

Local Group Configuration

Local Users Configuration

LDAP Group Configuration

LDAP Users