Palo Alto – GlobalProtect

Introduction

The purpose of this guide is to provide guidelines on how to integrate Mideye two-factor authentication with Palo Alto SSL-VPN GlobalProtect.

Prerequisites & general issues

Prerequisites

Refer to the Palo Alto documentation for how to set up your Palo Alto to act as a remote-access VPN using GlobalProtect. This guide does not explain how to create a new GlobalProtect gateway.

A Mideye Server (any release) is required. If there is a firewall between the Palo Alto and the Mideye Server, it must allow two-way RADIUS traffic (UDP, standard port 1812). The Palo Alto acts as a RADIUS client towards the Mideye Server; hence, the Palo Alto must be defined as a RADIUS client on the Mideye Server. Refer to the Mideye Server Configuration guide for information on how to define a new RADIUS client.

Decrease push-delivery failure timeout

In the current version of GlobalProtect, the effective RADIUS timeout is limited to 25 seconds, even if a higher value is set in the Palo Alto administrative interface. To allow manual signatures with Mideye+ when the phone is unreachable, the push delivery failure timeout in Mideye has to be decreased from 17 to 11 seconds.

  1. Open Configuration-tool.
  2. Navigate to RADIUS-server and select the RADIUS server used by the RADIUS client. Click Modify.
  3. Select the App Configuration tab.
  4. Decrease the Delivery failure timeout from 17 seconds to 11 seconds.
  5. Click OK, Save followed by Close to restart the services.

Edit delivery failure timeout in App Configuration

Configuration

This section will explain how to add a new server profile and apply it to the GlobalProtect gateway.

Create a new Server profile

Navigate to “Device” and select “Server Profile” followed by “RADIUS”. Click “Add” and give the profile a suitable name. Change the timeout to 35 seconds and decrease retries to 1. (This is the preferred setting, but in the current version of Palo Alto the effective timeout will still be 25 seconds. See the section Decrease push-delivery failure timeout for a workaround.)

Add a server profile

Click “Add” and name the RADIUS server. Enter the IP address of the Mideye Server and a shared secret. This shared secret must be identical on the Palo Alto and on the Mideye Server.

Add RADIUS client in Mideye Server

Open the Mideye Configuration Tool and navigate to RADIUS clients. Click “New” and give the RADIUS client a suitable name. Enter the IP address of the Palo Alto and type the same shared secret as in the step above. Click the LDAP Servers tab and make sure that the LDAP profile that should be used is assigned. Click “OK”, “Save” and “Close” to restart the services.

Add Authentication Profile

From the Palo Alto, navigate to “Device” and select “Authentication Profile”. Click “Add” and give the profile a suitable name. Choose type “RADIUS” and select the RADIUS profile created above. Click “Advanced” and select which users should be allowed to use the authentication profile.

Create an authentication profile

Change authentication Profile for GlobalProtect

Navigate to “Network” followed by “GlobalProtect”. Click “Gateways” and modify your existing gateway to use the authentication profile for Mideye.

Add the authentication profile to GlobalProtect

Troubleshooting

Check RADIUS logs

Check whether anything is written to the Mideye RADIUS log:

Mideye Server\log\radius-messages.log

If nothing is logged, verify that udp/1812 is allowed between your Palo Alto and Mideye Server.
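To check the udp/1812 path and the shared secret without clicking through the GUI, here is an added example of a minimal RADIUS Access-Request probe; it is not a Mideye or Palo Alto tool. It assumes the Mideye Server accepts standard PAP Access-Requests (RFC 2865) on udp/1812; the host, shared secret, user name and the NAS-Identifier value "mideye-probe" are placeholders you supply.

```python
import hashlib, os, socket, struct

RADIUS_PORT = 1812  # standard RADIUS authentication port, as in the guide
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11

def pap_encrypt(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block),
    # seeded by the Request Authenticator. Applied twice it recovers a single-block password.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, username, password, secret, req_auth, nas_id=b"mideye-probe"):
    attrs = b""
    for atype, value in ((1, username.encode()), (32, nas_id),  # User-Name, NAS-Identifier
                         (2, pap_encrypt(password.encode(), secret, req_auth))):  # User-Password
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def sign_response(code, ident, attrs, req_auth, secret):
    # Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def response_is_authentic(reply, req_auth, secret):
    # A reply not produced with the shared secret (or spoofed on the udp/1812 path)
    # fails this check and must not be treated as an Access-Accept.
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    return reply[4:20] == hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()

def probe(host, secret, username, password, timeout=25.0):
    # One request, one wait: mirrors the effective 25 s Palo Alto RADIUS timeout, single attempt.
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(ident, username, password, secret, req_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, RADIUS_PORT))
        try:
            reply, _ = sock.recvfrom(4096)
        except OSError:  # socket.timeout, or ICMP port unreachable surfacing as an error
            return "no reply: check udp/1812 and Mideye Server\\log\\radius-messages.log"
    if reply[1] != ident or not response_is_authentic(reply, req_auth, secret):
        return "reply failed authenticator check: shared secret mismatch?"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
            ACCESS_CHALLENGE: "Access-Challenge"}.get(reply[0], "unexpected code %d" % reply[0])
```

A real request starts a real Mideye authentication for that user, so run the probe with a dedicated test account. A reply that fails the authenticator check almost always means the shared secret differs between the Palo Alto RADIUS profile and the Mideye RADIUS client.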

Contact Mideye support

For further support please contact Mideye support, support@mideye.com, +46854514750.