Introduction
This guide describes how to integrate Mideye two-factor authentication with Palo Alto GlobalProtect SSL-VPN.
Prerequisites & general issues
Prerequisites
Refer to the Palo Alto documentation for how to set up your Palo Alto firewall as a remote-access VPN using GlobalProtect. This guide does not explain how to create a new GlobalProtect gateway.
A Mideye Server (any release). If there is a firewall between the Palo Alto and the Mideye Server, it must allow RADIUS traffic in both directions (UDP, standard port 1812). The Palo Alto acts as a RADIUS client towards the Mideye Server, so it must be defined as a RADIUS client on the Mideye Server. Refer to the Mideye Server Configuration guide for how to define a new RADIUS client.
Decrease push-delivery failure timeout
In the current version of GlobalProtect, the RADIUS timeout is capped at 25 seconds, even if a higher value is set in the Palo Alto administrative interface. For Mideye+ users to fall back to a manual signature when the phone is unreachable, the push-delivery failure timeout in Mideye must be decreased from 17 to 11 seconds, so that the fallback is offered well within the 25-second limit.
- Open the Mideye Configuration Tool.
- Navigate to RADIUS-server and select the RADIUS server used by the RADIUS client. Click Modify.
- Select the App Configuration tab.
- Decrease the Delivery failure timeout from 17 seconds to 11 seconds.
- Click OK, Save followed by Close to restart the services.
Configuration
This section will explain how to add a new server profile and apply it to the GlobalProtect gateway.
Create a new Server profile
Navigate to “Device” and select “Server Profile” followed by “RADIUS”. Click “Add” and give the profile a suitable name. Set the timeout to 35 seconds and decrease retries to 1. (This is the preferred setting, but in the current version of Palo Alto the effective timeout will still be 25 seconds; see section Decrease push-delivery failure timeout for how to work around this.)
Click “Add” and name the RADIUS server. Enter the IP address of the Mideye Server and a shared secret. The shared secret must be identical on the Palo Alto and on the Mideye Server. Use a long, random secret: in RADIUS, both the user password and the server's reply are protected only by MD5 keyed with this secret.
Add RADIUS client in Mideye Server
Open the Mideye Configuration Tool and navigate to RADIUS clients. Click “New” and give the RADIUS client a suitable name. Enter the IP address of the Palo Alto and the same shared secret as in the step above. Click the LDAP Servers tab and make sure that the LDAP profile that should be used is assigned. Click “OK”, “Save” and “Close” to restart the services.
Add Authentication Profile
From Palo Alto, navigate to “Device” and select “Authentication Profile”. Click “Add” and give the profile a suitable name. Choose type “RADIUS” and select the RADIUS profile created above. Click “Advanced” and select which users should be allowed to use the authentication profile.
Change authentication Profile for GlobalProtect
Navigate to “Network” followed by “GlobalProtect”. Click “Gateways” and modify your existing gateway to use the authentication profile for Mideye.
Troubleshooting
Check RADIUS logs
Check whether anything is written to the Mideye RADIUS log:
Mideye Server\log\radius-messages.log
If nothing is logged, verify that udp/1812 is allowed between the Palo Alto and the Mideye Server.
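The following script is an added example (not part of this guide and not Mideye or Palo Alto code) for checking the prerequisites and the troubleshooting step above from a host other than the firewall: it sends a PAP Access-Request to the Mideye Server over udp/1812 the way the Palo Alto does, waits at most the 25 seconds GlobalProtect actually allows, and verifies the Response Authenticator of the reply (RFC 2865), so a server configured with a different shared secret is reported as such instead of being mistaken for a working one. Only the Python 3 standard library is used. The server address, shared secret, user name, password and NAS-IP-Address are placeholders, and the function names (`probe`, `pap_encrypt`, `sign_response`, `response_is_authentic`) are this example's own.

```python
"""Minimal RFC 2865 RADIUS probe (added example, not Mideye or Palo Alto code).
Sends a PAP Access-Request the way the Palo Alto does and verifies the reply's
Response Authenticator, so a server using a different shared secret is not
mistaken for a working one. Server, secret, user, password, NAS-IP are placeholders."""
import hashlib
import hmac
import os
import socket
import struct
import sys
import time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
GP_RADIUS_CEILING = 25.0  # seconds GlobalProtect actually waits, per the guide
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 (min 16), XOR each block with
    MD5(secret + previous ciphertext block); block 0 chains from the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt (what the server does before checking the password)."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_access_request(username, password, secret, nas_ip, ident, authenticator):
    """Code(1) ID Length RequestAuthenticator + User-Name, User-Password, NAS-IP-Address."""
    attrs = attribute(ATTR_USER_NAME, username.encode())
    attrs += attribute(ATTR_USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
    attrs += attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def sign_response(code, ident, attrs, secret, request_authenticator):
    """Server side (RFC 2865 3): ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def response_is_authentic(resp, secret, request_authenticator) -> bool:
    """Recompute the Response Authenticator with our secret and our request's authenticator;
    a mismatch means a wrong shared secret, a forged reply, or a reply to some other request."""
    if len(resp) < 20:
        return False
    length = struct.unpack("!H", resp[2:4])[0]
    if length < 20 or length > len(resp):
        return False
    expected = hashlib.md5(resp[:4] + request_authenticator + resp[20:length] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def probe(server, secret, username, password, nas_ip="192.0.2.10",
          port=1812, timeout=GP_RADIUS_CEILING):
    """Send one Access-Request and report what a GlobalProtect gateway would see."""
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    pkt = build_access_request(username, password, secret, nas_ip, ident, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        sock.sendto(pkt, (server, port))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:  # same symptom as blocked udp/1812: check radius-messages.log
            return {"result": "timeout", "elapsed": time.monotonic() - start}
        except ConnectionRefusedError:  # ICMP port unreachable: nothing listens there
            return {"result": "unreachable", "elapsed": time.monotonic() - start}
    elapsed = time.monotonic() - start
    if resp[1] != ident:
        return {"result": "id-mismatch", "elapsed": elapsed}
    if not response_is_authentic(resp, secret, authenticator):
        return {"result": "bad-authenticator (shared secret mismatch?)", "elapsed": elapsed}
    return {"result": CODE_NAMES.get(resp[0], f"code-{resp[0]}"), "elapsed": elapsed}

if __name__ == "__main__":
    # usage: python radius_probe.py <mideye-server> <shared-secret> <user> <password>
    srv, sec, usr, pwd = sys.argv[1:5]
    print(probe(srv, sec.encode(), usr, pwd))
```

RADIUS servers identify a client by the source address of the packet, so run the probe from a host that is defined as a RADIUS client on the Mideye Server (or define the test host temporarily); otherwise the request is dropped and the result is a "timeout", which this probe cannot tell apart from a blocked udp/1812, and the radius-messages.log is the place to look. An "Access-Challenge" is a valid reply here: it only means the server wants a second factor, and it still proves that the port is open and the shared secret matches. An "elapsed" value approaching 25 seconds on an otherwise successful reply is the situation the timeout adjustment above is meant to prevent.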
Contact Mideye support
For further support please contact Mideye support, support@mideye.com, +46854514750.