---
title: Configuring Palo Alto Global Protect for PingID multi-factor authentication
description: In the following tasks, you will configure Palo Alto Global Protect to work with PingID multi-factor authentication (MFA).
component: pingid
page_id: pingid:pingid_integrations:pid_configuring_palo_alto_global_protect_multifactor_authentication
canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_configuring_palo_alto_global_protect_multifactor_authentication.html
revdate: January 30, 2024
section_ids:
  prerequisites: Prerequisites
  how-it-works: How it works
  processing-steps: Processing Steps
  setting-up-a-radius-profile-in-the-new-generation-firewall: Setting up a RADIUS profile in the New Generation Firewall
  steps: Steps
  result: Result:
  next-steps: Next steps
  creating-an-authentication-profile: Creating an authentication profile
  steps-2: Steps
  result-2: Result:
  result-3: Result:
  setting-global-protect-authentication-with-the-new-profile: Setting Global Protect Authentication with the new profile
  before-you-begin: Before you begin
  steps-3: Steps
  result-4: Result:
  next-steps-2: Next steps
---

# Configuring Palo Alto Global Protect for PingID multi-factor authentication

In the following tasks, you will configure Palo Alto Global Protect to work with PingID multi-factor authentication (MFA).

## Prerequisites

To set up PingFederate or PingFederate Bridge as a RADIUS server, see [Prerequisites: PingFederate RADIUS server](pid_prerequisites_pf_radius_server.html).

If your end users encounter the JavaScript error "Assignment to read-only properties is not allowed in strict mode" when authenticating via PingID, they should upgrade to [version 5.2.11](https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-release-notes/globalprotect-known-and-addressed-issues/globalprotect-addressed-issues#id17B8E400LWR_id26d6aa0d-7c04-4538-a260-e76a0941a71f) of the GlobalProtect app.

## How it works

The following diagram illustrates a general flow. The actual configuration varies depending on your organizational infrastructure considerations and policies.

![A flowchart showing the relationship between Palo Alto Global Protect, the RADIUS server, and PingID.](_images/jmh1575279616387.png)

## Processing Steps

1. When a user opens their Palo Alto Global Protect sign-on window and enters a username and password, their details are sent to the RADIUS server on PingFederate through the VPN RADIUS client.

2. PingFederate authenticates the user's credentials with the user repository, such as an LDAP server, as first-factor authentication.

3. Upon authentication approval from the user repository, the RADIUS server initiates a second authentication with PingID.

4. The RADIUS server returns a response to Palo Alto Global Protect. If authentication is denied or if an error occurs, the user's terminal displays an error message.

## Setting up a RADIUS profile in the New Generation Firewall

To configure Palo Alto Global Protect to work with PingID multi-factor authentication (MFA), you must set up a RADIUS profile.

### Steps

1. Go to **Device → Server Profiles → RADIUS**, and click **Add**.

   #### Result:

   The following window is displayed.

   ![A screen capture of the RADIUS Server Profile window. The window shows a field for Profile Name at the top of the window with a check box for the Administrator Use Only option. In the Server Settings section after the Profile Name field, there are fields for Timeout (sec), Retries, and Authentication Protocol, which has a drop-down list. In the Servers section after the Server Settings section is a list of available servers with categories for each server including Name, RADIUS Server, Secret, and Port. At the bottom of this list are buttons for Add and Delete. The bottom of the window has buttons for OK and Cancel.](_images/fsf1575287163804.png)

2. In the **Profile Name** field, enter a name for the server.

3. In the **Server Settings** section, set the **Timeout** and **Retries** fields according to your policy.

4. From the **Authentication Protocol** list, select **PAP**.

5. In the **Servers** section, click **Add**, and then add the RADIUS server details.

### Next steps

For further information about setting the RADIUS profile, see [Configure RADIUS Authentication](https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configure-radius-authentication).

## Creating an authentication profile

To configure Palo Alto Global Protect to work with PingID multi-factor authentication (MFA), you must create an authentication profile.

### Steps

1. Go to **Device → Authentication Profile**, and then click **Add**.

   #### Result:

   The **Authentication** tab of the **Authentication Profile** window is displayed.

   ![A screen capture of the Authentication tab in the Authentication Profile window. At the top of the window is the Name field for the entire profile. The Authentication tab includes the fields for Type; Server Profile, which has a check box under it for the option to Retrieve user group from RADIUS; User Domain; and Username Modifier. In the Single Sign On section that follows the Username Modifier field are fields for Kerberos Realm and Kerberos Keytab. To the right of the Kerberos Keytab field is a hyperlink option to Import. The bottom of the window shows the OK and Cancel buttons.](_images/jtb1575288979951.png)

2. In the **Name** field, enter a name for the profile.

3. From the **Type** list, select **RADIUS**.

4. From the **Server Profile** list, select the RADIUS profile that you previously created.

5. In the **User Domain** field, enter your own domain name.

6. From the **Username Modifier** list, leave the default selection of **%USERINPUT%**.

7. Click **Advanced**.

   #### Result:

   The **Advanced** tab of the **Authentication Profile** window is displayed.

   ![A screen capture of the Advanced tab in the Authentication Profile window. The Advanced tab shows the Allow List section with a list of options to which the profile will apply. The bottom of the list has an Add plus sign button and a grayed out Delete minus sign button. The Account Lockout section follows the Allow List and shows the fields for Failed Attempts and Lockout Time (min). The bottom of the window shows the OK and Cancel buttons.](_images/rlb1575290084016.png)

8. In the **Allow List** section, select the group to which this authentication profile will apply. Click **OK**.

## Setting Global Protect Authentication with the new profile

Add the authentication profile to the Global Protect Portal.

### Before you begin

If you have not yet created a Global Protect Portal, see [Set Up Access to the GlobalProtect Portal](https://docs.paloaltonetworks.com/globalprotect/9-0/globalprotect-admin/globalprotect-portals/set-up-access-to-the-globalprotect-portal).

### Steps

1. Go to **Network → Global Protect → Portals**, and open the portal you want to modify.

2. On the **Authentication** tab, choose the **SSL/TLS Service Profile** for the portal.

3. At the bottom left of **Client Authentication**, click **Add**.

4. In the **Client Authentication** window, enter a name in the **Name** field.

5. From the **Authentication Profile** list, select the authentication profile that you previously created.

   ![A screen capture of the Client Authentication window showing the fields Name, OS, and Authentication Profile. In the GlobalProtect App Login Screen section, there are the fields Username Label, Password Label, and Authentication Message. Following the GlobalProtect App Login Screen section is the drop-down option for Allow Authentication with User Credentials OR Client Certificate. The bottom of the window shows the OK and Cancel buttons.](_images/lwt1575292943170.png)

6. **Optional:** From the **Allow Authentication with User Credentials or Client Certificate** list, select **Yes (User Credentials or Client Certificate Required)**.

7. Click **OK**.

8. Go to the **Agent** tab.

9. In the **Trusted Root CA** section, set the trusted root certificate authority (CA).

   ![A screen capture of the Agent tab.](_images/dxv1575899892395.png)

10. In the **Agent** section, click **Add**.

    #### Result:

    The **Configs** window opens.

11. In the **Authentication** tab, in the **Name** field, enter a name.

12. From the **Save User Credentials** list, select **Save Username Only**.

    ![A screen capture of the Configs window. The Configs window has six tabs: Authentication, Config Selection Criteria, Internal, External, App, and Data Collection. On the featured Authentication tab, there are the fields for Name, Client Certificate, and Save User Credentials. In the Authentication Override section, there are two check boxes: Generate cookie for authentication override and Accept cookie for authentication override. There is also a field for Certificate to Encrypt/Decrypt Cookie. The last section of the Authentication tab is Components that Require Dynamic Passwords (Two-Factor Authentication). In this section, there are four check boxes: Portal, Internal gateways-all, External gateways-manual only, and External gateways-auto discovery. At the bottom of the window are the OK and Cancel buttons.](_images/rje1575293047780.png)

13. Go to the **External** tab, and in the **External Gateways** section, click **Add**.

14. In the **Name** field, enter a name for the gateway.

15. In the **Address** field, enter the fully-qualified domain name (FQDN) or IP for the agent, and select the appropriate check box. Click **OK**.

    ![A screen capture of the External Gateway window. The Name field at the top of the window says GP-Gateway. After that field is an Address option with radio buttons for FQDN or IP. In this screen capture, FQDN is selected, and in the field that follows, a URL has been entered. After that field is a list of gateway options with an Add plus sign button and a Delete minus sign button. After the list is a check box for Manual gateway selection. The bottom of the window has the OK and Cancel buttons.](_images/ddr1575293150938.png)

16. Go to the **App** tab and review the **App Configurations**.

17. Make any necessary changes, and then click **OK**.

### Next steps

Ensure that the Gateway is configured. For more information, see [Configure a GlobalProtect Gateway](https://docs.paloaltonetworks.com/globalprotect/9-0/globalprotect-admin/globalprotect-gateways/configure-a-globalprotect-gateway.html).
