PingID Administration Guide

Configuring Palo Alto Global Protect for PingID multi-factor authentication

In the following tasks, you will configure Palo Alto Global Protect to work with PingID multi-factor authentication (MFA).

Prerequisites

To set up PingFederate or PingFederate Bridge as a RADIUS server, see Prerequisites: PingFederate RADIUS server.

If your end users encounter the JavaScript error "Assignment to read-only properties is not allowed in strict mode" when authenticating via PingID, they should upgrade to version 5.2.11 of the GlobalProtect app.

How it works

The following diagram illustrates a general flow. The actual configuration varies depending on your organizational infrastructure considerations and policies.

A flowchart showing the relationship between Palo Alto Global Protect, the RADIUS server, and PingID.

Processing Steps

  1. When a user opens their Palo Alto Global Protect sign-on window and enters a username and password, their details are sent to the RADIUS server on PingFederate through the VPN RADIUS client.

  2. PingFederate authenticates the user’s credentials with the user repository, such as an LDAP server, as first-factor authentication.

  3. Upon authentication approval from the user repository, the RADIUS server initiates a second authentication with PingID.

  4. The RADIUS server returns a response to Palo Alto Global Protect. If authentication is denied or if an error occurs, the user’s terminal displays an error message.

Setting up a RADIUS profile in the New Generation Firewall

To configure Palo Alto Global Protect to work with PingID multi-factor authentication (MFA), you must set up a RADIUS profile.

Steps

  1. Go to Device → Server Profiles → RADIUS, and click Add.

    Result:

    The following window is displayed.

    A screen capture of the RADIUS Server Profile window. The window shows a field for Profile Name at the top of the window with a check box for the Administrator Use Only option. In the Server Settings section after the Profile Name field, there are fields for Timeout (sec), Retries, and Authentication Protocol, which has a drop-down list. In the Servers section after the Server Settings section is a list of available servers with columns for each server including Name, RADIUS Server, Secret, and Port. At the bottom of this list are buttons for Add and Delete. The bottom of the window has buttons for OK and Cancel.

  2. In the Profile Name field, enter a name for the server.

  3. In the Server Settings section, set the Timeout and Retries fields according to your policy.

  4. From the Authentication Protocol list, select PAP.

  5. In the Servers section, click Add, and then add the RADIUS server details.
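The following is an added example, not code from Ping Identity or Palo Alto Networks, that walks through the four processing steps above as a RADIUS PAP exchange: the VPN RADIUS client hides the password under the shared secret (this is what selecting PAP in step 4 means on the wire), the server checks the first factor against a user repository, invokes a second factor, and answers with an Access-Accept or Access-Reject carrying a Response Authenticator that the client verifies. The shared secret, the user repository (a dictionary standing in for the LDAP server), the OTP values and the `ping_id_stub` function are all constructed for illustration; real PingID performs the second factor out of band.

```python
"""RADIUS PAP exchange: VPN client -> RADIUS server -> first factor -> second factor.

Constructed illustration of the guide's processing steps. The server is a stub,
not PingFederate or PingID; the secret, accounts and OTP below are made up.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18

SHARED_SECRET = b"constructed-shared-secret"   # assumption: one secret per RADIUS client
DIRECTORY = {"alice": b"Winter2024!"}          # constructed stand-in for the LDAP repository
MFA_DEVICES = {"alice": "482913"}              # constructed stand-in for PingID device state


def hide_pap_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks, then
    c1 = p1 XOR MD5(secret + RequestAuthenticator), c_i = p_i XOR MD5(secret + c_{i-1})."""
    padded = password.ljust((max(len(password), 1) + 15) // 16 * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_pap_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_pap_password. Trailing NUL padding is stripped,
    so a password that itself ends in NUL bytes is ambiguous (a known PAP limitation)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Attribute-value pairs in Type/Length/Value form (length covers the 2-byte header)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_packet(data: bytes):
    """Returns (code, identifier, authenticator, [(type, value), ...]); rejects bad lengths."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length")
    attrs, i = [], 20
    while i < length:
        t, l = struct.unpack("!BB", data[i:i + 2])
        if l < 2 or i + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return code, ident, data[4:20], attrs


def build_access_request(username: str, password: str, secret: bytes, ident: int = 1):
    """Step 1: the VPN RADIUS client sends User-Name plus the hidden User-Password.
    Returns the packet and the fresh Request Authenticator the client must remember."""
    request_auth = os.urandom(16)  # random per request; it keys the password hiding
    body = encode_attrs([(ATTR_USER_NAME, username.encode()),
                         (ATTR_USER_PASSWORD, hide_pap_password(password.encode(), secret, request_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body, request_auth


def ping_id_stub(username: str, otp: str) -> bool:
    """Constructed stand-in for step 3's second factor (real PingID pushes to the device)."""
    expected = MFA_DEVICES.get(username)
    return expected is not None and hmac.compare_digest(expected, otp)


def sign_response(code: int, ident: int, request_auth: bytes, attrs, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def radius_server(request: bytes, secret: bytes, otp: str, second_factor=ping_id_stub) -> bytes:
    """Steps 2-4: verify the first factor against the repository, then the second factor,
    and return a signed Access-Accept or Access-Reject."""
    code, ident, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("unexpected RADIUS code")
    fields = dict(attrs)
    username = fields.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_pap_password(fields.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    stored = DIRECTORY.get(username)
    if stored is None or not hmac.compare_digest(stored, password):
        verdict, msg = ACCESS_REJECT, b"first factor failed"
    elif not second_factor(username, otp):
        verdict, msg = ACCESS_REJECT, b"second factor failed"
    else:
        verdict, msg = ACCESS_ACCEPT, b"welcome"
    return sign_response(verdict, ident, request_auth, [(ATTR_REPLY_MESSAGE, msg)], secret)


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The client recomputes the Response Authenticator before trusting the verdict;
    a reply produced without the shared secret fails this check."""
    _, _, resp_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def authenticate(username: str, password: str, otp: str, secret: bytes = SHARED_SECRET):
    """Whole exchange as seen from the VPN client: returns (verdict code, Reply-Message)."""
    request, request_auth = build_access_request(username, password, secret)
    response = radius_server(request, secret, otp)
    if not verify_response(response, request_auth, secret):
        return ACCESS_REJECT, "response authenticator mismatch"
    code, _, _, attrs = parse_packet(response)
    return code, dict(attrs).get(ATTR_REPLY_MESSAGE, b"").decode(errors="replace")


if __name__ == "__main__":
    print(authenticate("alice", "Winter2024!", "482913"))  # accept
    print(authenticate("alice", "wrong-password", "482913"))  # first factor rejected
    print(authenticate("alice", "Winter2024!", "000000"))  # second factor rejected
```

Two points this makes concrete for the profile you set up above: with PAP the password is protected only by MD5 keyed with the shared secret, so the secret entered in the Servers section should be long and random and the path between the firewall and PingFederate should be a trusted network; and the firewall's acceptance of a login rests on the Response Authenticator check, which is why the same secret must be configured identically on both ends.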

Next steps

For further information about setting the RADIUS profile, see Configure RADIUS Authentication.

Creating an authentication profile

To configure Palo Alto Global Protect to work with PingID multi-factor authentication (MFA), you must create an authentication profile.

Steps

  1. Go to Device → Authentication Profile, and then click Add.

    Result:

    The Authentication tab of the Authentication Profile window is displayed.

    A screen capture of the Authentication tab in the Authentication Profile window. At the top of the window is the Name field for the entire profile. The Authentication tab includes the fields for Type; Server Profile, which has a check box under it for the option to Retrieve user group from RADIUS; User Domain; and Username Modifier. In the Single Sign On section that follows the Username Modifier field are fields for Kerberos Realm and Kerberos Keytab. To the right of the Kerberos Keytab field is a hyperlink option to Import. The bottom of the window shows the OK and Cancel buttons.

  2. In the Name field, enter a name for the profile.

  3. From the Type list, select RADIUS.

  4. From the Server Profile list, select the RADIUS profile that you previously created.

  5. In the User Domain field, enter your own domain name.

  6. From the Username Modifier list, leave the default selection of %USERINPUT%.

  7. Click Advanced.

    Result:

    The Advanced tab of the Authentication Profile window is displayed.

    A screen capture of the Advanced tab in the Authentication Profile window. The Advanced tab shows the Allow List section with a list of options to which the profile will apply. The bottom of the list has an Add plus sign button and a grayed-out Delete minus sign button. The Account Lockout section follows the Allow List and shows the fields for Failed Attempts and Lockout Time (min). The bottom of the window shows the OK and Cancel buttons.

  8. In the Allow List section, select the group to which this authentication profile will apply. Click OK.

Setting Global Protect Authentication with the new profile

Add the authentication profile to the Global Protect Portal.

Before you begin

If you have not yet created a Global Protect Portal, see Set Up Access to the GlobalProtect Portal.

Steps

  1. Go to Network → Global Protect → Portals, and open the portal you want to modify.

  2. On the Authentication tab, choose the SSL/TLS Service Profile for the portal.

  3. At the bottom left of Client Authentication, click Add.

  4. In the Client Authentication window, enter a name in the Name field.

  5. From the Authentication Profile list, select the authentication profile that you previously created.

    A screen capture of the Client Authentication window showing the fields Name, OS, and Authentication Profile. In the GlobalProtect App Login Screen section, there are the fields Username Label, Password Label, and Authentication Message. Following the GlobalProtect App Login Screen section is the drop-down option for Allow Authentication with User Credentials OR Client Certificate. The bottom of the window shows the OK and Cancel buttons.

  6. Optional: From the Allow Authentication with User Credentials or Client Certificate list, select Yes (User Credentials or Client Certificate Required).

  7. Click OK.

  8. Go to the Agent tab.

  9. In the Trusted Root CA section, set the trusted root certificate authority (CA).

    A screen capture of the Agent tab.

  10. In the Agent section, click Add.

    Result:

    The Configs window opens.

  11. In the Authentication tab, in the Name field, enter a name.

  12. From the Save User Credentials list, select Save Username Only.

    A screen capture of the Configs window. The Configs window has six tabs: Authentication, Config Selection Criteria, Internal, External, App, and Data Collection. On the featured Authentication tab, there are the fields for Name, Client Certificate, and Save User Credentials. In the Authentication Override section, there are two check boxes: Generate cookie for authentication override and Accept cookie for authentication override. There is also a field for Certificate to Encrypt/Decrypt Cookie. The last section of the Authentication tab is Components that Require Dynamic Passwords (Two-Factor Authentication). In this section, there are four check boxes: Portal, Internal gateways-all, External gateways-manual only, and External gateways-auto discovery. At the bottom of the window are the OK and Cancel buttons.

  13. Go to the External tab, and in the External Gateways section, click Add.

  14. In the Name field, enter a name for the gateway.

  15. In the Address field, enter the fully qualified domain name (FQDN) or IP address for the agent, and select the appropriate check box. Click OK.

    A screen capture of the External Gateway window. The Name field at the top of the window says GP-Gateway. After that field is an Address option with radio buttons for FQDN or IP. In this screen capture, FQDN is selected, and in the field that follows, a URL has been entered. After that field is a list of gateway options with an Add plus sign button and a Delete minus sign button. After the list is a check box for Manual gateway selection. The bottom of the window has the OK and Cancel buttons.

  16. Go to the App tab and review the App Configurations.

  17. Make any necessary changes, and then click OK.

Next steps

Ensure that the Gateway is configured. For more information, see Configure a GlobalProtect Gateway.