Captive Portal Authentication using DUO

Created On 08/14/20 21:25 PM - Last Modified 10/07/20 22:04 PM


Objective


This document helps firewall administrators configure Captive Portal authentication with two-factor authentication using DUO.



Environment


  • PAN OS V8.1+
  • DUO MFA.


Procedure


  1. Configure a Multi Factor Authentication Server Profile under Device > Server Profiles. This profile defines how the firewall connects to and communicates with the MFA provider. In our case we use DUO, so we need the API Host, Integration Key, and Secret Key from the DUO protected application.
Note: For more detail about Cisco DUO application protection, use this link
This image shows Multi Factor Authentication Server Profile
This image shows DUO Portal Page

Note: The certificate required in the Multi-Factor profile is the CA root certificate that the firewall uses to validate the MFA server certificate when setting up a secure connection to the server. These certificates are available on the MFA vendor website and the root CA vendor website, as below:
This image shows Root CA Certificate
  1. Download the certificate(s) and import them in the firewall certificate tab as below:
             This image shows Certificate profile creation in PAN OS
  1. Create a certificate profile and add the CA root Certificate(s) as needed, then use this profile in the Multi-Factor Authentication Server profile.
            This image shows Certificate profile creation in PAN OS
  1. Create an Authentication Profile that will be used to authenticate captive portal users. This profile has two authentication steps. The first is the usual authentication using Local, RADIUS, LDAP or any other type of authentication; in this example we used local authentication.

              This image shows Authentication Profile creation in PAN OS

              Then link the Multi Factor Authentication Server Profile under the Factors tab, which enforces it as the second authentication.

             This image shows Authentication Profile creation in PAN OS

  1. Create an Authentication Enforcement object, which specifies the method and service used to authenticate end users who access your network resources.

            this image shows Authentication Enforcement configuration

  1. Under Authentication Policy, create a rule that matches the traffic that should invoke the authentication method and service, and apply the authentication enforcement as below:

            this image shows authentication Policy configuration

  1. Generate traffic that matches the rule in the Authentication Policy. The firewall then redirects the user to the captive portal web page, where the user enters their credentials for the first authentication as below:

                      this image shows Login test with first authentication

  1. The firewall then asks the MFA vendor to authenticate the user with the configured method, such as OTP or Automatic Push on the DUO Mobile App.

                       this image shows second authentication during login
                        this image shows DUO mobile push on message

  1. Once the user passes the second authentication, the user is allowed to access the intended resource.

                     this image shows User is able to access his required resources

  1. To monitor the authentication results, go to Monitor > Authentication to check the results of the first and second authentication attempts. The subtype tab indicates the authentication type used.

            This image shows Monitor Authentication
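
One way to act on the Monitor > Authentication results from the last step, as an added example that is not part of the original article or Palo Alto Networks code: it pairs each first-factor success with the second-factor result and lists users whose password was accepted but whose DUO step failed repeatedly. The CSV layout, column names, values and the five-minute window are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real firewall output. Column names and values are
# assumptions; map them to the fields of your own Monitor > Authentication export.
SAMPLE_EXPORT = """time,user,source_ip,subtype,factor,result
2020-10-07 09:00:01,alice,10.1.1.20,local,1,success
2020-10-07 09:00:09,alice,10.1.1.20,duo,2,success
2020-10-07 09:05:00,bob,10.1.1.31,local,1,failure
2020-10-07 09:05:12,bob,10.1.1.31,local,1,success
2020-10-07 09:05:40,bob,10.1.1.31,duo,2,failure
2020-10-07 09:06:10,bob,10.1.1.31,local,1,success
2020-10-07 09:06:45,bob,10.1.1.31,duo,2,failure
2020-10-07 09:30:00,carol,10.1.1.44,local,1,success
"""
WINDOW = timedelta(minutes=5)  # assumed maximum gap between the two factors

def second_factor_gaps(export_text, window=WINDOW):
    """Count, per user, first-factor successes not completed by a second factor."""
    rows = sorted(csv.DictReader(io.StringIO(export_text)), key=lambda r: r["time"])
    pending = {}  # (user, source_ip) -> time of the last first-factor success
    gaps = defaultdict(lambda: {"mfa_failed": 0, "mfa_missing": 0})
    for row in rows:
        key = (row["user"], row["source_ip"])
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        if row["factor"] == "1":
            if row["result"] == "success":
                if key in pending:
                    gaps[row["user"]]["mfa_missing"] += 1  # earlier login abandoned
                pending[key] = ts
            continue  # a failed password never reaches the second factor
        started = pending.pop(key, None)  # None: no first-factor success seen
        if started is not None and ts - started > window:
            gaps[row["user"]]["mfa_missing"] += 1  # too late to belong to that login
        elif started is not None and row["result"] != "success":
            gaps[row["user"]]["mfa_failed"] += 1  # password accepted, second factor failed
    for user, _ip in pending:
        gaps[user]["mfa_missing"] += 1  # export ended with no second-factor event
    return dict(gaps)

def users_to_review(export_text, threshold=2):
    """Users whose password was accepted but whose second factor failed repeatedly."""
    gaps = second_factor_gaps(export_text)
    return sorted(u for u, g in gaps.items() if g["mfa_failed"] >= threshold)

if __name__ == "__main__":
    print(second_factor_gaps(SAMPLE_EXPORT), users_to_review(SAMPLE_EXPORT))
```

A repeated password success followed by a failed second factor is worth a password reset for that user, since the first factor may already be known to someone else.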



Additional Information



Palo Alto administration guide:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/authentication-policy/configure-authentication-policy.html#id0ff4d899-df86-4f6f-905e-e7b86c938203

DUO and Palo Alto configuration:
https://duo.com/docs/paloalto 

