Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
Captive Portal Authentication using DUO - Knowledge Base - Palo Alto Networks

Captive Portal Authentication using DUO

26300
Created On 08/14/20 21:25 PM - Last Modified 10/07/20 22:04 PM


Objective


This document is designed to help firewall administrators to configure captive Authentication along with Two Factor authentication using DUO authentication.



Environment


  • PAN OS V8.1+
  • DUO MFA.


Procedure


  1. Configure Multi Factor Authentication Server Profile under Device > Server Profiles, this profile defines how firewalls will connect and communicate with MFA providers. In our case we use DUO, so it requires us to get the API Host, Integration Key, and Secret key from DUO protected Application.
Note: More detail about Cisco DUO application protection use this link
This image shows Multi Factor Authentication Server Profile
this image shows DUO Portal Page
 
Note: The certificate that is required in Multi-Factor Profile is the CA root certificate that firewall uses to validate the MFA server certificate when setting up a secure connection to the server, this certificates are existed in the MFA vendor website and Root CA Vendor website as below:
This image shows Root CA Certificate
  1. Download the certificate(s) and import it in the firewall certificate tab as below:
             This image shows Certificate profile creation in PAN OS
  1. Create a certificate profile and add the CA root Certificate(s) as needed, then use this profile in the Multi-Factor Authentication Server profile.
            This image shows Certificate profile creation in PAN OS
  1. Create an Authentication Profile that will be used to authenticate captive portal users, in this profile we will add two authentication steps, the first authentication will be usual authentication using either Local, RADIUS, LDAP or any other type of authentication, in this example we used local authentication.

              This image shows Authentication Profile creation in PAN OS
              This image shows Authentication Profile creation in PAN OS

              Then we need to link the Multi Authentication server profile under Factors tab that will enforce this authentication to be used as second authentication.

             This image shows Authentication Profile creation in PAN OS
             This image shows Authentication Profile creation in PAN OS

  1. Create Authentication Enforcement object which specifies the method and service to be used for authenticating end users who access your network resources

            this image shows Authentication Enforcement configuration
            this image shows Authentication Enforcement configuration

  1. Under Authentication Policy create a rule that match the traffic to invoke the authentication method and service and apply the authentication enforcement as below:

            this image shows authentication Policy configuration
            this image shows authentication Policy configuration

  1. Generate a traffic that matches the rule in the authentication Policy, the firewall then redirect the use to the captive portal web page, the user needs to enter his credentials for the first authentication as below:
    1. Generate traffic that matches the rule in the authentication

                      this image shows Login test with first authentication

  1. Then the firewall will request the MFA vendor to authenticate the user using the configured procedure like OTP or Automatic Push on the DUO Mobile App. 

                       this image shows second authentication during login
                        this image shows DUO mobile push on message

  1. Once the user passes the second authentication then the user will be allowed to access the intended resource.

                     this image shows User is able to access his required resources

  1. To Monitor the authentication results, you can go to Monitor > Authentication to check the first and second authentication trial results, the subtype tab will define the authentication type used.

            this image show Monitor Authentication



Additional Information



Additional Information:

Palo Alto administration guide:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/authentication-policy/configure-authentication-policy.html#id0ff4d899-df86-4f6f-905e-e7b86c938203

DUO and Palo Alto configuration:
https://duo.com/docs/paloalto 


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HANzCAO&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language