Captive Portal Authentication using DUO
26300
Created On 08/14/20 21:25 PM - Last Modified 10/07/20 22:04 PM
Objective
This document is designed to help firewall administrators configure Captive Portal authentication together with two-factor authentication using DUO.
Environment
- PAN-OS 8.1+
- DUO MFA
Procedure
- Configure a Multi-Factor Authentication Server Profile under Device > Server Profiles. This profile defines how the firewall connects to and communicates with the MFA provider. In our case we use DUO, so we need the API Host, Integration Key, and Secret Key from the DUO-protected application.
Note: For more detail about Cisco DUO application protection, use this link.
Note: The certificate required in the Multi-Factor Authentication Server Profile is the CA root certificate that the firewall uses to validate the MFA server's certificate when it sets up a secure connection to the server. These certificates are available on the MFA vendor's website and the Root CA vendor's website, as below:
- Download the certificate(s) and import them under the firewall's Certificates tab, as below:
- Create a Certificate Profile, add the CA root certificate(s) as needed, then use this profile in the Multi-Factor Authentication Server Profile.
- Create an Authentication Profile that will be used to authenticate Captive Portal users. In this profile we add two authentication steps: the first is the usual authentication using Local, RADIUS, LDAP or any other type of authentication; in this example we used local authentication. Then link the Multi-Factor Authentication Server Profile under the Factors tab, which enforces it as the second authentication.
- Create an Authentication Enforcement object, which specifies the method and service used to authenticate end users who access your network resources.
- Under Authentication Policy, create a rule that matches the traffic to invoke the authentication method and service, and apply the Authentication Enforcement object, as below:
- Generate traffic that matches the rule in the Authentication Policy. The firewall then redirects the user to the Captive Portal web page, where the user enters their credentials for the first authentication, as below:
- The firewall then asks the MFA vendor to authenticate the user using the configured method, such as an OTP or an automatic push to the DUO Mobile app.
- Once the user passes the second authentication, the user is allowed to access the intended resource.
- To monitor the authentication results, go to Monitor > Authentication to check the results of the first and second authentication attempts; the Subtype field shows the authentication type used.
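As an added example (not code from this article, Palo Alto Networks, or Duo), the following Python shows what the firewall does with the API Host, Integration Key and Secret Key entered in the MFA server profile: it builds and signs a Duo Auth API request using the HMAC-based scheme Duo documents for its Auth API, and includes the check the receiving side performs before trusting the request. The host, keys, username and client IP are constructed placeholders; the request path and parameter names follow Duo's public Auth API documentation. The TLS connection itself, which is where the CA root certificate from the profile is used, is not made here.

```python
import base64
import hashlib
import hmac
import urllib.parse
from email.utils import formatdate

# Constructed placeholders; real values come from the Duo Admin Panel for the
# protected application. The secret key is what proves the request came from the
# firewall, so it must be stored and handled like a password.
API_HOST = "api-xxxxxxxx.duosecurity.com"   # placeholder API Host
IKEY = "DIXXXXXXXXXXXXXXXXXX"               # placeholder Integration Key
SKEY = "placeholder-secret-key-do-not-use"  # placeholder Secret Key


def _encode_params(params: dict) -> str:
    """Sort parameters by name and URL-encode them exactly as they will be signed."""
    return "&".join(
        f"{urllib.parse.quote(str(k), safe='~')}={urllib.parse.quote(str(v), safe='~')}"
        for k, v in sorted(params.items())
    )


def canonicalize(date: str, method: str, host: str, path: str, params: dict) -> str:
    """Build the canonical string Duo's Auth API signs: date, method, host, path, params.

    Method is upper-cased and host lower-cased so both sides sign identical bytes.
    """
    return "\n".join([date, method.upper(), host.lower(), path, _encode_params(params)])


def sign(date: str, method: str, host: str, path: str, params: dict, ikey: str, skey: str) -> str:
    """Return the Authorization header value for a Duo Auth API request.

    The signature is HMAC-SHA1 over the canonical string keyed with the secret key;
    the header is HTTP Basic with the integration key as user and the hex HMAC as password.
    """
    canon = canonicalize(date, method, host, path, params)
    sig = hmac.new(skey.encode("utf-8"), canon.encode("utf-8"), hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def verify_authorization(header: str, date: str, method: str, host: str, path: str,
                         params: dict, ikey: str, skey: str) -> bool:
    """Recompute the header the way the receiving side would and compare in constant time.

    Any change to the date, method, host, path, parameters or keys yields a different
    HMAC, so a tampered or replayed-with-edits request fails here.
    """
    if not header.startswith("Basic "):
        return False
    expected = sign(date, method, host, path, params, ikey, skey)
    return hmac.compare_digest(header, expected)


def build_auth_request(username: str, ipaddr: str, date: str | None = None):
    """Assemble headers and body for POST /auth/v2/auth with factor=auto (push/OTP chosen by Duo)."""
    date = date or formatdate(usegmt=True)
    path = "/auth/v2/auth"
    params = {"username": username, "factor": "auto", "device": "auto", "ipaddr": ipaddr}
    headers = {
        "Date": date,
        "Host": API_HOST,
        "Authorization": sign(date, "POST", API_HOST, path, params, IKEY, SKEY),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, _encode_params(params)


if __name__ == "__main__":
    hdrs, body = build_auth_request("alice", "192.0.2.10")
    for name, value in hdrs.items():
        print(f"{name}: {value}")
    print()
    print(body)
```

Because the Date header is part of the signed string, Duo rejects requests whose clock is far from its own; a firewall with a wrong time therefore fails MFA even when the keys are correct, which is worth checking before suspecting the profile.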
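Added example (not from this article or Palo Alto Networks) of what to do with the Monitor > Authentication data from the last step once it is exported: the Python below reads a constructed, simplified CSV of authentication events, pairs each user's first-factor result with the second-factor result, and flags sessions where the password was accepted but the DUO factor was denied or never completed. The column layout (time, user, source IP, factor, result, reason) is assumed for the example and is not the exact PAN-OS log export format; the "factor" column plays the role of the Subtype field mentioned above, so map real columns accordingly.

```python
import csv
import io
from collections import defaultdict

# Constructed sample events in an assumed simplified layout:
# time,user,source_ip,factor,result,reason  (factor is "primary" or "mfa")
SAMPLE_LOG = """\
2020-08-14 21:30:01,alice,192.0.2.10,primary,success,
2020-08-14 21:30:09,alice,192.0.2.10,mfa,success,duo push approved
2020-08-14 21:31:15,bob,192.0.2.11,primary,success,
2020-08-14 21:31:50,bob,192.0.2.11,mfa,failure,duo push denied
2020-08-14 21:32:02,carol,192.0.2.12,primary,failure,invalid credentials
2020-08-14 21:33:40,dave,192.0.2.13,primary,success,
"""

FIELDS = ["time", "user", "src", "factor", "result", "reason"]


def parse_events(text: str) -> list:
    """Parse the CSV text into a list of event dicts keyed by FIELDS."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))


def summarize(events: list) -> dict:
    """Collapse events per (user, source IP) into the latest result for each factor."""
    sessions = defaultdict(lambda: {"primary": None, "mfa": None})
    for ev in events:
        sessions[(ev["user"], ev["src"])][ev["factor"]] = ev["result"]
    return sessions


def flag_sessions(events: list) -> list:
    """Return (user, src, finding) tuples for sessions that need attention.

    mfa_denied     - password accepted, then the second factor was rejected or denied;
                     a denied push after a correct password is the classic sign of a
                     compromised password, so these deserve a follow-up.
    mfa_missing    - password accepted but no second-factor event at all; either the user
                     abandoned the portal or the Authentication Profile is not enforcing
                     the Factors tab for that rule.
    primary_failed - credentials rejected before MFA was ever attempted.
    """
    findings = []
    for (user, src), s in summarize(events).items():
        if s["primary"] == "failure":
            findings.append((user, src, "primary_failed"))
        elif s["primary"] == "success" and s["mfa"] == "failure":
            findings.append((user, src, "mfa_denied"))
        elif s["primary"] == "success" and s["mfa"] is None:
            findings.append((user, src, "mfa_missing"))
    return sorted(findings)


if __name__ == "__main__":
    for user, src, finding in flag_sessions(parse_events(SAMPLE_LOG)):
        print(f"{finding:15} {user:8} {src}")
```

Users who pass both factors (alice in the sample) produce no finding; a steady stream of mfa_missing entries for one rule usually means the Authentication Enforcement object points at a profile without the Factors tab configured rather than user behaviour.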
Additional Information
Palo Alto administration guide:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/authentication-policy/configure-authentication-policy.html#id0ff4d899-df86-4f6f-905e-e7b86c938203
DUO and Palo Alto configuration:
https://duo.com/docs/paloalto