Configure Palo Alto Networks VPN to use the Okta RADIUS

To configure the Palo Alto VPN to use RADIUS, follow these procedures using the Palo Alto Networks RADIUS Server Profile:

  1. Define a RADIUS Server Profile
  2. Define an Authentication Profile for Okta Palo Alto RADIUS Agent
  3. Apply the Okta RADIUS Authentication Profile to a Gateway
  4. Configure the GlobalProtect Portal to use the Okta RADIUS Authentication Profile

Before you begin

  • Ensure that you have the common UDP port and secret key values available.

Define a RADIUS Server Profile

  1. Sign in to the Palo Alto Networks Admin Console with sufficient privileges.
  2. Go to Device > Server Profile > Radius, and then click Add to define a new RADIUS server.
  3. Enter a unique profile name, and enter the following server settings:

    • Timeout (sec): 60

    • Authentication Protocol: PAP

    • Retries: 1

  4. Click Add to define a server. Enter the following settings:
    • Name: Unique and appropriate name

    • Radius Server: IP Address of the server where you installed the Okta Palo Alto RADIUS Agent.

    • Secret: The RADIUS Secret you defined in the Okta RADIUS App.

    • Port: The UDP Port you defined in the Okta Palo Alto RADIUS App.

  5. Click OK.

Define an Authentication Profile for Okta Palo Alto RADIUS Agent

  1. Select Device > Authentication Profile and then click Add to define an Authentication Profile.

  2. Select the Authentication tab.

  3. Use the default settings except for the following:
    • Type: RADIUS
    • Server Profile: Enter the name of the Server Profile that you defined previously.
  4. Click OK.
  5. On the Authentication Profile page, select the Advanced tab.
  6. Click Add to assign an Allow List. Select All from the available options.
  7. Click OK to save the settings.
  8. Click Commit to save the Okta RADIUS Authentication Profile.

  9. Open the Palo Alto Networks Administrative Shell and test the Authentication Profile.

Apply the Okta RADIUS Authentication Profile to a Gateway

  1. Select Network > GlobalProtect > Gateways and open your configured GlobalProtect Gateway.
  2. Select the Authentication tab to define Client Authentication Settings.
  3. Click Add to update Client Authentication to the Okta RADIUS Authentication Profile you just configured.
  4. Leave the default settings except for the following:
    • Name: Unique and appropriate name
    • OS: Any
    • Authentication Profile: Enter the Authentication Profile that you configured earlier.
    • Authentication Message: Enter appropriate instructions for end users such as "Enter sign-in credentials".
  5. Click OK to save the settings.

Configure the GlobalProtect Portal to use the Okta RADIUS Authentication Profile

Note: This step applies the same settings that you applied to your GlobalProtect Gateway to the GlobalProtect Portal.

  1. Select Network > GlobalProtect > Portals and open your configured GlobalProtect Portal.
  2. Select the Authentication tab to define Client Authentication Settings.
  3. Click Add to update Client Authentication to the Okta RADIUS Authentication Profile you configured.
  4. Leave the default settings except for the following:
    • Name: Unique and appropriate name
    • OS: Any
    • Authentication Profile: Enter the Authentication Profile that you configured earlier.
    • Authentication Message: Enter appropriate instructions for end users such as "Enter sign-in credentials".
  5. Click OK to save the settings.

Click Commit to save the Okta RADIUS configuration within the Palo Alto Networks Admin Console.