Configure optional settings
The Palo Alto Networks Gateway supports several optional settings.
Configure Client IP Reporting
The Palo Alto Networks next-generation firewall (NGFW) doesn't send the client IP using the standard attribute value pairs (AVP), such as 31 (Calling-Station-Id). It sends the data using a vendor-specific attribute (VSA) instead.
Follow these steps to configure Okta to parse, report, and enforce policy based on the source client IP address:
-
In the Admin Console, go to .
- In the list of applications, find Okta Palo Alto Radius App.
- In the Advanced RADIUS Settings section, select Report Client IP.
- For RADIUS End User IP Attributes, select 26 Vendor-Specific, and then enter 7.
- Click Save.
- Open the Palo Alto Networks administrative shell and run this command:
set authentication radius-vsa-on client-source-ip
Configure Groups Response options
The Palo Alto Network Gateway doesn't receive groups using the standard AVP of 11 (Filter-Id) and 25 (Class). It uses a VSA instead.
To configure the app to send RADIUS group information in vendor-specific attributes, complete the following steps:
- In the Admin Console, go to .
- Find the application using the Search field and then click its name in the search results.
- Select the Sign on tab.
- Scroll to the Advanced RADIUS Settings section and then click Edit.
- In the Groups Response section, complete the following options:
- Select Include groups in RADIUS response.
- In the RADIUS attribute subsection, select 26-Vendor specific.
- In the Vendor Specific ID field, enter the numeric vendor ID code for your product:
- Cisco ASA-Group-Policy: 3076
- Citrix Group-Names: 3845
- Fortinet Group-Name: 12356
- Palo Alto User-Group: 25461
If your vendor-specific ID doesn't appear here, search for it in the documentation for your product.
- In the Attribute ID field, enter the numeric attribute ID for your product:
- Cisco ASA-Group-Policy: 25
- Citrix Group-Names: 16
- Fortinet Group-Name: 1
- Palo Alto User-Group: 5
If your attribute ID doesn't appear here, search for the group policy attribute in the documentation for your product.
- Click Save.
The maximum length of the group membership value is 247 bytes. If the group name length exceeds this limit, it's truncated and partial values are returned. Configure the response as a set of repeated attributes instead of using a single delimited list.
Avoid double credential prompts in GlobalProtect
In certain situations GlobalProtect prompts twice for credentials when configured with Okta RADIUS. You can avoid this by enabling cookies for the GlobalProtect sign-in process. The GlobalProtect portal generates a cookie after a user signs in. The RADIUS Gateway accepts this cookie within a short time window, typically 60 seconds or less.
Enable cookie generation on GlobalProtect Portal
- Connect to the GlobalProtect Portal.
- Go to .
- Click Portal Profile.
- Select the Agent tab and then click Agent Config.
- Enable Generate cookie for authentication override.
- In Cookie Lifetime, enter the lifetime in seconds. For RADIUS, this is typically 60-90 seconds.
- In Encrypt/Decrypt Cookie, select a certificate.
Enable cookie acceptance in GlobalProtect Gateway
- Go to .
- Open the Gateway Profile.
- Select the Agent tab.
- Click Client Settings, and then click Client Config.
- Select the Authentication Override tab and enable Accept cookie for authentication override.
- In Cookie Lifetime, enter the lifetime in seconds. For RADIUS this is typically 60-90 seconds.
- In Encrypt/Decrypt Cookie, select a certificate. Select the same certificate that you selected in Enable cookie generation on GlobalProtect Portal.