Configure optional settings

The Palo Alto Networks Gateway supports several optional settings, including:

Configure Client IP Reporting

The Palo Alto Networks NGFW does not send the client IP using a standard Attribute Value Pair (AVP) such as 31 (Calling-Station-Id). Instead, it sends the data in a Vendor Specific Attribute (VSA).

To configure Okta to parse, report, and enforce policy based on the source client IP Address, configure the Okta Palo Alto Radius App in the Okta Admin Console.

Enter the following settings in Advanced RADIUS Settings, as shown below.

  • Client IP: Check Report client IP.
  • RADIUS End User IP Attributes: 26 Vendor-Specific, 7

Open the Palo Alto Networks Administrative Shell and run the following commands:

set authentication radius-vsa-on client-source-ip

Configure Groups Response

The Palo Alto Networks Gateway does not receive groups using the standard Attribute Value Pairs (AVP) of 11 (Filter-Id) and 25 (Class). Instead, it relies on Vendor Specific Attributes.

The vendors listed in the steps below are only a subset of the vendors that can take advantage of groups in the RADIUS response. If your vendor can take advantage of groups in the RADIUS response and is not listed:

  1. Determine the unique vendor code or ID. The vendor ID identifies the vendor the content is targeted for and is entered as Vendor specific ID. For example, Cisco refers to this value as RADIUS Vendor ID, and Citrix uses Vendor code.
  2. Determine the vendor specific code associated with group policy. The vendor specific group code tells the vendor that this field contains group name values and is entered as Attribute ID.
    For example, Cisco uses value 25 to indicate Group-Policy.

To configure the app to send RADIUS Group information in vendor specific attributes:

Early Access release

  1. In the Admin Console, go to Applications > Applications.
  2. Open the application by clicking its name.

    You can narrow the set of applications displayed using the Search field.

  3. Select the Sign on tab.
  4. Scroll to the Advanced RADIUS Settings section and click Edit.
  5. In the GROUPS RESPONSE section:
    1. Check include groups in RADIUS response.
    2. In the RADIUS attributes sub section, specify the following:

      Field: RADIUS attribute
        Value: 26-Vendor specific
        Comment: Must be 26-Vendor specific.

      Field: Vendor specific ID
        Value: Enter one of:
          • Cisco - ASA-Group-Policy (3076)
          • Citrix-Group-Names (3845)
          • Fortinet-Group-Name (12356)
          • PaloAlto-User-Group (25461)
        Comment: Enter the associated numeric vendor ID. For example, for Cisco enter 3076.
          Unlisted - The unique vendor code or ID. For example, Cisco refers to this value as RADIUS Vendor ID, and Citrix uses Vendor code.

      Field: Attribute ID
        Value:
          • Cisco - ASA-Group-Policy (25)
          • Citrix-Group-Names (16)
          • Fortinet-Group-Name (1)
          • PaloAlto-User-Group (5)
        Comment: Enter the associated numeric attribute ID. For example, for Cisco enter 25.
          Unlisted - The unique vendor specific code associated with group policy. For example, Cisco uses value 25 to indicate Group-Policy.

      Vendor specific ID and Attribute ID are string fields.


      • The maximum group membership value length is 247 bytes. If the length of the group memberships, or the length of any group name, exceeds the maximum size, truncation occurs and partial values are returned.
      • In such situations Okta suggests configuring the response as a set of Repeated Attributes as opposed to a single delimited list.
  6. Click Save.
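
The 247-byte limit and the repeated-attributes recommendation above, as an added example (not Okta or Palo Alto Networks code). It encodes groups into RFC 2865 Vendor-Specific attributes using the PaloAlto-User-Group IDs from this page; the comma delimiter, the byte-cut truncation model, the one-sub-attribute-per-VSA layout, and the sample group names are assumptions made for illustration.

```python
import struct

VENDOR_SPECIFIC = 26               # RADIUS attribute type for VSAs (RFC 2865)
MAX_VSA_VALUE = 255 - 2 - 4 - 2    # 247: max attribute minus type/len, vendor ID, sub type/len
PALO_ALTO, USER_GROUP = 25461, 5   # PaloAlto-User-Group vendor ID and attribute ID (from this page)

def encode_vsa(vendor_id, attr_id, value):
    """Build one Vendor-Specific attribute holding a single sub-attribute."""
    if len(value) > MAX_VSA_VALUE:
        raise ValueError(f"value is {len(value)} bytes, limit is {MAX_VSA_VALUE}")
    sub = struct.pack("!BB", attr_id, len(value) + 2) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6, vendor_id) + sub

def decode_vsas(buf):
    """Return [(vendor_id, attr_id, value)] for each type-26 attribute in buf."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = buf[pos], buf[pos + 1]
        if a_len < 2 or pos + a_len > len(buf):
            raise ValueError("bad attribute length")
        if a_type == VENDOR_SPECIFIC:
            if a_len < 8:
                raise ValueError("VSA too short")
            vendor_id, v_type, v_len = struct.unpack("!IBB", buf[pos + 2:pos + 8])
            if v_len < 2 or v_len + 6 > a_len:
                raise ValueError("bad sub-attribute length")
            out.append((vendor_id, v_type, buf[pos + 8:pos + 6 + v_len]))
        pos += a_len
    return out

def groups_delimited(groups, sep=","):
    """One attribute with a joined list, cut at 247 bytes (assumed truncation model)."""
    return encode_vsa(PALO_ALTO, USER_GROUP, sep.join(groups).encode()[:MAX_VSA_VALUE])

def groups_repeated(groups):
    """One attribute per group, so only an over-long single name could be cut."""
    return b"".join(encode_vsa(PALO_ALTO, USER_GROUP, g.encode()) for g in groups)

def recovered(buf, sent, sep=","):
    """Group names a receiver gets back intact from the encoded attributes."""
    names = [n for _, _, v in decode_vsas(buf) for n in v.decode().split(sep)]
    return [n for n in names if n in sent]

# Constructed sample: 20 group names of 24 bytes each (499 bytes when joined).
SAMPLE = [f"vpn-group-{i:02d}-engineering" for i in range(20)]

if __name__ == "__main__":
    print(len(recovered(groups_delimited(SAMPLE), SAMPLE)), "of 20 via delimited list")
    print(len(recovered(groups_repeated(SAMPLE), SAMPLE)), "of 20 via repeated attributes")
```

Groups that fall off the end of a truncated list never reach the gateway, so any policy keyed on them silently fails to match; repeated attributes avoid that as long as each individual name fits in 247 bytes.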

Repeat prompting for credentials and enabling cookies

In certain situations GlobalProtect prompts twice for credentials when configured with Okta RADIUS. This second prompt can be avoided by enabling cookies for the GlobalProtect login. In this situation the GlobalProtect portal generates a cookie that the RADIUS Gateway accepts within a short time window, typically 60 seconds or less.

Enable cookie generation on GlobalProtect Portal:

  1. Connect to the GlobalProtect Portal.
  2. Navigate to Network > GlobalProtect > Portals.
  3. Open Portal Profile.
  4. Select the Agent tab and then click Agent Config.
  5. Enable Generate cookie for authentication override.
  6. Set the Cookie Lifetime. For RADIUS this is typically 60-90 seconds.
  7. Select Certificate to Encrypt/Decrypt Cookie.

Enable Cookie Acceptance in GlobalProtect Gateway

  1. Navigate to Network > GlobalProtect > Gateways.
  2. Open the Gateway Profile.
  3. Select the Agent tab.
  4. Click Client Settings and open Client Config.
  5. Select the Authentication Override tab and enable Accept cookie for authentication override.
  6. Set the Cookie Lifetime. For RADIUS this is typically 60-90 seconds.
  7. Select Certificate to Encrypt/Decrypt Cookie. Note: This must be the same certificate used in the prior step.