Configure optional settings

The Palo Alto Networks Gateway supports several optional settings, including:

Configure Client IP Reporting

The Palo Alto Networks NGFW does not Send the Client IP using the standard Attribute Value Pairs (AVP) such as 31 (Calling-Station-Id). Rather, it sends the data using a Vendor Specific Attribute (VSA).

 

To configure Okta to parse, report, and enforce policy based on the source client IP Address, configure the Okta Palo Alto Radius App in the Okta Admin Console.

Enter the following settings in Advanced RADIUS Settings, as shown below.

  • Client IP: Check Report client IP.
  • RADIUS End User IP Attributes: 26 Vendor-Specific, 7

Open the Palo Alto Networks Administrative Shell and run the following commands:

set authentication radius-vsa-on client-source-ip

Configure Groups Response

The Palo Alto Network Gateway does not receive groups using the standard Attribute Value Pairs (AVP) of 11 (Filter-Id) and 25 (Class). Instead it relies on Vendor Specific Attributes.

To configure the app to send RADIUS Group information in vendor specific attributes:

Note

Note

This is an Early Access feature. To enable it, contact Okta Support.

  1. In Okta, navigate to Applications > Applications.
  2. Open the application by clicking its name.
    Tip

    Tip

    You can narrow the set of applications displayed using the Search field.

  3. Select the sign on tab.
  4. Scroll to the Advanced RADIUS Settings section and click Edit.
  5. In the GROUPS RESPONSE section:
    1. Check include groups in RADIUS response.
    2. In the RADIUS attributes sub section, specify the following:

      Field

      Value

      Comment

      RADIUS attribute

      26-Vendor specific.

      Must be 26-Vendor specific

      vendor specific ID

      Enter one of :
      Cisco - ASA-Group-Policy (3076)

      Citrix-Group-Names (3845)

      Fortinet-Group-Name(12356)

      PaloAlto-User-Group(25461)

      Enter the associated numeric vendor id.
      For example, for Cisco enter 3076.

      Attribute ID

      Cisco - ASA-Group-Policy (25)

      Citrix-Group-Names (16)

      Fortinet-Group-Name(1)

      PaloAlto-User-Group(5)

      Enter the associated numeric attribute id. For example, for Cisco enter 25.


      Important Note

      Important

      Vendor specific ID and Attribute ID are string fields.
      Admins may use any appropriate value for vendors not listed.


      Caution

      Caution

      • The maximum group membership value length is 247 bytes. In situations where length of group memberships or where any group names length exceeds the maximum size truncation will occur and partial values returned.

         

      • In such situations Okta suggests configuring the response as a set of Repeated Attributes as opposed to a single delimited list.
  6. Click Save.

Repeat prompting for credentials and enabling cookies

In certain situations GlobalProtect will prompt twice for credentials when configured with Okta RADIUS. This second prompt can be avoided by enabling cookies for the Global Protect login. In this situation the the GlobalConnect portal generates a cookie that the RADIUS Gateway accepts within a short time window, typically 60 seconds or less.

Enable cookie generation on GlobalProtect Portal:

  1. Connect to the Global Protect Porta.
  2. Navigate to Network > GlobalProtect > Portals.
  3. Open Portal Profile.
  4. Select the Agent tab and then click Agent Config.
  5. Enable Generate cookie for authentication override.
  6. Set the Cookie Lifetime. For RADIUS this is typically 60-90 seconds.
  7. Select Certificate to Encrypt/Decrypt Cookie.

Enable Cookie Acceptance in GlobalProtect Gateway

  1. Navigate to Network > GlobalProtect > Gateways
  2. Open the Gateway Profile.
  3. Select the Agent tab.
  4. Click Client Settings and open Client Config.
  5. Select the Authentication Override tab and enable Accept cookie for authentication override.
  6. Set the Cookie Lifetime. For RADIUS this is typically 60-90 seconds.
  7. Select Certificate to Encrypt/Decrypt Cookie.
    Note: This must be the same certificate used in the prior step.