Palo Alto Networks supported features and factors

Palo Alto Networks supports the following versions, clients, features and factors.

Supported features

The following Okta features are supported:

Feature Supported

Notes

Authentication with Okta Credentials via RADIUS Yes

 

Authentication with Okta Credentials via SAML.

No

The RADIUS Integration for Palo Alto VPN does not support SAML.

Multi-factor authentication via RADIUS Yes

 

Multi-factor authentication via SAML Yes

The RADIUS Integration for Palo Alto VPN does not support MFA using SAML.

Supported factors

The following MFA Factors are supported:

Important Note

When integrating with Okta RADIUS, the maximum supported number of enrolled factors is dependent on the size of resulting challenge message. Okta recommends that no more than eight ( 8 ) be enrolled at one time.

MFA Factor Password Authentication Protocol
PAP
Extensible Authentication Protocol - Generic Token Card
EAP-GTC
Extensible Authentication Protocol - Tunneled Transport Layer Security
EAP-TTLS
Custom TOTP Authentication Supported Supported Supported
Duo(Push, SMS and Passcode only) Supported Not supported Not supported

Email

Supported

Supported

Not supported

Google Authenticator Supported Supported Supported - as long as challenge is avoided.
For example MFA only or password, MFA.

Okta Verify (TOTP and PUSH)

Supported Supported Supported - as long as challenge is avoided.
For example:
MFA-only or password, MFA for TOTP.
Push can work with primary auth + MFA as the push challenge is sent out-of-band.

RSA Token

Supported

Supported

Supported

Security Question

Supported Supported Not supported
SMS authentication Supported Supported Not supported
Symantec VIP Supported Supported Supported

Voice Call

Supported Supported Not supported

YubiKey

Supported Supported Supported
Caution

EAP-TTLS does not support enrollment
Authentication will fail unexpectedly when EAP-TTLS is enabled, either Okta Verify or Phone are specified as required enrollment policy, and the user is not enrolled in that factor.

Info

Note

The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations.
For additional information about the RADIUS apps refer to Configuring RADIUS applications in Okta.