Configure Palo Alto Networks VPN to Interoperate with Okta via RADIUS

Okta and Palo Alto Networks interoperate through either RADIUS or SAML 2.0. For each Palo Alto gateway, you can assign one or more authentication providers. Each authentication profile maps to to an authentication server, which can be RADIUS, TACAS+, LDAP, etc. Using RADIUS, Okta’s agent translates RADIUS authentication requests from the VPN into Okta API calls.

Important Note

Important

This page describes how to integrate using RADIUS integration for Palo Alto Network VPN when running PanOS versions older than 8.0. It does not describe how to integrate using Palo Alto Networks and SAML.  
When running PanOS 8.0, 9.0 or newer integrate using SAML. For more information see:

  • For seamless end user experience and enhanced security, integrate your Palo Alto Network VPN to Okta using SAML if you are running PanOS 8.0, 9.0 or newer.

  • Use the Okta RADIUS Server Agent for authentication when running PanOS versions older than 8.0.

This guide details how to configure Palo Alto Networks VPN to use the Okta RADIUS Server Agent.

If you want to integrate with Okta via SAML 2.0, add the Palo Alto Network – <specific_app_name> SAML app in Okta by navigating to the Applications tab, select Applications > Add Application, search for Palo Alto Network – <specific_app_name>, then click Add.

For SAML, these are the Palo Alto Networks apps we support and their use cases. Be sure to select the appropriate app from the OIN when setting up the app in Okta.

App Use Case
GlobalProtect For Client and Clientless VPN
Captive Portal For captive portal deployments to provide userid to ip mappings through SAML
Admin UI For administrators of Palo Alto devices to access Panorama or the Firewall admin UI
Feature Supported

Notes
Authentication with Okta Credentials via RADIUS Yes

 

Authentication with Okta Credentials via SAML.

No

The RADIUS Integration for Palo Alto VPN does not support SAML.
Multi-factor authentication via RADIUS Yes

 
Multi-factor authentication via SAML Yes

The RADIUS Integration for Palo Alto VPN does not support MFA using SAML.

The following MFA Factors are supported:

 

MFA Factor Password Authentication Protocol
PAP		 Extensible Authentication Protocol - Generic Token Card
EAP-GTC		 Extensible Authentication Protocol - Tunneled Transport Layer Security
EAP-TTLS
Okta Verify (TOTP and PUSH) Supported Supported Supported - as long as challenge is avoided.
For example:
MFA-only or password, MFA for TOTP.
Push can work with primary auth + MFA as the push challenge is sent out-of-band.
Voice Call Supported Supported Not supported
SMS Authentication Supported Supported Not supported
Google Authenticator Supported Supported Supported - as long as challenge is avoided.
For example MFA only or password, MFA.
Symantec VIP Supported Supported Supported
Security Question Supported Supported Not supported
Custom TOTP Authentication Supported Supported Not supported
Duo(Push, SMS and Passcode only) Supported Supported Supported (passcode, Push)
YubiKey Supported Supported Supported

RSA Token

Supported

Supported

Supported

Email

Supported

Supported

Not supported
Info

Note

The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations.
For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.


Some integrations interoperate with Okta through either RADIUS or SAML 2.0. The following screen shots compare the two end-user experiences.

SAML end-user experience

RADIUS end-user experience

Note

Note

The Yubikey factor doesn't appear in the menu as an option.
The end user must enter the Yubikey code into the Response field and click Continue.

There are several advantages to using SAML integrations when available.

  1. SAML provides a rich, intuitive and consistent login experience. RADIUS interacts with a text-based challenge with inconsistent formatting. Using SAML can reduce user training and support requirements and the consistent sign in experience with SAML makes users less susceptible to phishing attempts.

  2. SAML integrations provide more security as credentials are exposed to fewer parties.

  3. SAML integrations run with a simplified infrastructure. The do not require running on-premise agents and require little maintenance. The user agent (web browser, VPN client, etc.) is used to transmit messages in a secure manner; therefore, there is no need for the service provider (firewall or application server) to connect to Okta. Federation is established through a one-time exchange of SAML metadata. This one-time setup establishes trust for ongoing transactions.

  4. Okta SAML integrations are very robust and include adaptive MFA and provisioning.

There are five parts to the configuration, including optional settings. Troubleshooting help and a list of additional resources are also provided.

Configuring the Palo Alto Networks VPN to use the Okta RADIUS Agent requires pre-configuration of the RADIUS agent.

  1. Download the Okta RADIUS Agent from the Settings > Downloads page in Okta.
  2. Install the agent using the instructions in Installing and Configuring the Okta RADIUS Server Agent.
  3. For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.

After installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity

Source Destination Port/Protocol Description
Okta RADIUS Agent Okta Identity Cloud TCP/443
HTTP		 Configuration and authentication traffic
Palo Alto Network device Okta RADIUS Agent UDP/1812 RADIUS (actual port number defined in next step) RADIUS traffic between the firewall (client) and the RADIUS Agent (server)

In this step, add the Palo Alto Networks VPN (RADIUS) app from the OIN and apply settings specific to your deployment. In this section we will configure the following:

  • Authentication configuration

  • UDP Port

  • Secret Key

  • Application Username Format

Info

Note

The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations.
For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.

There are some optional advanced radius configuration options that are listed at the end of this document to help with Reporting the Client IP and Sending Groups information to the firewall.

  1. In Okta, navigate to Applications > Applications> Add Application, search for Palo Alto Networks VPN (RADIUS), and then click Add Application:

  2. Enter a unique name.

  3. Provide the following Sign On values:

    • Authentication: Retaining this default button allows Okta to perform primary authentication.

    • UDP Port: Required. Each RADIUS app has a unique number. Enter it here.

    • Secret Key: Required. Enter the secret key that will be used to encrypt and decrypt the user password. This key must be identical to what is configured on the Palo Alto Networks VPN (RADIUS) app.

    • Application username format:This determines how the RADIUS client sends in the username. Select an option from the drop-down menu.

  4. After completing the setup, assign the app to the users/groups that require access.

For additional information, including guidance on advanced authentication and adaptive multifactor configuration options, see Using the Okta RADIUS App.

In Part 3 you define a RADIUS Server Profile, define an Authentication Profile for Okta Palo Alto RADIUS Agent, apply the Okta RADIUS Authentication Profile to a Gateway, and configure the GlobalProtect Portal to use the Okta RADIUS Authentication Profile. Complete these using the Palo Alto Networks RADIUS Server Profile.

Step 1 – Define a RADIUS Server Profile

  1. Sign in to the Palo Alto Networks Admin console with sufficient privileges
  2. Navigate to Device > Server Profile > Radius, and then click Add to define a new RADIUS server. The screen shown below opens.

  3. Enter a profile name that is unique and appropriate, and enter the following server settings, as shown above.

    • Timeout (sec): 60

    • Authentication Protocol: PAP

    • Retries: 1

  4. Click Add in the screen shown above to define a server. Enter the following settings:

    • Name: Unique and appropriate name

    • Radius Server: IP Address of the Server you installed the Okta Palo Alto Radius Agent above.

    • Secret: The Radius Secret you defined in the Okta Radius App above.

    • Port: The UDP Port you defined in the Okta Palo Alto Radius App above.

  5. Click OK to save the settings.

Step 2 – Define an Authentication Profile for Okta Palo Alto RADIUS Agent

  1. Select Device > Authentication Profile and then click Add to define an Authentication Profile.

  2. Click Authentication tab. The screen shown below opens.

  3. Leave the default settings except for the following

    • Type: RADIUS

    • Server Profile: Enter the name of the Server Profile you defined in Step 1, above.

  4. When done, click OK.
  5. In the Authentication Profile screen, click the Advanced tab.
  6. In the screen shown below, select Add to assign an Allow List. Then, select All from the displayed options.

  7. Click OK to save the settings.

  8. Click Commit to save the Okta RADIUS Authentication Profile.

  9. Open the Palo Alto Networks Administrative Shelll and test the Authentication Profile, as described in Test the Authentication Profile, in the Troubleshooting section, below.

Step 3: Apply the Okta RADIUS Authentication Profile to a Gateway

  1. Select Network > GlobalProtect > Gateways and open your configured GlobalProtect Gateway.
  2. Select the Authentication tab to define Client Authentication Settings.
  3. Click Add to update Client Authentication to the Okta RADIUS Authentication Profile you just configured.
  4. Leave the default settings except for the following:
    • Name: Unique and appropriate name
    • OS: Any
    • Authentication Profile: Enter the Authentication Profile you configuredabove.
    • Authentication Message: Enter appropriate instructions for end users such as Enter login credentials.

  5. Click OK to save the settings.

Step 4: Configure the GlobalProtect Portal to use the Okta RADIUS Authentication Profile

Note: The step applies the same settings that you just applied to you GlobalProtect Gateway to the GlobalProtect Portal.

  1. Select Network > GlobalProtect > Portals and open your configured GlobalProtect Portal.
  2. Select the Authentication tab to define Client Authentication Settings.
  3. Click Add to update Client Authentication to the Okta RADIUS Authentication Profile you just configured.
  4. Leave the default settings except for the following:
    • Name: Unique and appropriate name
    • OS: Any
    • Authentication Profile: Enter the Authentication Profile you configuredabove.
    • Authentication Message: Enter appropriate instructions for end users such as Enter login credentials.

  5. Click OK to save the settings.

Step 5: Commit all Settings

Click Commit to save the Okta RADIUS configuration within the Palo Alto Networks Admin Console.

There are two configuration tests for the flows, shown in the following network diagram.

 

  1. Open the GlobalProtect Client and then, enter your Username and Password and click OK.

    Note: The username must be in the format you specified when you added the app in Okta in Part 2, above.

  2. When the challenge screen appears, enter the number corresponding to the appropriate second factor and click OK.

    Note: Users are challenged for a second factor to use based on the devices they have enrolled.

  3. Enter the value for the chosen second factor, or accept the out-of-band push notification.

  4. Verify that you are connected to the VPN.

  1. Open a web browser and navigate to your GlobalProtect portal page, then, enter your Username and Password and click LOG IN.

  2. When the challenge screen appears,enter the number corresponding to the appropriate second factor and click LOG IN.

    Note: Users are challenged for a second factor to use based on the devices they have enrolled.

  3. Enter the value for the chosen second factor, or accept the out-of-band push notification.

  4. Verify that you are connected to the VPN. The GlobalProtect page loads to your user credentials

There are two optional settings you can configure, Client IP Reporting and Groups response.

Configure Client IP Reporting

The Palo Alto Networks Gateway does not report the Client IP address by default. For Devices running PAN-OS 7 and greater you can configure the device to send this information with the following command from the devices administrative shell.

set authentication radius-vsa-on client-source-ip

The Palo Alto Networks NGFW does not Send the Client IP using the standard Attribute Value Pairs (AVP) like 31 (Calling-Station-Id). Instead, it sends the data using a Vendor Specific Attribute (VSA). To configure Okta to parse, report, and eventually enforce policy based on the source client IP Address, configure the Okta Palo Alto Radius App in the Okta Admin Console.

Enter the following settings in Advanced RADIUS Settings, as shown below.

  • Client IP: Check Report client IP.
  • RADIUS End User IP Attributes: 26 Vendor-Specific, 7

Configure Groups Response

The Palo Alto Network Gateway does not receive groups using the standard Attribute Value Pairs (AVP) of 11 (Filter-Id) and 25 (Class). Instead it relies on Vendor Specific Attributes.

To configure the app to send RADIUS Group information in vendor specific attributes:

Note

Note

This is an Early Access feature. To enable it, contact Okta Support.

  1. In Okta, navigate to Applications > Applications.
  2. Open the application by clicking its name.
    Tip

    Tip

    You can narrow the set of applications displayed using the Search field.

  3. Select the sign on tab.
  4. Scroll to the Advanced RADIUS Settings section and click Edit.
  5. In the GROUPS RESPONSE section:
    1. Check include groups in RADIUS response.
    2. In the RADIUS attributes sub section, specify the following:

      Field

      Value

      Comment

      RADIUS attribute

      26-Vendor specific.

      Must be 26-Vendor specific

      vendor specific ID

      Enter one of :
      Cisco - ASA-Group-Policy (3076)

      Citrix-Group-Names (3845)

      Fortinet-Group-Name(12356)

      PaloAlto-User-Group(25461)

      Enter the associated numeric vendor id.
      For example, for Cisco enter 3076.

      Attribute ID

      Cisco - ASA-Group-Policy (25)

      Citrix-Group-Names (16)

      Fortinet-Group-Name(1)

      PaloAlto-User-Group(5)

      Enter the associated numeric attribute id. For example, for Cisco enter 25.


      Important Note

      Important

      Vendor specific ID and Attribute ID are string fields.
      Admins may use any appropriate value for vendors not listed.


      Caution

      Caution

      • The maximum group membership value length is 247 bytes. In situations where length of group memberships or where any group names length exceeds the maximum size truncation will occur and partial values returned.

         

      • In such situations Okta suggests configuring the response as a set of Repeated Attributes as opposed to a single delimited list.
  6. Click Save.

In certain situations GlobalProtect will prompt twice for credentials when configured with Okta RADIUS. This second prompt can be avoided by enabling cookies for the Global Protect login. In this situation the the GlobalConnect portal generates a cookie that the RADIUS Gateway accepts within a short time window, typically 60 seconds or less.

Enable cookie generation on GlobalProtect Portal:

  1. Connect to the Global Protect Porta.
  2. Navigate to Network > GlobalProtect > Portals.
  3. Open Portal Profile.
  4. Select the Agent tab and then click Agent Config.
  5. Enable Generate cookie for authentication override.
  6. Set the Cookie Lifetime. For RADIUS this is typically 60-90 seconds.
  7. Select Certificate to Encrypt/Decrypt Cookie.

Enable Cookie Acceptance in GlobalProtect Gateway

  1. Navigate to Network > GlobalProtect > Gateways
  2. Open the Gateway Profile.
  3. Select the Agent tab.
  4. Click Client Settings and open Client Config.
  5. Select the Authentication Override tab and enable Accept cookie for authentication override.
  6. Set the Cookie Lifetime. For RADIUS this is typically 60-90 seconds.
  7. Select Certificate to Encrypt/Decrypt Cookie.
    Note: This must be the same certificate used in the prior step.

Review the Authentication Logs

  1. Open a web browser and navigate to the GlobalProtect Admin Page, or open the Palo Alto Networks Panorama.
  2. Navigate to Monitor > Authentication.
  3. In the search filter enter: subtype eq Radius.
  4. Open the Palo Alto Networks Administrative Shell and run the following commands:
    • debug authentication on dump
    • tail follow yes lines 20 mp-log authd.log
  5. Click enter to run the test. Review the logs for detailed output. Sample logs are shown below.

Test the Authentication Profile

Open the Palo Alto Networks Administrative Shell and run the following commands:

test authentication authentication-profile <profile name> username <username> password

where <profile name> and <username> are the values for your organization.

Note: The command line test of the Authentication Profile does not support a second- factor challenge. Receiving a second-factor challenge is validation that the configuration is working.