Configure Palo Alto Networks VPN to Interoperate with Okta via RADIUS

Okta and Palo Alto Networks interoperate through either RADIUS or SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. 2.0. For each Palo Alto gateway, you can assign one or more authentication providers. Each authentication profile maps to to an authentication server, which can be RADIUS, TACAS+, LDAPLightweight Directory Access Protocol (LDAP) is a lightweight client-server protocol for accessing directory services, specifically X.500-based directory services. LDAP runs over TCP/IP or other connection oriented transfer services., etc. Using RADIUS, Okta’s agentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. translates RADIUS authentication requests from the VPN into Okta API calls.

For seamless end user experience and enhanced security, integrate your Palo Alto Network VPN to Okta using SAML if you are running PanOS 8.0, 9.0 or newer.
Use the Okta RADIUS Server Agent for authentication when running PanOS versions older than 8.0.

This guide details how to configure Palo Alto Networks VPN to use the Okta RADIUS Server Agent.

If you want to integrate with Okta via SAML 2.0, add the Palo Alto Network – <specific_appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in._name> SAML app in Okta by navigating to the Applications tab, select Applications > Add Application, search for Palo Alto Network – <specific_app_name>, then click Add.

For SAML, these are the Palo Alto Networks apps we support and their use cases. Be sure to select the appropriate app from the OINAn acronym for the Okta Integration Network. The OIN is comprised of thousands of public, pre-integrated business and consumer applications. As an on-demand service, OIN integrations are continuously validated, always up to date, and constantly growing both in number and capability. Okta performs a single integration with an ISV or SP, providing thousands of end users with point-and-click customization for their orgs. when setting up the app in Okta.

App	Use Case
GlobalProtect	For ClientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. and Clientless VPN
Captive Portal	For captive portal deployments to provide userid to ip mappings through SAML
AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. UI	For administrators of Palo Alto devices to access Panorama or the Firewall admin UI

Supported Features

Feature	Supported	Notes
AuthenticationAuthentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual. Authentication methods and protocols include direct auth, delegated auth, SAML, SWA, WS-Fed, and OpenID Connect. with Okta Credentials via RADIUS	Yes
Authentication with Okta Credentials via SAML	No	Palo Alto VPN does not support SAML.
Multi-factor authentication via RADIUS	Yes
Multi-factor authentication via SAML	No	Palo Alto VPN does not support SAML.
Multi-factor authentication via RADIUS	No

Best Practice – When to interoperate with SAML vs. RADIUS

Some integrations interoperate with Okta through either RADIUS or SAML 2.0. The following screen shots compare the two end-user experiences.

SAML end-user experience

RADIUS end-user experience

There are several advantages to using SAML integrations when available.

SAML provides a rich, intuitive and consistent login experience. RADIUS interacts with a text-based challenge with inconsistent formatting. Using SAML can reduce user training and support requirements and the consistent sign in experience with SAML makes users less susceptible to phishing attempts.
SAML integrations provide more security as credentials are exposed to fewer parties.
SAML integrations run with a simplified infrastructure. The do not require running on-premise agents and require little maintenance. The user agent (web browser, VPN client, etc.) is used to transmit messages in a secure manor; therefore, there is no need for the service provider (firewall or application server) to connect to Okta. Federation is established through a one-time exchange of SAML metadata. This one-time setup establishes trust for ongoing transactions.
Okta SAML integrations are very robust and include adaptive MFA and provisioning.

There are five parts to the configuration, including optional settings. Troubleshooting help and a list of additional resources are also provided.

Part 1 – Preconfiguration: Installing, and configuring the Okta RADIUS Agent.

Configuring the Palo Alto Networks VPN to use the Okta RADIUS Agent requires pre-configuration of the RADIUS agent.

Download the Okta RADIUS Agent from the Settings > Downloads page in Okta.
Install the agent using the instructions in Installing and Configuring the Okta RADIUS Server Agent.
For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.

After installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity

Source	Destination	Port/Protocol	Description
Okta RADIUS Agent	Okta Identity Cloud	tcp/443 http	Configuration and authentication traffic
Palo Alto Network device	Okta RADIUS Agent	udp/1812 RADIUS (actual port number defined in next step)	RADIUS traffic between the firewall (client) and the RADIUS Agent (server)

Part 2 – Use the Okta Admin Console to Configure the Okta RADIUS Agent

In this step, add the Palo Alto Networks VPN (RADIUS) app from the OIN and apply settings specific to your deployment. In this section we will configure the following:

Authentication configuration
UDP Port
Secret KeyAn Okta-generated string of characters that allows end users to set up (enroll) their mobile device in to Okta Verify. End users enter the Secret Key in the Okta Verify app during the set up process as an alternative to scanning a QR code.
Application Username Format

Note: The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations. For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.

There are some optional advanced radius configuration options that are listed at the end of this document to help with Reporting the Client IP and Sending GroupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. information to the firewall.

In Okta, navigate to Applications > Applications> Add Application, search for Palo Alto Networks VPN (RADIUS), and then click Add Application:
Enter a unique name.
Provide the following Sign On values:
- Authentication: Retaining this default button allows Okta to perform primary authentication.
- UDP Port: Required. Each RADIUS app has a unique number. Enter it here.
- Secret Key: Required. Enter the secret key that will be used to encrypt and decrypt the user password. This key must be identical to what is configured on the Palo Alto Networks VPN (RADIUS) app.
- Application username format:This determines how the RADIUS client sends in the username. Select an option from the drop-down menu.
After completing the setup, assign the app to the users/groups that require access.

For additional information, including guidance on advanced authentication and adaptive multifactor configuration options, see Using the Okta RADIUS App.

Part 3 – Configure Palo Alto Networks VPN to use the Okta RADIUS App

In Part 3 you define a RADIUS Server Profile, define an Authentication Profile for Okta Palo Alto RADIUS Agent, apply the Okta RADIUS Authentication Profile to a Gateway, and configure the GlobalProtect Portal to use the Okta RADIUS Authentication Profile. Complete these using the Palo Alto Networks RADIUS Server Profile.

Step 1 – Define a RADIUS Server Profile

Sign in to the Palo Alto Networks Admin console with sufficient privileges
Navigate to Device > Server Profile > Radius, and then click Add to define a new RADIUS server. The screen shown below opens.
Enter a profile name that is unique and appropriate, and enter the following server settings, as shown above.
- Timeout (sec): 60
- Authentication Protocol: PAP
- Retries: 1
Click Add in the screen shown above to define a server. Enter the following settings:
- Name: Unique and appropriate name
- Radius Server: IP Address of the Server you installed the Okta Palo Alto Radius Agent above.
- Secret: The Radius Secret you defined in the Okta Radius App above.
- Port: The UDP Port you defined in the Okta Palo Alto Radius App above.
Click OK to save the settings.

Step 2 – Define an Authentication Profile for Okta Palo Alto RADIUS Agent

Select Device > Authentication Profile and then click Add to define an Authentication Profile.
Click Authentication tab. The screen shown below opens.
Leave the default settings except for the following
- Type: RADIUS
- Server Profile: Enter the name of the Server Profile you defined in Step 1, above.
When done, click OK.
In the Authentication Profile screen, click the Advanced tab.
In the screen shown below, select Add to assign an Allow List. Then, select All from the displayed options.
Click OK to save the settings.
Click Commit to save the Okta RADIUS Authentication Profile.
Open the Palo Alto Networks Administrative Shelll and test the Authentication Profile, as described in Test the Authentication Profile, in the Troubleshooting section, below.

Step 3: Apply the Okta RADIUS Authentication Profile to a Gateway

Select Network > GlobalProtect > Gateways and open your configured GlobalProtect Gateway.
Select the Authentication tab to define Client Authentication Settings.
Click Add to update Client Authentication to the Okta RADIUS Authentication Profile you just configured.
Leave the default settings except for the following:
- Name: Unique and appropriate name
- OS: Any
- Authentication Profile: Enter the Authentication Profile you configuredabove.
- Authentication Message: Enter appropriate instructions for end usersEnd users are people in your org without administrative control. They can authenticate into apps from the icons on their My Applications home page, but they are provisioned, deprovisioned, assigned, and managed by admins. such as Enter login credentials.
Click OK to save the settings.

Step 4: Configure the GlobalProtect Portal to use the Okta RADIUS Authentication Profile

Note: The step applies the same settings that you just applied to you GlobalProtect Gateway to the GlobalProtect Portal.

Select Network > GlobalProtect > Portals and open your configured GlobalProtect Portal.
Select the Authentication tab to define Client Authentication Settings.
Click Add to update Client Authentication to the Okta RADIUS Authentication Profile you just configured.
Leave the default settings except for the following:
- Name: Unique and appropriate name
- OS: Any
- Authentication Profile: Enter the Authentication Profile you configuredabove.
- Authentication Message: Enter appropriate instructions for end users such as Enter login credentials.
Click OK to save the settings.

Step 5: Commit all Settings

Click Commit to save the Okta RADIUS configuration within the Palo Alto Networks Admin Console.

Part 4 – Test your Configuration

There are two configuration tests for the flows, shown in the following network diagram.

Test 1 – Test Against the Gateway with the GlobalProtect Client

Open the GlobalProtect Client and then, enter your Username and Password and click OK.

Note: The username must be in the format you specified when you added the app in Okta in Part 2, above.
When the challenge screen appears, enter the number corresponding to the appropriate second factor and click OK.

Note: Users are challenged for a second factor to use based on the devices they have enrolled.
Enter the value for the chosen second factor, or accept the out-of-band push notification.
Verify that you are connected to the VPN.

Part 5 – Configure Optional Settings

There are two optional settings you can configure, Client IP Reporting and Groups response.

Configure Client IP Reporting

The Palo Alto Networks Gateway does not report the Client IP address by default. For Devices running PAN-OS 7 and greater you can configure the device to send this information with the following command from the devices administrative shell.

set authentication radius-vsa-on client-source-ip

The Palo Alto Networks NGFW does not Send the Client IP using the standard Attribute Value Pairs (AVP) like 31 (Calling-Station-Id). Instead, it sends the data using a Vendor Specific Attribute (VSA). To configure Okta to parse, report, and eventually enforce policy based on the source client IP Address, configure the Okta Palo Alto Radius App in the Okta Admin Console.

Enter the following settings in Advanced RADIUS Settings, as shown below.

Client IP: Check Report client IP.
RADIUS End User IP Attributes: 26 Vendor-Specific, 7

Configure Groups Response

The Palo Alto Network Gateway does not receive groups using the standard Attribute Value Pairs (AVP) of 11 (Filter-Id) and 25 (Class). Instead it relies on Vendor Specific Attributes that Okta does not support.

For additional information on leveraging functionality from Vendor Specific Attributes that are not supported natively in Okta, please contact your Okta Customer Support Manager or Account Representative.

Top