Configure Palo Alto Networks VPN to Interoperate with Okta via RADIUS

Okta and Palo Alto Networks interoperate through either RADIUS or SAML 2.0. For each Palo Alto gateway, you can assign one or more authentication providers. Each authentication profile maps to to an authentication server, which can be RADIUS, TACAS+, LDAP, etc. Using RADIUS, Okta’s agent translates RADIUS authentication requests from the VPN into Okta API calls.

Important Note

Important

This page describes how to integrate using RADIUS integration for Palo Alto Network VPN when running PanOS versions older than 8.0. It does not describe how to integrate using Palo Alto Networks and SAML.  
When running PanOS 8.0, 9.0 or newer integrate using SAML. For more information see:

  • For seamless end user experience and enhanced security, integrate your Palo Alto Network VPN to Okta using SAML if you are running PanOS 8.0, 9.0 or newer.
  • Use the Okta RADIUS Server Agent for authentication when running PanOS versions older than 8.0.

This guide details how to configure Palo Alto Networks VPN to use the Okta RADIUS Server Agent.

If you want to integrate with Okta via SAML 2.0, add the Palo Alto Network – <specific_app_name> SAML app in Okta by navigating to the Applications tab, select Applications > Add Application, search for Palo Alto Network – <specific_app_name>, then click Add.

For SAML, these are the Palo Alto Networks apps we support and their use cases. Be sure to select the appropriate app from the OIN when setting up the app in Okta.

App Use Case
GlobalProtect For Client and Clientless VPN
Captive Portal For captive portal deployments to provide userid to ip mappings through SAML
Admin UI For administrators of Palo Alto devices to access Panorama or the Firewall admin UI

There are five parts to the configuration, including optional settings. Troubleshooting help and a list of additional resources are also provided.