Configure Palo Alto Networks VPN to Interoperate with Okta via RADIUS

Okta and Palo Alto Networks interoperate through either RADIUS or SAML 2.0. For each Palo Alto gateway, you can assign one or more authentication providers. Each authentication profile maps to to an authentication server, which can be RADIUS, TACAS+, LDAP, etc. Using RADIUS, Okta’s agent translates RADIUS authentication requests from the VPN into Okta API calls.

  • For seamless end user experience and enhanced security, integrate your Palo Alto Network VPN to Okta using SAML if you are running PanOS 8.0, 9.0 or newer.

  • Use the Okta RADIUS Server Agent for authentication when running PanOS versions older than 8.0.

This guide details how to configure Palo Alto Networks VPN to use the Okta RADIUS Server Agent.

If you want to integrate with Okta via SAML 2.0, add the Palo Alto Network – <specific_app_name> SAML app in Okta by navigating to the Applications tab, select Applications > Add Application, search for Palo Alto Network – <specific_app_name>, then click Add.

For SAML, these are the Palo Alto Networks apps we support and their use cases. Be sure to select the appropriate app from the OIN when setting up the app in Okta.

App Use Case
GlobalProtect For Client and Clientless VPN
Captive Portal For captive portal deployments to provide userid to ip mappings through SAML
Admin UI For administrators of Palo Alto devices to access Panorama or the Firewall admin UI
Feature Supported

Notes
Authentication with Okta Credentials via RADIUS Yes

 
Authentication with Okta Credentials via SAML No

Palo Alto VPN does not support SAML.
Multi-factor authentication via RADIUS Yes

 

Multi-factor authentication via SAML

No

Palo Alto VPN does not support SAML.

Multi-factor authentication via RADIUS

No

 

Some integrations interoperate with Okta through either RADIUS or SAML 2.0. The following screen shots compare the two end-user experiences.

SAML end-user experience

RADIUS end-user experience

There are several advantages to using SAML integrations when available.

  1. SAML provides a rich, intuitive and consistent login experience. RADIUS interacts with a text-based challenge with inconsistent formatting. Using SAML can reduce user training and support requirements and the consistent sign in experience with SAML makes users less susceptible to phishing attempts.

  2. SAML integrations provide more security as credentials are exposed to fewer parties.

  3. SAML integrations run with a simplified infrastructure. The do not require running on-premise agents and require little maintenance. The user agent (web browser, VPN client, etc.) is used to transmit messages in a secure manor; therefore, there is no need for the service provider (firewall or application server) to connect to Okta. Federation is established through a one-time exchange of SAML metadata. This one-time setup establishes trust for ongoing transactions.

  4. Okta SAML integrations are very robust and include adaptive MFA and provisioning.

There are five parts to the configuration, including optional settings. Troubleshooting help and a list of additional resources are also provided.

Configuring the Palo Alto Networks VPN to use the Okta RADIUS Agent requires pre-configuration of the RADIUS agent.

  1. Download the Okta RADIUS Agent from the Settings > Downloads page in Okta.
  2. Install the agent using the instructions in Installing and Configuring the Okta RADIUS Server Agent.
  3. For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.

After installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity

Source Destination Port/Protocol Description
Okta RADIUS Agent Okta Identity Cloud tcp/443
http		 Configuration and authentication traffic
Palo Alto Network device Okta RADIUS Agent udp/1812 RADIUS (actual port number defined in next step) RADIUS traffic between the firewall (client) and the RADIUS Agent (server)

In this step, add the Palo Alto Networks VPN (RADIUS) app from the OIN and apply settings specific to your deployment. In this section we will configure the following:

  • Authentication configuration

  • UDP Port

  • Secret Key

  • Application Username Format

Info

Note

The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations.
For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.

There are some optional advanced radius configuration options that are listed at the end of this document to help with Reporting the Client IP and Sending Groups information to the firewall.

  1. In Okta, navigate to Applications > Applications> Add Application, search for Palo Alto Networks VPN (RADIUS), and then click Add Application:

  2. Enter a unique name.

  3. Provide the following Sign On values:

    • Authentication: Retaining this default button allows Okta to perform primary authentication.

    • UDP Port: Required. Each RADIUS app has a unique number. Enter it here.

    • Secret Key: Required. Enter the secret key that will be used to encrypt and decrypt the user password. This key must be identical to what is configured on the Palo Alto Networks VPN (RADIUS) app.

    • Application username format:This determines how the RADIUS client sends in the username. Select an option from the drop-down menu.

  4. After completing the setup, assign the app to the users/groups that require access.

For additional information, including guidance on advanced authentication and adaptive multifactor configuration options, see Using the Okta RADIUS App.

In Part 3 you define a RADIUS Server Profile, define an Authentication Profile for Okta Palo Alto RADIUS Agent, apply the Okta RADIUS Authentication Profile to a Gateway, and configure the GlobalProtect Portal to use the Okta RADIUS Authentication Profile. Complete these using the Palo Alto Networks RADIUS Server Profile.

Step 1 – Define a RADIUS Server Profile

  1. Sign in to the Palo Alto Networks Admin console with sufficient privileges
  2. Navigate to Device > Server Profile > Radius, and then click Add to define a new RADIUS server. The screen shown below opens.

  3. Enter a profile name that is unique and appropriate, and enter the following server settings, as shown above.

    • Timeout (sec): 60

    • Authentication Protocol: PAP

    • Retries: 1

  4. Click Add in the screen shown above to define a server. Enter the following settings:

    • Name: Unique and appropriate name

    • Radius Server: IP Address of the Server you installed the Okta Palo Alto Radius Agent above.

    • Secret: The Radius Secret you defined in the Okta Radius App above.

    • Port: The UDP Port you defined in the Okta Palo Alto Radius App above.

  5. Click OK to save the settings.

Step 2 – Define an Authentication Profile for Okta Palo Alto RADIUS Agent

  1. Select Device > Authentication Profile and then click Add to define an Authentication Profile.

  2. Click Authentication tab. The screen shown below opens.

  3. Leave the default settings except for the following

    • Type: RADIUS

    • Server Profile: Enter the name of the Server Profile you defined in Step 1, above.

  4. When done, click OK.
  5. In the Authentication Profile screen, click the Advanced tab.
  6. In the screen shown below, select Add to assign an Allow List. Then, select All from the displayed options.

  7. Click OK to save the settings.

  8. Click Commit to save the Okta RADIUS Authentication Profile.

  9. Open the Palo Alto Networks Administrative Shelll and test the Authentication Profile, as described in Test the Authentication Profile, in the Troubleshooting section, below.

Step 3: Apply the Okta RADIUS Authentication Profile to a Gateway

  1. Select Network > GlobalProtect > Gateways and open your configured GlobalProtect Gateway.
  2. Select the Authentication tab to define Client Authentication Settings.
  3. Click Add to update Client Authentication to the Okta RADIUS Authentication Profile you just configured.
  4. Leave the default settings except for the following:
    • Name: Unique and appropriate name
    • OS: Any
    • Authentication Profile: Enter the Authentication Profile you configuredabove.
    • Authentication Message: Enter appropriate instructions for end users such as Enter login credentials.

  5. Click OK to save the settings.

Step 4: Configure the GlobalProtect Portal to use the Okta RADIUS Authentication Profile

Note: The step applies the same settings that you just applied to you GlobalProtect Gateway to the GlobalProtect Portal.

  1. Select Network > GlobalProtect > Portals and open your configured GlobalProtect Portal.
  2. Select the Authentication tab to define Client Authentication Settings.
  3. Click Add to update Client Authentication to the Okta RADIUS Authentication Profile you just configured.
  4. Leave the default settings except for the following:
    • Name: Unique and appropriate name
    • OS: Any
    • Authentication Profile: Enter the Authentication Profile you configuredabove.
    • Authentication Message: Enter appropriate instructions for end users such as Enter login credentials.

  5. Click OK to save the settings.

Step 5: Commit all Settings

Click Commit to save the Okta RADIUS configuration within the Palo Alto Networks Admin Console.

There are two configuration tests for the flows, shown in the following network diagram.

 

  1. Open the GlobalProtect Client and then, enter your Username and Password and click OK.

    Note: The username must be in the format you specified when you added the app in Okta in Part 2, above.

  2. When the challenge screen appears, enter the number corresponding to the appropriate second factor and click OK.

    Note: Users are challenged for a second factor to use based on the devices they have enrolled.

  3. Enter the value for the chosen second factor, or accept the out-of-band push notification.

  4. Verify that you are connected to the VPN.

  1. Open a web browser and navigate to your GlobalProtect portal page, then, enter your Username and Password and click LOG IN.

  2. When the challenge screen appears,enter the number corresponding to the appropriate second factor and click LOG IN.

    Note: Users are challenged for a second factor to use based on the devices they have enrolled.

  3. Enter the value for the chosen second factor, or accept the out-of-band push notification.

  4. Verify that you are connected to the VPN. The GlobalProtect page loads to your user credentials

There are two optional settings you can configure, Client IP Reporting and Groups response.

Configure Client IP Reporting

The Palo Alto Networks Gateway does not report the Client IP address by default. For Devices running PAN-OS 7 and greater you can configure the device to send this information with the following command from the devices administrative shell.

set authentication radius-vsa-on client-source-ip

The Palo Alto Networks NGFW does not Send the Client IP using the standard Attribute Value Pairs (AVP) like 31 (Calling-Station-Id). Instead, it sends the data using a Vendor Specific Attribute (VSA). To configure Okta to parse, report, and eventually enforce policy based on the source client IP Address, configure the Okta Palo Alto Radius App in the Okta Admin Console.

Enter the following settings in Advanced RADIUS Settings, as shown below.

  • Client IP: Check Report client IP.
  • RADIUS End User IP Attributes: 26 Vendor-Specific, 7

Configure Groups Response

The Palo Alto Network Gateway does not receive groups using the standard Attribute Value Pairs (AVP) of 11 (Filter-Id) and 25 (Class). Instead it relies on Vendor Specific Attributes that Okta does not support.

For additional information on leveraging functionality from Vendor Specific Attributes that are not supported natively in Okta, please contact your Okta Customer Support Manager or Account Representative.

Review the Authentication Logs

  1. Open a web browser and navigate to the GlobalProtect Admin Page, or open the Palo Alto Networks Panorama.
  2. Navigate to Monitor > Authentication.
  3. In the search filter enter: subtype eq Radius.
  4. Open the Palo Alto Networks Administrative Shell and run the following commands:
    • debug authentication on dump
    • tail follow yes lines 20 mp-log authd.log
  5. Click enter to run the test. Review the logs for detailed output. Sample logs are shown below.

Test the Authentication Profile

Open the Palo Alto Networks Administrative Shell and run the following commands:

test authentication authentication-profile <profile name> username <username> password

where <profile name> and <username> are the values for your organization.

Note: The command line test of the Authentication Profile does not support a second- factor challenge. Receiving a second-factor challenge is validation that the configuration is working.