Configure Palo Alto Networks VPN

Configure Palo Alto Networks VPN to use the Okta RADIUS Server agent.

Okta and Palo Alto Networks interoperate through either RADIUS or SAML 2.0. For each Palo Alto gateway, you can assign one or more authentication providers.

Each authentication profile maps to an authentication server, which can be RADIUS, TACAS+, LDAP, etc. Using RADIUS, Okta's agent translates RADIUS authentication requests from the VPN into Okta API calls.

This page describes how to integrate using RADIUS integration for Palo Alto Network VPN when running PanOS versions older than 8.0. It does not describe how to integrate using Palo Alto Networks and SAML.

When running PanOS 8.0, 9.0 or later, use SAML for your integration:

Before you begin

Meet the following network connectivity requirements before you install the Okta RADIUS agent:

Source Destination Port/Protocol Description
Okta RADIUS Agent Okta Identity Cloud TCP/443

HTTP

Configuration and authentication traffic.
Client Gateway Okta RADIUS Agent UDP/1812 RADIUS (Default, you can change this when you install and configure the RADIUS app) RADIUS traffic between the gateway (client) and the RADIUS agent (server).

See Palo Alto Networks VPN supported features and factors for a complete list of supported version, factor and related information.

Limitations

Enroll only a single Okta Verify device. Adding more Okta Verify devices can cause undefined or unexpected behavior.

If you've migrated a RADIUS-configured org from Classic Engine and you configure the Okta Verify authenticator with the number challenge, the challenge may be presented to RADIUS users even though it's not supported. To prevent this, enable the Early Access feature Disable number matching challenge for RADIUS. See Enable self-service features.

Typical workflow

Task

Description

Download the RADIUS agent In the Admin Console, go to SettingsDownloads. Download the appropriate Okta RADIUS Agent for your environment.

For throughput, availability, and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.

Install the Okta agent. Install Okta RADIUS server agent on Windows

Install Okta RADIUS server agent on Linux

Configure application Configure the Palo Alto Networks VPN (RADIUS) application.
Configure gateway Use the GlobalProtect Portal tool to configure the Palo Alto Networks VPN.
Configure optional settings Configure optional settings.
Test Test the integration.
Troubleshoot Optional. Troubleshoot the Palo Alto Network VPN integration

Related topics