Configure Palo Alto Networks VPN
Configure Palo Alto Networks VPN to use the Okta RADIUS Server agent.
Okta and Palo Alto Networks interoperate through either RADIUS or SAML 2.0. For each Palo Alto gateway, you can assign one or more authentication providers.
Each authentication profile maps to an authentication server, which can be RADIUS, TACAS+, LDAP, etc. Using RADIUS, Okta's agent translates RADIUS authentication requests from the VPN into Okta API calls.
This page describes how to integrate using RADIUS integration for Palo Alto Network VPN when running PanOS versions older than 8.0. It does not describe how to integrate using Palo Alto Networks and SAML.
When running PanOS 8.0, 9.0 or later, use SAML for your integration:
Before you begin
Meet the following network connectivity requirements before you install the Okta RADIUS agent:
Source | Destination | Port/Protocol | Description |
---|---|---|---|
Okta RADIUS Agent | Okta Identity Cloud | TCP/443 HTTP |
Configuration and authentication traffic. |
Client Gateway | Okta RADIUS Agent | UDP/1812 RADIUS (Default, you can change this when you install and configure the RADIUS app) | RADIUS traffic between the gateway (client) and the RADIUS agent (server). |
See Palo Alto Networks VPN supported features and factors for a complete list of supported version, factor and related information.
Limitations
Enroll only a single Okta Verify device. Adding more Okta Verify devices can cause undefined or unexpected behavior.
If you've migrated a RADIUS-configured org from Classic Engine and you configure the Okta Verify authenticator with the number challenge, the challenge may be presented to RADIUS users even though it's not supported. To prevent this, enable the Early Access feature Disable number matching challenge for RADIUS. See Enable self-service features.
Typical workflow
Task |
Description |
---|---|
Download the RADIUS agent | In the Admin Console, go to . Download the appropriate Okta RADIUS Agent for your environment. For throughput, availability, and other considerations, see Okta RADIUS Server Agent Deployment Best Practices. |
Install the Okta agent. | Install Okta RADIUS server agent on Windows |
Configure application | Configure the Palo Alto Networks VPN (RADIUS) application. |
Configure gateway | Use the GlobalProtect Portal tool to configure the Palo Alto Networks VPN. |
Configure optional settings | Configure optional settings. |
Test | Test the integration. |
Troubleshoot | Optional. Troubleshoot the Palo Alto Network VPN integration |