Two-Factor Authentication for Palo Alto GlobalProtect - RADIUS - Rublon

June 21, 2022 By Rublon Authors

Last updated on December 17, 2025

Overview

The purpose of this document is to enable Rublon Two-Factor Authentication (2FA) for users logging in to Palo Alto GlobalProtect VPN. To achieve that using RADIUS (e.g., FreeRADIUS), you have to use Rublon Authentication Proxy, an on-premise RADIUS proxy server, which allows you to integrate Rublon with Palo Alto GlobalProtect VPN to add Two-Factor Authentication to your VPN logins.

Demo Video

YouTube player

Supported Authentication Methods

Authentication Method	Supported	Comments
Mobile Push	✔	N/A
FIDO	–	N/A
Passcode	✔	N/A
SMS Passcode	–	N/A
SMS Link	✔	N/A
Phone Call	✔	N/A
QR Code	–	N/A
Email Link	✔	N/A
YubiKey OTP	✔	N/A
RFID	–	N/A

Before You Start

Before configuring Rublon MFA for Palo Alto GlobalProtect:

Ensure you have prepared all required components.
Create an application in the Rublon Admin Console.
Install the Rublon Authenticator mobile app.

Required Components

1. User Identity Provider (IdP) – You need an external Identity Provider, such as FreeRADIUS or Microsoft NPS.

2. Rublon Authentication Proxy – Install the Rublon Authentication Proxy if you have not already, and configure the Rublon Authentication Proxy as an RADIUS proxy.

3. Palo Alto GlobalProtect – A properly installed and configured Palo Alto GlobalProtect along with the GlobalProtect App.

Create an Application in the Rublon Admin Console

1. Sign up for the Rublon Admin Console. Here’s how.

2. In the Rublon Admin Console, go to the Applications tab and click Add Application.

3. Enter a name for your application (e.g., Palo Alto GlobalProtect) and then set the type to Rublon Authentication Proxy.

4. Click Save to add the new application in the Rublon Admin Console.

5. Copy the values of System Token and Secret Key of the newly created application. You will need them later.

Install Rublon Authenticator

Some end-users may use the Rublon Authenticator mobile app. So, as a person configuring MFA for Palo Alto GlobalProtect, we highly recommend you install the Rublon Authenticator mobile app, too. Thanks to that, you will be able to test MFA for Palo Alto GlobalProtect via Mobile Push.

Download the Rublon Authenticator for:

Configuration

Follow these steps to enable Rublon 2FA for Palo Alto GlobalProtect VPN.

Rublon Authentication Proxy

1. Edit the Rublon Auth Proxy configuration file and paste the previously copied values of System Token and Secret Key in system_token and secret_key, respectively.

2. Config example file in YAML:

global:
  secret_source: plain  # Options: plain, env, vault

log:
  debug: false

rublon:
  api_server: https://core.rublon.net
  system_token: YOURSYSTEMTOKEN
  secret_key: YOURSECRETKEY

proxy_servers:
  - name: RADIUS-Proxy
    type: RADIUS
    radius_secret: YOURRADIUSSECRET
    ip: 0.0.0.0
    port: 1812
    mode: standard
    auth_source: LDAP_SOURCE_1
    auth_method: push,email
    cert_path: /etc/ssl/certs/ca.crt
    pkey_path: /etc/ssl/certs/key.pem
    force_message_authenticator: false

auth_sources:
- name: LDAP_SOURCE_1
  type: LDAP
  ip: 172.16.0.127
  port: 636
  transport_type: ssl
  search_dn: dc=example,dc=org
  access_user_dn: cn=admin,dc=example,dc=org
  access_user_password: CHANGE_ME
  ca_certs_dir_path: /etc/ssl/certs/

See: How to set up LDAPS certificates in the Rublon Authentication Proxy?

3. (Optional) If you want to use the Challenge Mode, change:

mode: standard

To:

mode: challenge

Then, you can set the message displayed on the challenge request:

challenge_request: “Enter Your MFA Code”

If you do not set challenge_request in the config file, the default message will be used instead, as defined in the Rublon Authentication Proxy documentation.

Add RADIUS Server Profile

1. Log in to the Palo Alto administrator panel.

2. Select the Device tab and then select Server Profiles → RADIUS.

3. Click Add at the bottom of the page to add a new RADIUS server.

4. In Profile Name, enter a name for your RADIUS server, e.g., Rublon Authentication Proxy.

5. Set Timeout to 30-60 seconds (60 if you wish to use the Mobile Push authentication method).

6. Set Retries to 3.

7. In Authentication Protocol, select PAP.

Note

For users using older versions of the PAN-OS 7.x, the auth protocol can only be set in the CLI with the command:

set authentication radius-auth-type pap

8. In Servers, click Add and enter the following information.

Name	Enter a name for your RADIUS server, e.g., Rublon Authentication Proxy.
RADIUS Server	Enter the IP address or hostname of your Rublon Authentication Proxy server.
Secret	Enter the RADIUS_SECRET you set in the Rublon Authentication Proxy’s config file.
Port	Enter the port of your Rublon Authentication Proxy server (default: 1812)

9. Click OK to save your new RADIUS server profile.

Add Authentication Profile

1. Go to Device → Authentication Profile.

2. Click Add to add a new authentication profile.

3. Fill in the form. Refer to the following image and table.

Name	Enter a name for your authentication profile, e.g., Rublon Authentication Proxy.
Type	Select RADIUS.
Server Profile	Select the RADIUS Server Profile you have created before.
User Domain	Leave empty.
Username Modifier	%USERINPUT%

4. Select the Advanced tab. In the Allow List, click the Add button and select all.

5. Click OK to save your authentication profile.

Configure GlobalProtect Gateway

1. Select the Network tab.

2. Go to GlobalProtect → Gateways.

3. Click your GlobalProtect Gateway profile name to open its properties.

4. In the newly-opened window, select the Authentication tab.

5. Depending on your configuration, click the current entry under Client Authentication to modify it or create a new one by clicking the Add button.

6. Fill in the Client Authentication form with the following information.

Name	Enter a descriptive name, e.g., GlobalProtect_Rublon.
OS	Any
Authentication Profile	Select the Authentication Profile you have created before.

7. Click OK to save Client Authentication information.

8. (Optional) Thanks to this option, users who have already connected to the VPN will not have to undergo 2FA again when reconnecting. This option also limits the number of requests sent by Rublon when trying to reconnect.

Select the Agent tab, and then select the Client Settings tab.
Select the profile to enter its properties, and go to Authentication Override.
Check both options:

Generate cookie for authentication override
Accept cookie for authentication override (this option requires you to select the SSL certificate imported to GlobalProtect)

Click OK to save the changes.

9. Click OK to save your choices and finish your GlobalProtect Gateway configuration.

Configure GlobalProtect Portal

IMPORTANT

(OPTIONAL) We recommend you leave the GlobalProtect Portal to use standard authentication methods (LDAP, AD, Local user base, etc.) only.

The GlobalProtect Gateway configuration is sufficient for Rublon 2FA to work properly. Configuring GlobalProtect Portal for Rublon 2FA is optional. If you decide to secure the GlobalProtect Portal with Rublon, users may have to authenticate twice when accessing the GlobalProtect Portal, which may disrupt the end-user experience.

1. Select the Network tab and then go to GlobalProtect → Portals.

2. Click your GlobalProtect Portal to open the properties window.

3. In the new window, select the Authentication tab and click the current entry under Client Authentication to modify it or create a new one by clicking the Add button.

4. Fill in the form. Refer to the following image and table.

Name	Enter a descriptive name, e.g., GlobalProtect_Rublon.
OS	Any
Authentication Profile	Select the Authentication Profile you have created before.

5. Click OK to save the settings. Then, click OK again to finish your GlobalProtect Portal configuration.

Commit Your Configuration

1. Click Commit in the upper-right corner of the administrator panel.

2. A new window will open for you to preview changes.

3. Click Commit to make your changes take effect.

Log in to Palo Alto GlobalProtect with Rublon 2FA

This example portrays connecting via the Palo Alto VPN client with Rublon 2FA.

Mobile Push has been set as the second factor in Rublon Authentication Proxy configuration (AUTH_METHOD was set to push)
We assume you have already installed and configured the VPN client. To download the client, log in to the GlobalProtect website and download the VPN client. Note that if you configured the GlobalProtect Portal for Rublon 2FA, you will be required to undergo Rublon 2FA authentication before downloading the client.

To log in to Palo Alto GlobalProtect with Rublon 2FA (and test your configuration):

1. Open your VPN client, enter your portal address, and click Connect.

2. Provide your username and password and click Connect.

3. You will receive a push notification on your phone.

4. Tap APPROVE.

5. You will get connected to Palo Alto GlobalProtect.

Troubleshooting

Blast-RADIUS Vulnerability Protection

RADIUS integrations may enforce the validation of the Message-Authenticator RADIUS attribute as part of their mitigations for the Blast-RADIUS vulnerability.

The Rublon Authentication Proxy supports the Message-Authenticator attribute starting from version 3.5.3. The Rublon Auth Proxy uses the force_message_authenticator option in the configuration file (set to true by default) to safeguard against Blast-RADIUS attacks.

If you are experiencing issues with your RADIUS integration, ensure that the force_message_authenticator is set to true.

If you are using Rublon Authentication Proxy 3.5.2 or older, update to the newest available version.

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts

Rublon Authentication Proxy

Rublon Authentication Proxy – Integrations