• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer

Company · Blog · Newsletter · Events · Partner Program

Downloads      Support      Security     Admin Login
Rublon

Rublon

Secure Remote Access

  • Product
    • Regulatory Compliance
    • Use Cases
    • Rublon Reviews
    • Authentication Basics
    • What is MFA?
    • Importance of MFA
    • User Experience
    • Authentication Methods
    • Rublon Authenticator
    • Remembered Devices
    • Logs
    • Single Sign-On
    • Access Policies
    • Directory Sync
  • Solutions
    • MFA for Remote Desktop
    • MFA for Remote Access Software
    • MFA for Windows Logon
    • MFA for Linux
    • MFA for Active Directory
    • MFA for LDAP
    • MFA for RADIUS
    • MFA for SAML
    • MFA for RemoteApp
    • MFA for Workgroup Accounts
    • MFA for Entra ID
  • Customers
  • Industries
    • Financial Services
    • Investment Funds
    • Retail
    • Technology
    • Healthcare
    • Legal
    • Education
    • Government
  • Pricing
  • Docs
Contact Sales Free Trial

Multi-Factor Authentication (2FA/MFA) for Palo Alto GlobalProtect – RADIUS

June 21, 2022 By Rublon Authors

Last updated on June 11, 2025

Overview

The purpose of this document is to enable Rublon Two-Factor Authentication (2FA) for users logging in to Palo Alto GlobalProtect VPN. To achieve that using RADIUS (e.g., FreeRADIUS), you have to use Rublon Authentication Proxy, an on-premise RADIUS proxy server, which allows you to integrate Rublon with Palo Alto GlobalProtect VPN to add Two-Factor Authentication to your VPN logins.

Demo Video

Supported Authentication Methods

Authentication Method Supported Comments
Mobile Push ✔ N/A
WebAuthn/U2F Security Key – N/A
Passcode ✔ N/A
SMS Passcode – N/A
SMS Link ✔ N/A
Phone Call ✔ N/A
QR Code – N/A
Email Link ✔ N/A
YubiKey OTP Security Key ✔ N/A

Before You Start

Ensure that you have properly and fully configured your Palo Alto GlobalProtect VPN. Then, install and configure Rublon Authentication Proxy before configuring Palo Alto GlobalProtect VPN to work with it. Read Rublon Authentication Proxy and follow the steps in the Installation and Configuration sections. Afterward, follow the Configuration section in this document.

Configuration

Follow these steps to enable Rublon 2FA for Palo Alto GlobalProtect VPN.

Add RADIUS Server Profile

1. Log in to the Palo Alto administrator panel.

2. Select the Device tab and then select Server Profiles → RADIUS.

3. Click Add at the bottom of the page to add a new RADIUS server.

4. In Profile Name, enter a name for your RADIUS server, e.g., Rublon Authentication Proxy.

5. Set Timeout to 30-60 seconds (60 if you wish to use the Mobile Push authentication method).

6. Set Retries to 3.

7. In Authentication Protocol, select PAP.

Note

For users using older versions of the PAN-OS 7.x, the auth protocol can only be set in the CLI with the command:

set authentication radius-auth-type pap

8. In Servers, click Add and enter the following information.

NameEnter a name for your RADIUS server, e.g., Rublon Authentication Proxy.
RADIUS ServerEnter the IP address or hostname of your Rublon Authentication Proxy server.
SecretEnter the RADIUS_SECRET you set in the Rublon Authentication Proxy’s config file.
PortEnter the port of your Rublon Authentication Proxy server (default: 1812)

9. Click OK to save your new RADIUS server profile.

Add Authentication Profile

1. Go to Device → Authentication Profile.

2. Click Add to add a new authentication profile.

3. Fill in the form. Refer to the following image and table.

NameEnter a name for your authentication profile, e.g., Rublon Authentication Proxy.
TypeSelect RADIUS.
Server ProfileSelect the RADIUS Server Profile you have created before.
User DomainLeave empty.
Username Modifier%USERINPUT%

4. Select the Advanced tab. In the Allow List, click the Add button and select all.

5. Click OK to save your authentication profile.

Configure GlobalProtect Gateway

1. Select the Network tab.

2. Go to GlobalProtect → Gateways.

3. Click your GlobalProtect Gateway profile name to open its properties.

4. In the newly-opened window, select the Authentication tab.

5. Depending on your configuration, click the current entry under Client Authentication to modify it or create a new one by clicking the Add button.

6. Fill in the Client Authentication form with the following information.

NameEnter a descriptive name, e.g., GlobalProtect_Rublon. 
OSAny
Authentication ProfileSelect the Authentication Profile you have created before.

7. Click OK to save Client Authentication information.

8. (Optional) Thanks to this option, users who have already connected to the VPN will not have to undergo 2FA again when reconnecting. This option also limits the number of requests sent by Rublon when trying to reconnect.

  1. Select the Agent tab, and then select the Client Settings tab.
  2. Select the profile to enter its properties, and go to Authentication Override.
  3. Check both options:
  • Generate cookie for authentication override
  • Accept cookie for authentication override (this option requires you to select the SSL certificate imported to GlobalProtect)
  1. Click OK to save the changes.

9.  Click OK to save your choices and finish your GlobalProtect Gateway configuration.

Configure GlobalProtect Portal

IMPORTANT

(OPTIONAL) We recommend you leave the GlobalProtect Portal to use standard authentication methods (LDAP, AD, Local user base, etc.) only.

The GlobalProtect Gateway configuration is sufficient for Rublon 2FA to work properly. Configuring GlobalProtect Portal for Rublon 2FA is optional. If you decide to secure the GlobalProtect Portal with Rublon, users may have to authenticate twice when accessing the GlobalProtect Portal, which may disrupt the end-user experience.

1. Select the Network tab and then go to GlobalProtect → Portals.

2. Click your GlobalProtect Portal to open the properties window.

3. In the new window, select the Authentication tab and click the current entry under Client Authentication to modify it or create a new one by clicking the Add button.

4. Fill in the form. Refer to the following image and table.

NameEnter a descriptive name, e.g., GlobalProtect_Rublon. 
OSAny
Authentication ProfileSelect the Authentication Profile you have created before.

5. Click OK to save the settings. Then, click OK again to finish your GlobalProtect Portal configuration.

Commit Your Configuration

1. Click Commit in the upper-right corner of the administrator panel.

2. A new window will open for you to preview changes.

3. Click Commit to make your changes take effect.

Log in to Palo Alto GlobalProtect with Rublon 2FA

This example portrays connecting via the Palo Alto VPN client with Rublon 2FA.

  • Mobile Push has been set as the second factor in Rublon Authentication Proxy configuration (AUTH_METHOD was set to push)
  • We assume you have already installed and configured the VPN client. To download the client, log in to the GlobalProtect website and download the VPN client. Note that if you configured the GlobalProtect Portal for Rublon 2FA, you will be required to undergo Rublon 2FA authentication before downloading the client.

To log in to Palo Alto GlobalProtect with Rublon 2FA (and test your configuration):

1. Open your VPN client, enter your portal address, and click Connect.

2. Provide your username and password and click Connect.

3. You will receive a push notification on your phone. 

4. Tap APPROVE.

5. You will get connected to Palo Alto GlobalProtect.

Troubleshooting

Blast-RADIUS Vulnerability Protection

RADIUS integrations may enforce the validation of the Message-Authenticator RADIUS attribute as part of their mitigations for the Blast-RADIUS vulnerability.

The Rublon Authentication Proxy supports the Message-Authenticator attribute starting from version 3.5.3. The Rublon Auth Proxy uses the force_message_authenticator option in the configuration file (set to true by default) to safeguard against Blast-RADIUS attacks.

If you are experiencing issues with your RADIUS integration, ensure that the force_message_authenticator is set to true.

If you are using Rublon Authentication Proxy 3.5.2 or older, update to the newest available version.

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts

Rublon Authentication Proxy

Rublon Authentication Proxy – Integrations

Filed Under: Documentation

Primary Sidebar

Contents

  • Overview
  • Demo Video
  • Supported Authentication Methods
  • Before You Start
  • Configuration
    • Add RADIUS Server Profile
    • Add Authentication Profile
    • Configure GlobalProtect Gateway
    • Configure GlobalProtect Portal
    • Commit Your Configuration
  • Log in to Palo Alto GlobalProtect with Rublon 2FA
  • Troubleshooting
  • Related Posts
Try Rublon for Free
Start your 30-day Rublon Trial to secure your employees using multi-factor authentication.
No Credit Card Required


Footer

Product

  • Regulatory Compliance
  • Use Cases
  • Rublon Reviews
  • Authentication Basics
  • What is MFA?
  • Importance of MFA
  • User Experience
  • Authentication Methods
  • Rublon Authenticator
  • Remembered Devices
  • Logs
  • Single Sign-On
  • Access Policies
  • Directory Sync

Solutions

  • MFA for Remote Desktop
  • MFA for Windows Logon
  • MFA for Remote Access Software
  • MFA for Linux
  • MFA for Active Directory
  • MFA for LDAP
  • MFA for RADIUS
  • MFA for SAML
  • MFA for RemoteApp
  • MFA for Workgroup Accounts
  • MFA for Entra ID

Industries

  • Financial Services
  • Investment Funds
  • Retail
  • Technology
  • Healthcare
  • Legal
  • Education
  • Government

Documentation

  • 2FA for Windows & RDP
  • 2FA for RDS
  • 2FA for RD Gateway
  • 2FA for RD Web Access
  • 2FA for SSH
  • 2FA for OpenVPN
  • 2FA for SonicWall VPN
  • 2FA for Cisco VPN
  • 2FA for Office 365

Support

  • Knowledge Base
  • FAQ
  • System Status

About

  • About Us
  • Blog
  • Events
  • Co-funded by the European Union
  • Contact Us

  • Facebook
  • GitHub
  • LinkedIn
  • Twitter
  • YouTube

© 2025 Rublon · Imprint · Legal & Privacy · Security

  • English