Last updated on March 8th, 2023
Overview
The purpose of this document is to enable Rublon Two-Factor Authentication (2FA) for users logging in to Palo Alto GlobalProtect VPN. To achieve that using RADIUS (e.g., FreeRADIUS), you have to use Rublon Authentication Proxy, an on-premise RADIUS proxy server, which allows you to integrate Rublon with Palo Alto GlobalProtect VPN to add Two-Factor Authentication to your VPN logins.
Supported Authentication Methods
| Authentication Method | Supported | Comments |
| --- | --- | --- |
| Mobile Push | ✔ | N/A |
| WebAuthn/U2F Security Keys | – | N/A |
| Mobile Passcodes | ✔ | N/A |
| SMS Passcodes | – | N/A |
| QR Codes | – | N/A |
| Email Links | ✔ | N/A |
| YubiKey OTP Security Keys | – | N/A |
Before You Start
Ensure that you have properly and fully configured your Palo Alto GlobalProtect VPN. Then, install and configure Rublon Authentication Proxy before configuring Palo Alto GlobalProtect VPN to work with it. Read the Rublon Authentication Proxy documentation and follow the steps in its Installation and Configuration sections. Afterward, follow the Configuration section in this document.
Configuration
Follow these steps to enable Rublon 2FA for Palo Alto GlobalProtect VPN.
Add RADIUS Server Profile
1. Log in to the Palo Alto administrator panel.
2. Select the Device tab and then select Server Profiles → RADIUS.

3. Click Add at the bottom of the page to add a new RADIUS server.

4. In Profile Name, enter a name for your RADIUS server, e.g., Rublon Authentication Proxy.
5. Set Timeout to 30-60 seconds (60 if you wish to use the Mobile Push authentication method).
6. Set Retries to 3.
7. In Authentication Protocol, select PAP.
Note
On older PAN-OS 7.x versions, the authentication protocol can only be set in the CLI, using the command:
set authentication radius-auth-type pap
8. In Servers, click Add and enter the following information.
| Name | Enter a name for your RADIUS server, e.g., Rublon Authentication Proxy. |
| RADIUS Server | Enter the IP address or hostname of your Rublon Authentication Proxy server. |
| Secret | Enter the RADIUS_SECRET you set in the Rublon Authentication Proxy’s config file. |
| Port | Enter the port of your Rublon Authentication Proxy server (default: 1812) |

9. Click OK to save your new RADIUS server profile.
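What the PAP and Secret settings above mean on the wire, as an added example that is not Rublon's or Palo Alto's code: with PAP, the RADIUS client hides the User-Password attribute with an MD5 keystream derived from the shared secret (RFC 2865, section 5.2). If the Secret on the firewall differs from RADIUS_SECRET on the proxy, the proxy decodes different bytes and the login fails even though the user typed the correct password. The password and secret values below are constructed.

```python
# Added example: RFC 2865 section 5.2 User-Password hiding, as used with PAP.
import hashlib
import os


def _xor_block(block: bytes, secret: bytes, prev: bytes) -> bytes:
    # Keystream block b_i = MD5(shared secret + previous ciphertext block or authenticator)
    key = hashlib.md5(secret + prev).digest()
    return bytes(a ^ b for a, b in zip(block, key))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS client side (the firewall): build the User-Password value."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to 16-byte blocks
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor_block(padded[i:i + 16], secret, prev)
        out += prev
    return out


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server side (the proxy): decode with its own copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor_block(block, secret, prev)
        prev = block
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    ra = os.urandom(16)                      # Request Authenticator, new per request
    password = b"constructed-Passw0rd"       # constructed sample value
    hidden = hide_password(password, b"constructed-secret-A", ra)
    # Same secret on both sides: the proxy sees the real password.
    print(recover_password(hidden, b"constructed-secret-A", ra))
    # Mismatched secret: no protocol error, just wrong bytes and a failed login.
    print(recover_password(hidden, b"constructed-secret-B", ra))
```

The password's confidentiality on the path between firewall and proxy rests entirely on this shared secret, so use a long random value for RADIUS_SECRET and keep the RADIUS traffic on a trusted network segment.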
Add Authentication Profile
1. Go to Device → Authentication Profile.

2. Click Add to add a new authentication profile.
3. Fill in the form. Refer to the following image and table.

| Name | Enter a name for your authentication profile, e.g., Rublon Authentication Proxy. |
| Type | Select RADIUS. |
| Server Profile | Select the RADIUS Server Profile you have created before. |
| User Domain | Leave empty. |
| Username Modifier | %USERINPUT% |
4. Select the Advanced tab. In the Allow List, click the Add button and select all.

5. Click OK to save your authentication profile.
Configure GlobalProtect Gateway
1. Select the Network tab.
2. Go to GlobalProtect → Gateways.

3. Click your GlobalProtect Gateway profile name to open its properties.
4. In the newly-opened window, select the Authentication tab.

5. Depending on your configuration, click the current entry under Client Authentication to modify it or create a new one by clicking the Add button.
6. Fill in the Client Authentication form with the following information.

| Name | Enter a descriptive name, e.g., GlobalProtect_Rublon. |
| OS | Any |
| Authentication Profile | Select the Authentication Profile you have created before. |
7. Click OK to save Client Authentication information.
8. (Optional) Enable Authentication Override. With this option, users who have already connected to the VPN will not have to undergo 2FA again when reconnecting. This option also limits the number of requests sent by Rublon when trying to reconnect.
- Select the Agent tab, and then select the Client Settings tab.
- Select the profile to enter its properties, and go to Authentication Override.
- Check both options:
  - Generate cookie for authentication override
  - Accept cookie for authentication override (this option requires you to select the SSL certificate imported to GlobalProtect)
- Click OK to save the changes.

9. Click OK to save your choices and finish your GlobalProtect Gateway configuration.
Configure GlobalProtect Portal
IMPORTANT
This section is optional.
We recommend you leave the GlobalProtect Portal to use standard authentication methods (LDAP, AD, Local user base, etc.) only.
The GlobalProtect Gateway configuration is sufficient for Rublon 2FA to work properly. Configuring GlobalProtect Portal for Rublon 2FA is optional. If you decide to secure the GlobalProtect Portal with Rublon, users may have to authenticate twice when accessing the GlobalProtect Portal, which may disrupt the end-user experience.
1. Select the Network tab and then go to GlobalProtect → Portals.

2. Click your GlobalProtect Portal to open the properties window.
3. In the new window, select the Authentication tab and click the current entry under Client Authentication to modify it or create a new one by clicking the Add button.

4. Fill in the form. Refer to the following image and table.

| Name | Enter a descriptive name, e.g., GlobalProtect_Rublon. |
| OS | Any |
| Authentication Profile | Select the Authentication Profile you have created before. |
5. Click OK to save the settings. Then, click OK again to finish your GlobalProtect Portal configuration.
Commit Your Configuration

1. Click Commit in the upper-right corner of the administrator panel.
2. A new window will open for you to preview changes.
3. Click Commit to make your changes take effect.
Log in to Palo Alto GlobalProtect with Rublon 2FA
This example shows connecting through the Palo Alto VPN client with Rublon 2FA, under the following assumptions:
- Mobile Push has been set as the second factor in Rublon Authentication Proxy configuration (AUTH_METHOD was set to push)
- We assume you have already installed and configured the VPN client. To download the client, log in to the GlobalProtect website and download the VPN client. Note that if you configured the GlobalProtect Portal for Rublon 2FA, you will be required to undergo Rublon 2FA authentication before downloading the client.
To log in to Palo Alto GlobalProtect with Rublon 2FA (and test your configuration):
1. Open your VPN client, enter your portal address, and click Connect.

2. Provide your username and password and click Connect.

3. You will receive a push notification on your phone.

4. Tap APPROVE.
5. You will get connected to Palo Alto GlobalProtect.

Troubleshooting
If you encounter any issues with your Rublon integration, please contact Rublon Support.
