Palo Alto VPN Configuration Guide
Published: Feb 25, 2016   -   Updated: Jun 22, 2018

Overview

A version of this document exists on our help portal

Okta and Palo Alto GlobalProtect VPN devices interoperate through the Okta RADIUS Agent. The agent translates the RADIUS authentication requests sent by the VPN device into Okta API calls, so the firewall never talks to Okta directly; it talks RADIUS to the agent, and the agent talks HTTPS to Okta.

How Palo Alto VPN authentication works at a high level: each GlobalProtect gateway can be assigned one or more authentication profiles. Each authentication profile maps to an authentication server profile, which can be RADIUS, TACACS+, LDAP, and so on. For Okta, the server profile is a RADIUS profile that points at the Okta RADIUS Agent.

Note: This guide uses a Palo Alto VM-Series device, a virtual form factor. The interfaces should be the same on other form factors, but Okta cannot guarantee identical behavior on Palo Alto products other than the one tested here.

Supported Okta Features

Feature                                          Supported   Notes
Authentication with Okta credentials via RADIUS  Yes
Authentication with Okta credentials via SAML    No          Palo Alto VPN does not support SAML.
Multi-factor authentication via RADIUS           Yes         The PAN-OS test authentication command fails under MFA; the GlobalProtect client succeeds.
Multi-factor authentication via SAML             No          Palo Alto VPN does not support SAML.
Group memberships/attributes via RADIUS          No

Configure Okta

Download and install the RADIUS agent according to Installing the Okta RADIUS Agent. Note the agent's IP address or FQDN, its listening port, and the shared secret you configure; you will enter the same values on the firewall.

Configure the Palo Alto VPN Device

Process Overview:

  • Set up a RADIUS Server Profile that points to your Okta RADIUS Agent.
  • Create an Authentication Profile that uses the RADIUS Server Profile.
  • Configure the GlobalProtect Gateway to use the Authentication Profile for login.

Procedure:

  1. Log into the Palo Alto admin interface as a user with admin rights.
  2. Go to Device > Server Profiles > RADIUS to create a RADIUS Server Profile.
  3. Click Add.
Screenshot: Create RADIUS server profile.
  4. Enter the information specific to your Okta RADIUS Agent: the server IP address or FQDN, the shared secret, and the port. Use a long, random shared secret; with PAP, the protection of the user's password between the firewall and the agent rests on it.
  5. Click OK.
Screenshot: Enter RADIUS Agent details.
  6. Go to Device > Authentication Profile to create an authentication profile.
  7. Click Add.
Screenshot: Authentication profile details.
  8. Enter a Name for the profile.
  9. Select RADIUS as the type, and select the RADIUS Server Profile that you created above.
  10. Uncheck "Retrieve user group from RADIUS." The Okta RADIUS Agent does not return group membership (see Supported Okta Features above).
  11. Leave the defaults for the remainder of this screen.
  12. Click the Advanced tab.
  13. Under Allow List, add the groups that should have access, or the "all" group.
  14. Click OK.
  15. Go to Network > GlobalProtect > Gateways to link the Authentication Profile to the GlobalProtect Gateway.
Screenshot: Link the authentication profile to the GlobalProtect gateway.
  16. Select the Gateway that will use Okta RADIUS authentication.
  17. Click the General tab.
  18. Change the Authentication Profile to the Okta RADIUS profile that you just created.

Test the configuration

Palo Alto provides an authentication test command.
  1. Open a terminal or an SSH client such as PuTTY.
  2. SSH into the Palo Alto CLI as admin.
  3. Run the following command, substituting your authentication profile name and a test username (the CLI prompts for the password):
test authentication authentication-profile "<authentication profile name>" username <username> password
  4. Successful command output:
Screenshot: Successful PA test command output.
Note: The output shows that PAN-OS attempts CHAP first and then falls back to PAP. This order is hardcoded; the fallback is expected and the integration works. Because the request that succeeds is PAP, the user's password crosses the network to the RADIUS agent protected only by RADIUS User-Password hiding (MD5 keyed on the shared secret, RFC 2865 section 5.2), so keep the firewall-to-agent path on a trusted network and use a strong shared secret. When MFA is enforced, this command reports failure because it does not complete the second-factor prompt; verify MFA end to end with the GlobalProtect client instead.

Multi-factor authentication with Palo Alto VPN

To turn on MFA for the RADIUS agent, use the Okta Sign-On Policy.
  1. In the Okta Admin UI, go to Security > Policies > Okta Sign-On Policy.
  2. Create a policy with a rule that enforces MFA for RADIUS authentications using steps outlined in knowledge base article Configuring Sign On Policies.

End user experience

Your end users' experience depends on the authentication method chosen. End users access the VPN through the GlobalProtect client. Authentication choices include single-factor and multi-factor methods.


End user experience: single factor authentication

  1. Launch the GlobalProtect client.
  2. Select File > Connect.
  3. Enter your Okta username and password.
  4. Click Logon.

End user experience - multi-factor authentication

  1. Launch the GlobalProtect client.
  2. Enter your Okta username and password.
  3. Click Logon.
  4. Answer the request for a second authentication factor. The factors offered depend on which MFA factors the end user has enrolled, not on which factors are active in the org.
  5. Perform the action associated with the chosen MFA factor.
Screenshot: Select a multi-factor authentication method: Okta Verify or Okta Verify Push.
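The CHAP-then-PAP note in the test section and the second-factor prompt in the MFA flow above are both RADIUS mechanics that are easier to reason about on the wire. The following is an added example, not code from the original page and not Okta's or Palo Alto's code: a small Python model of the firewall-to-agent exchange. FakeOktaAgent is a constructed stand-in for the RADIUS agent, the credentials, shared secret and one-time code are made up, and forged_accept is a hypothetical on-path attacker. It is assumed, as a general RADIUS mechanism rather than a fact stated on this page, that the agent prompts for the second factor with an Access-Challenge carrying a State attribute and expects the code back in User-Password. The example shows why PAP is acceptable here only with a strong shared secret on a trusted path (the password is hidden by XOR with MD5 keyed on the secret, RFC 2865 section 5.2), why a client that never answers the challenge reports failure under MFA while the GlobalProtect client succeeds, and how the Response Authenticator lets the firewall drop an Access-Accept forged by someone who lacks the secret.

```python
"""Constructed RADIUS exchange between a GlobalProtect-style NAS and a stand-in for the
Okta RADIUS Agent. Names, secrets and one-time codes are made up; not Okta's or Palo Alto's code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, request_auth):  # the server side of hide_password
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):  # (type, value) pairs -> RADIUS TLVs
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code|ID|Length|RequestAuth|Attributes|Secret); lets the NAS drop forged replies."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()

class FakeOktaAgent:
    """Stand-in for the RADIUS agent: PAP password check, then a second factor over Access-Challenge."""
    USERS = {b"alice@example.com": b"Correct-Horse-42"}  # constructed credentials
    OTP = b"123456"  # constructed stand-in for an Okta Verify code

    def __init__(self, secret):
        self.secret, self.pending = secret, {}  # pending: State -> user awaiting the code

    def handle(self, pkt):
        code, ident, req_auth, attrs = parse_packet(pkt)
        a = dict(attrs)
        def reply(c, extra=()):
            return build_packet(c, ident, response_authenticator(c, ident, list(extra), req_auth, self.secret), list(extra))
        user = a.get(USER_NAME, b"")
        cleartext = unhide_password(a.get(USER_PASSWORD, b""), self.secret, req_auth)
        if STATE in a:  # second leg: the one-time code travels in User-Password
            ok = self.pending.pop(a[STATE], None) == user and hmac.compare_digest(cleartext, self.OTP)
            return reply(ACCESS_ACCEPT if ok else ACCESS_REJECT)
        if not hmac.compare_digest(self.USERS.get(user, b""), cleartext):
            return reply(ACCESS_REJECT)
        state = os.urandom(8)
        self.pending[state] = user
        return reply(ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Enter your Okta Verify code"), (STATE, state)])

def forged_accept(pkt):  # hypothetical on-path attacker without the secret: Access-Accept to everything
    return build_packet(ACCESS_ACCEPT, parse_packet(pkt)[1], os.urandom(16), [])

def nas_login(send, secret, user, password, otp=None):
    """Firewall side. send(pkt) -> reply; otp=None models a client that cannot answer a challenge."""
    def round_trip(ident, pw, state):
        req_auth = os.urandom(16)
        attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(pw, secret, req_auth))]
        if state is not None:
            attrs.append((STATE, state))
        code, rid, auth, rattrs = parse_packet(send(build_packet(ACCESS_REQUEST, ident, req_auth, attrs)))
        expected = response_authenticator(code, rid, rattrs, req_auth, secret)
        if rid != ident or not hmac.compare_digest(auth, expected):
            return ACCESS_REJECT, {}  # reply is not bound to our request and our secret
        return code, dict(rattrs)
    code, attrs = round_trip(1, password, None)
    if code == ACCESS_CHALLENGE:
        if otp is None:
            return ACCESS_CHALLENGE  # prompt never answered: no session, reported as failure
        code, _ = round_trip(2, otp, attrs[STATE])
    return code
```

Calling nas_login(agent.handle, secret, user, password, otp) with the right code returns ACCESS_ACCEPT; leaving otp out stops at ACCESS_CHALLENGE, which is the shape of the "test utility fails, client succeeds" behaviour. Passing a different secret on the firewall side fails twice over: the agent unhides garbage instead of the password, and the firewall rejects the reply because its Response Authenticator no longer verifies. Real deployments add Message-Authenticator (RFC 2869) on top of this; the model leaves it out to keep the RFC 2865 mechanics visible.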

Learn more about MFA in the MFA End User FAQ.

Additional resources