Palo Alto VPN Configuration Guide With Okta
Overview

This article presents information about:

  • Supported Okta features
  • Configure Okta
  • Configure the Palo Alto VPN device
  • Test the connection
  • End-user experience
  • Additional resources

A version of this document exists on Okta's help portal.

Okta and Palo Alto virtual VPN devices interoperate through the Okta RADIUS Agent. The agent translates the RADIUS authentication requests coming from the VPN device into Okta API calls.

How Palo Alto VPN works at a high level: each GlobalProtect gateway can be assigned one or more authentication providers. Each authentication provider maps to an authentication server profile, such as RADIUS, TACACS+, or LDAP.

NOTE: This guide uses a Palo Alto VM-series device, a virtual form factor. The interfaces should be consistent across Palo Alto products, but Okta cannot guarantee this for products other than the VM-series.
 

Supported Okta Features

  • Authentication with Okta Credentials via RADIUS: Yes
  • Authentication with Okta Credentials via SAML: No. Palo Alto VPN does not support SAML.
  • Multi-Factor Authentication via RADIUS: Yes. The Palo Alto test utility fails, but the VPN client succeeds.
  • Multi-Factor Authentication via SAML: No. Palo Alto VPN does not support SAML.
  • Group memberships/Attributes via RADIUS: No


Applies To
  • RADIUS Integrations
  • Palo Alto VPN
  • Multi-Factor Authentication (MFA)
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
Solution
  1. Configure Okta

Download and install the RADIUS agent as described in Installing the Okta RADIUS Agent.
 

  2. Configure the Palo Alto VPN Device

    Process Overview:

      1. Set up a RADIUS Server Profile that points to the Okta RADIUS Agent.
      2. Create an Okta Authentication Provider that uses the RADIUS Server Profile.
      3. Configure the GlobalProtect Gateway to use the Authentication Provider for login.

    Procedure:

      1. Log in to the Palo Alto Admin interface as a user with admin rights.
      2. Go to Device > Server Profiles > RADIUS to create a RADIUS Server Profile.
      3. Click Add.
         (Screenshot: Palo Alto admin GUI)
      4. Enter the information specific to the Okta RADIUS Agent, including the server IP or FQDN, the shared secret, and the port.
      5. Click OK.
         (Screenshot: RADIUS server profile UI)
      6. Go to Device > Authentication Profile to create an Authentication Profile.
      7. Click Add.
         (Screenshot: Palo Alto admin page)
      8. Enter a Name for the profile.
      9. Select RADIUS as the type, and select the RADIUS Server Profile created above.
      10. Uncheck "Retrieve user group from RADIUS."
      11. Leave the defaults for the remainder of this screen.
      12. Click the Advanced tab.
      13. Add the groups that should have access, or add the "All" group.
      14. Click OK.
      15. Go to Network > Gateways to link the Authentication Profile to the GlobalProtect Gateway.
         (Screenshot: Palo Alto Gateway settings)
      16. Select the Gateway that supports Okta RADIUS Authentication.
      17. Click the General tab.
      18. Change the Authentication Profile to the Okta RADIUS profile that was just created.

 

  3. Test the configuration

Palo Alto provides an authentication test command.

  1. Log in to a terminal or SSH client such as PuTTY.
  2. SSH into the Palo Alto CLI as admin.
  3. Run the following command:
    test authentication authentication-profile "authentication profile name" username <username> password

Successful command output:

    (Screenshot: successful command output)

NOTE: Palo Alto attempts CHAP first, then falls back to PAP. This order is hardcoded; the integration works as expected with it.
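As an added example (not code from the Okta article or from Palo Alto), the following Python builds the PAP Access-Request that the firewall falls back to, shows how the shared secret hides the User-Password (RFC 2865) and authenticates the agent's reply, and can probe the Okta RADIUS Agent from any host before the firewall is pointed at it. The NAS address 192.0.2.10, identifier 7, port 1812 and the 60 s timeout are assumed values, not taken from the article.

```python
import hashlib, hmac, os, socket, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4        # attribute types used here

def hide_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(1, -(-len(password) // 16)) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(username, password, secret, ident=0, authenticator=b""):
    """Header Code(1) Identifier(1) Length(2) Request Authenticator(16), then Type-Length-Value attributes."""
    ra = authenticator or os.urandom(16)          # fresh per request; it keys the password hiding
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_pap_password(password.encode(), secret.encode(), ra)),
             (NAS_IP_ADDRESS, socket.inet_aton("192.0.2.10"))]   # constructed NAS address
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body

def parse_packet(data: bytes) -> dict:
    """Split a RADIUS packet into header fields and a {type: [values]} attribute map."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        l = data[pos + 1] if pos + 1 < length else 0
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(data[pos], []).append(data[pos + 2:pos + l])
        pos += l
    return {"code": code, "id": ident, "authenticator": data[4:20], "attrs": attrs}

def reply_is_authentic(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def probe_agent(host, secret, username, password, port=1812):   # 1812 assumed; use the agent's port
    req = build_access_request(username, password, secret, ident=7)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(60)                           # generous: an Okta MFA push may be pending
        s.sendto(req, (host, port))
        reply = s.recv(4096)
    if reply[1] != 7 or not reply_is_authentic(reply, req[4:20], secret.encode()):
        raise ValueError("reply identifier mismatch or not signed with the shared secret")
    return parse_packet(reply)["code"]               # 2 = Access-Accept, 3 = Access-Reject
```

A reply that fails reply_is_authentic is the symptom of a shared-secret mismatch between the RADIUS Server Profile and the agent, and is worth ruling out before looking at Okta policy.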
 

  4. Multi-Factor Authentication with Palo Alto VPN

To turn on MFA for the RADIUS agent, use the Okta Sign-On Policy.

  1. In the Okta Admin UI, go to Security > Policies > Okta Sign-On Policy.
  2. Using the steps outlined in Configuring Sign-On Policies, create a policy with a rule that enforces MFA for RADIUS authentications.

 

  5. End-user experience

The end-user experience depends on the chosen authentication method. End users access the VPN through the GlobalProtect client. Choices include single-factor and Multi-Factor Authentication methods.

    End-user experience: single-factor authentication

      1. Launch GlobalProtect.
      2. Select File > Connect.
      3. Enter the Okta username and password.
      4. Click Logon.

    End-user experience: Multi-Factor Authentication

      1. Launch GlobalProtect.
      2. Enter the Okta username and password.
      3. Click Logon.
      4. Answer the request for a second authentication factor. This menu depends on the MFA factors that the end user has selected, not on which factors are active in the org.
      5. Perform the action associated with the MFA factor chosen.

    (Screenshot: GlobalProtect VPN)

 
