Okta Classic Engine / Multi-Factor Authentication / Answered
Dates on record: 2022-01-05T16:56:04Z, 2022-01-06T18:45:38Z, 2024-03-25T11:27:08Z

p8st0 (p8st0) asked a question.

MFA Radius integration with Palo Alto VPN - no LDAP(S) as first factor?

Hello all...

Testing and researching various products to add a 2nd factor to our Palo Alto GlobalProtect clients. I don't see anywhere in the Okta documentation where their service or agent connects to AD/LDAP for a 1st factor. Tested both Duo and LoginTC, and their proxies/agents connect to your on-prem AD, and you can scope the AD groups that you want to trigger the 2nd RADIUS factor. Am I missing something, or is this the intended configuration? I realize you can scope your auth profile allow list on the Palo to specific groups, and I suppose this does suffice. Just curious if I am indeed missing something. Have not started a trial just yet; only reading/researching. Thanks in advance for any help.


Dennis


    Hello @p8st0 (p8st0),

    Thanks for posting.

    In the following diagram you will find the Okta RADIUS flow.

    [Diagram: Palo Alto RADIUS]

    First of all, the AD/LDAP integration must be configured before starting the VPN RADIUS process, and the steps go like this:

    1. User sends credentials to VPN device (Palo Alto) connected to Okta via RADIUS
    2. VPN device forwards user credentials to the Okta RADIUS Server Agent
    3. Okta RADIUS Server Agent uses Okta APIs to validate credentials
    4. Okta validates user credentials (going to AD)
    5. Okta APIs respond with MFA challenge based on configured policy
    6. RADIUS Server Agent sends challenge to VPN device
    7. VPN device presents RADIUS challenge to end user
    8. VPN device sends RADIUS challenge response to Okta RADIUS
    9. Okta RADIUS sends response to Okta APIs to be validated
    10. Okta APIs respond with correct/incorrect for the response
    11. Okta RADIUS sends ACCEPT or REJECT to the VPN device

    The first factor will always be username/password, and after authentication the chosen MFA factor will be displayed, as you mentioned, based on the groups you choose to receive the challenge.

    Palo Alto VPN configuration via RADIUS:

    https://help.okta.com/en/prod/Content/Topics/integrations/palo-alto-radius-intg.htm?Highlight=globalprotect

    Palo Alto Networks supported features and factors:

    https://help.okta.com/oie/en-us/Content/Topics/integrations/palo-alto-radius-intg-support.htm

    Let us know if this helps you.

    Daniela Chavarria.

    Okta Inc.
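The eleven-step exchange in the answer above, worked through as an added simulation; this is not code from Okta, Palo Alto, or the post. An in-memory dict stands in for on-prem AD, `OktaApiStub` stands in for the Okta APIs, the group name `mfa-required` and the fixed code `123456` are constructed, and the packets are plain Python objects carrying the RFC 2865 attribute names (`User-Name`, `User-Password`, `State`, `Reply-Message`) rather than real RADIUS wire format. The point it adds to the prose is where group scoping and the challenge `State` live: the agent only issues an Access-Challenge when the policy stub says the user's group needs it, and a State token answers exactly one challenge.

```python
"""Simulated RADIUS challenge/response round trip between a VPN device and an
Okta-style RADIUS agent.  Constructed example: an in-memory dict stands in for
AD, OktaApiStub stands in for the Okta APIs, and the MFA code is a fixed
string.  Nothing here speaks real RADIUS or contacts Okta."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SALT = b"constructed-salt"          # one shared salt keeps the sample short
MFA_GROUP = "mfa-required"          # hypothetical group that triggers the 2nd factor
VALID_OTP = "123456"                # constructed stand-in for the user's current code


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


# Constructed directory standing in for on-prem AD: username -> record
DIRECTORY = {
    "alice": {"pw": _hash_pw("correct horse"), "groups": {"vpn-users", MFA_GROUP}},
    "bob":   {"pw": _hash_pw("hunter2"),       "groups": {"vpn-users"}},
}


@dataclass
class RadiusPacket:
    """Minimal RADIUS packet: code plus the attributes the flow needs (RFC 2865 names)."""
    code: str                          # Access-Request / -Challenge / -Accept / -Reject
    attrs: dict = field(default_factory=dict)


class OktaApiStub:
    """Steps 3-5 and 9-10: validate credentials against the directory, apply the
    MFA policy, and verify the factor response.  State tokens are single-use."""

    def __init__(self) -> None:
        self.pending = {}              # state token -> username

    def authenticate(self, user: str, password: str) -> dict:
        rec = DIRECTORY.get(user)
        # compare_digest avoids leaking which byte differed via timing
        if rec is None or not hmac.compare_digest(rec["pw"], _hash_pw(password)):
            return {"status": "FAILURE"}
        if MFA_GROUP in rec["groups"]:
            token = secrets.token_hex(8)
            self.pending[token] = user
            return {"status": "MFA_REQUIRED", "stateToken": token}
        return {"status": "SUCCESS"}

    def verify_factor(self, token: str, code: str) -> dict:
        # pop(): a token answers exactly one challenge, so a captured
        # challenge response cannot be replayed after its first use
        if self.pending.pop(token, None) is None:
            return {"status": "FAILURE"}
        ok = hmac.compare_digest(code.encode(), VALID_OTP.encode())
        return {"status": "SUCCESS" if ok else "FAILURE"}


class RadiusAgent:
    """Steps 2, 6, 9 and 11: turn RADIUS packets into API calls and back."""

    def __init__(self, api: OktaApiStub) -> None:
        self.api = api

    def handle(self, req: RadiusPacket) -> RadiusPacket:
        if "State" in req.attrs:       # second leg: the user's answer to the challenge
            res = self.api.verify_factor(req.attrs["State"], req.attrs["User-Password"])
            return RadiusPacket("Access-Accept" if res["status"] == "SUCCESS" else "Access-Reject")
        res = self.api.authenticate(req.attrs["User-Name"], req.attrs["User-Password"])
        if res["status"] == "SUCCESS":
            return RadiusPacket("Access-Accept")
        if res["status"] == "MFA_REQUIRED":
            return RadiusPacket("Access-Challenge",
                                {"State": res["stateToken"], "Reply-Message": "Enter your MFA code"})
        return RadiusPacket("Access-Reject")


def vpn_login(agent: RadiusAgent, user: str, password: str, otp: Optional[str] = None) -> str:
    """Steps 1, 7 and 8 from the VPN device's side.  Returns the final RADIUS code."""
    reply = agent.handle(RadiusPacket("Access-Request",
                                      {"User-Name": user, "User-Password": password}))
    if reply.code == "Access-Challenge":
        if otp is None:                # user never answered the prompt
            return "Access-Reject"
        # The challenge response carries the user's answer in User-Password and
        # echoes State so the agent can match it to the pending challenge.
        reply = agent.handle(RadiusPacket("Access-Request",
                                          {"User-Name": user, "User-Password": otp,
                                           "State": reply.attrs["State"]}))
    return reply.code


if __name__ == "__main__":
    agent = RadiusAgent(OktaApiStub())
    print("bob, not in MFA group: ", vpn_login(agent, "bob", "hunter2"))
    print("alice, good OTP:       ", vpn_login(agent, "alice", "correct horse", "123456"))
    print("alice, bad OTP:        ", vpn_login(agent, "alice", "correct horse", "000000"))
    print("alice, wrong password: ", vpn_login(agent, "alice", "wrong", "123456"))
```

Two details are worth noting when reading real agent logs against this model: the first factor is always checked before any challenge is issued (a wrong password never reaches the MFA step, so a REJECT at that point says nothing about the second factor), and the `State` attribute is what ties the second Access-Request to the first; a device that fails to echo it back will be rejected even with a correct code.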
This question is closed.