Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey


Description

Integration guide for Palo Alto Networks next-generation firewalls running PANOS 5.0 with Cisco SecureACS 4 using RADIUS vendor-specific attributes (VSAs). The second section describes how to integrate Yubikey OTP authentication with the Palo Alto Networks firewall.

Transcript of Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

Page 1: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

Palo Alto Networks Authentication (Yubikey OTP, GlobalProtect, Role-based authentication)

Alberto Rivai

Page 2: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

Palo Alto Networks Firewall Radius authentication – Cisco SecureACS 4.2

Background

In most enterprise deployments, centralized authentication is one of the main requirements for any network or security device, and RADIUS is the most popular mechanism for providing it. This paper provides a configuration guide and a worked example.

Pre-requisites

- Palo Alto Networks firewall running PANOS 4.1 and above, or VM-Series
- Cisco SecureACS 4.1
- Microsoft Windows Server 2008

The procedure comprises two main parts: the Cisco SecureACS configuration and the Palo Alto Networks RADIUS authentication configuration.

Cisco SecureACS configuration

1. Importing RADIUS Vendor Specific Attributes into Cisco SecureACS

a) Download the Palo Alto Networks VSA from the below link

https://live.paloaltonetworks.com/docs/DOC-1511

b) Copy the ini file into the Utils folder of the ACS server

c) Run the CSUtil utility to import the VSA into ACS with the command below:

Page 3: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

CSUtil.exe -addUDV 0 "C:\Program Files\CiscoSecure ACS v4.2\Utils\PaloAltoVSA.ini"

d) Add the Palo Alto Networks firewall as an AAA client in the ACS server and select "Authenticate Using RADIUS (PALOALTO)".

e) Select Interface Configuration and choose RADIUS (PALOALTO).

Page 4: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

f) Select the attributes and click Submit

Now that the VSAs have been imported, the next step is to configure the group settings and import group and user information from Microsoft Active Directory.

g) Select External User Database

Page 5: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

h) Select Windows Database

i) Choose the domain name, in this example MYLAB, then click Add Mapping. In this example we've created an AD group called "testgroup" in Active Directory; the members of this group are the administrators or users that we want to give access to the firewall.

Page 6: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

j) Click Add to selected, then map "testgroup" to an ACS group; in this example we've mapped "testgroup" to Group 1. Click Submit.

Page 7: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

k) The next step is to edit the attributes on the ACS Group, in this example Group 1. Click on the Group Setup, choose Group 1, then click Edit Settings

l) Jump to RADIUS (PALOALTO) section

Page 8: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

m) Select PaloAlto-Admin-Role and PaloAlto-User-Group. In this example the PaloAlto-Admin-Role value is "testrole"; this "testrole" needs to be added in the Palo Alto Networks Admin Role configuration. PaloAlto-User-Group is the group that we've imported into the ACS server, "testgroup". Click Submit + Restart.

Page 9: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

Now that the Cisco SecureACS has been configured, the next part is to configure the Palo Alto Networks RADIUS profile.

Configuring the Palo Alto Networks firewall RADIUS profile

1. Create a RADIUS server profile.

Check the Retrieve User Group option, and check Administrator Use Only to use this profile for administrator authentication only. There is a RADIUS VSA, PaloAlto-User-Group, that the RADIUS server can use to pass the group information. If the RADIUS server returns this VSA and the Retrieve User Group option is checked, the group name carried in the VSA is checked against the allow list of the authentication profile. You can enter the group names manually in the authentication profile.

Page 10: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

2. Create a new Authentication Profile

The Allow List specifies the users and groups that are explicitly allowed to authenticate. You can leave the Allow List as "ALL" to allow any group. The group name can be typed in manually; it must match the PaloAlto-User-Group VSA configured in the ACS server AND the group name in the Active Directory server. In this example the group name is "testgroup".

3. Create a new admin role

This role is what grants the privileges to the user logging in. Its name must match the value of the PaloAlto-Admin-Role VSA in step 1m; in this example the role name is "testrole".

Page 11: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

4. Configure Authentication Settings

Apply the authentication profile to the Palo Alto Networks device or Panorama. This is done at Device > Setup > Management > Authentication Profile on the device and at Panorama > Setup > Management > Authentication Profile on Panorama.

a. Test login to the Web UI using one of the members of the "testgroup" group.

Page 12: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

b. To troubleshoot authentication and authorization, check authd.log by running the following CLI command:

tail follow yes mp-log authd.log

Page 13: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

Radius Authentication for GlobalProtect

To configure GlobalProtect, follow the GlobalProtect configuration tech note (https://live.paloaltonetworks.com/docs/DOC-2020). For the steps below to work, you need to have successfully completed the first section, the RADIUS authentication configuration.

1. Create a new Authentication profile, in this example Radius VPN. Type the VPN group manually in the Allow list section; this group must have the same name as the VPN group configured in Active Directory/Secure ACS. Choose RADIUS as the Authentication method and CiscoACS, created in step 2a, as the Server Profile.

2. Create a new External User Databases in Secure ACS. Create a new mapping and select “vpngroup” group from Active Directory.

Page 14: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

3. Edit the VPNGroup setting in Secure ACS and select the RADIUS (PALOALTO) attributes configuration. Select "PaloAlto-User-Group" and type in "vpngroup". Click Submit + Restart.

4. Go back to the Palo Alto Networks WebUI and go to Network->GlobalProtect->Portals. Choose the portal name and select “RadiusVPN” created in step 1 as the authentication profile.

Page 15: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

5. Go to Gateway configuration and choose the gateway name, select “RadiusVPN” created in step 1 as the authentication profile.

Page 16: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

Yubikey OTP authentication with YubiRadius

Pre-requisites

- Palo Alto Networks Firewall running PANOS 4.1 and above, or VM-Series
- GlobalProtect Client (for VPN)
- Yubiradius 3.6.1
- Yubikey
- Windows 2008 Enterprise

Background

YubiKey is a tough little chunk of plastic with a USB connector on one end and a touch-sensitive (no moving parts) button on top. Each time you touch the button it sends a static password and a dynamically generated one-time password to whatever application is listening for its input. If a spy program captures the password, so what: that particular one-time password will never be valid again. Yubikey is an alternative OTP solution and much cheaper than RSA SecurID.

The purpose of this paper is to provide an integration guide between Yubikey (USB token), YubiRadius (a FreeRADIUS virtual appliance with built-in Yubikey support) and the Palo Alto Networks firewall. This paper also serves as a proof-of-concept document for integrating a two-factor authentication solution with the Palo Alto Networks firewall through the RADIUS protocol.

The first section of this document authenticates the Yubikey using YubiRadius, and the second section uses FreeRADIUS with the pam_yubico module.

Both methods authenticate against the Yubicloud authentication server. The on-premise validation system is out of scope.

Page 17: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

Test Setup

- Palo Alto Networks firewall PA-200
- Yubiradius 3.6.1
- Yubikey v1
- Windows 2008 Enterprise

Yubiradius 3.6.1 Installation/configuration

To get the solution into a functional state, these steps are required:

1. Add a domain to the Yubiradius.
2. Create and configure users in a directory service (AD/LDAP).
3. Configure the various global configuration parameters.
4. Import users from the AD server to the domain.
5. Add the RADIUS client (e.g. a Cisco ASA) to the FreeRADIUS server installed on the virtual appliance, so that the FreeRADIUS server accepts RADIUS authentication requests from that client.
6. Start the FreeRADIUS server.
7. Check connectivity to the Yubicloud.

Page 18: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

Add a domain to the Yubiradius

1. Make sure you have connectivity to the internet, since this section uses Yubicloud to verify the OTP.
2. Log in to the web console at https://<ip address of Yubiradius>.
3. Use the default password for root, which is yubico.
4. Go to the Domain tab.
5. Add a domain; in this test we're using mylab.com.
6. Leave the General tab under the Global Configuration tab at its defaults.

Page 19: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

Import users from the AD server to the domain

1. Access the domain configuration and click on the Users Import tab.
2. Once you have filled in the necessary parameters, click Import users.
3. Go to Users/Groups to confirm the user import.
4. Click on the user to whom you want to assign a new Yubikey, then click Assign a new Yubikey.

Page 20: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

Add the RADIUS client

1. Go to the domain configuration, click on the Configuration tab and add the RADIUS client and the shared secret.
2. Leave everything else at the defaults.

Page 21: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

Add Vendor Specific Attributes in the YubiRadius

1. SSH to the YubiRadius.

2. Add the new dictionary file below in the /usr/share/freeradius folder.

3. Reference the new dictionary file from the main dictionary file /usr/share/freeradius/dictionary by adding the line below after $INCLUDE dictionary.nokia.

4. Edit the users file /etc/freeradius/users and add the lines below under DEFAULT Auth-Type = pap.

Note: I haven't found a way to dynamically return the attributes based on LDAP group; this will be included in version 2 of this document.

Dictionary file dictionary.paloalto (step 2):

# dictionary.paloalto
VENDOR PaloAlto 25461
BEGIN-VENDOR PaloAlto

ATTRIBUTE PaloAlto-Admin-Role 1 string
# PaloAlto-Admin-Role is the name of the role for the user
# it can be the name of a custom Admin role profile configured on the
# Palo Alto Networks device or one of the following predefined roles
# superuser : Superuser
# superreader : Superuser (read-only)
# deviceadmin : Device administrator
# devicereader : Device administrator (read-only)
# vsysadmin : Virtual system administrator
# vsysreader : Virtual system administrator (read-only)

ATTRIBUTE PaloAlto-Admin-Access-Domain 2 string
# PaloAlto-Admin-Access-Domain is the name of the access domain object defined
# on the Palo Alto Networks device

ATTRIBUTE PaloAlto-Panorama-Admin-Role 3 string
# PaloAlto-Panorama-Admin-Role is the name of the role for the user
# it can be the name of a custom Admin role profile configured on the
# Panorama server or one of the following predefined roles
# superuser : Superuser
# superreader : Superuser (read-only)
# panorama-admin : Panorama administrator

ATTRIBUTE PaloAlto-Panorama-Admin-Access-Domain 4 string
# PaloAlto-Panorama-Admin-Access-Domain is the name of the access domain
# object defined on the Panorama server

ATTRIBUTE PaloAlto-User-Group 5 string
# PaloAlto-User-Group is the name of the group of users that can be used in
# allow lists in authentication profiles for access control purposes
#
END-VENDOR PaloAlto

Line to add to the main dictionary file after $INCLUDE dictionary.nokia (step 3):

$INCLUDE dictionary.paloalto

Entry for the users file (step 4):

DEFAULT Auth-Type = pap
        PaloAlto-Admin-Role = "PAAdmin",
        PaloAlto-User-Group = "VPNgroup",
        Service-Type = Login-User
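On the wire, every attribute from dictionary.paloalto travels inside an RFC 2865 Vendor-Specific attribute (type 26) tagged with vendor id 25461. The Python below is an added example, not code from the original document, from Palo Alto Networks or from FreeRADIUS: it encodes the two attributes from the users entry above, parses them back out of an Access-Accept attribute list, and models the Allow List and Admin Role checks described in both the SecureACS section and this YubiRadius section. The sample reply, the allow lists and the role names are constructed.

```python
import struct

# Vendor id and attribute numbers exactly as declared in dictionary.paloalto above.
PALOALTO_VENDOR_ID = 25461
VSA_NUM = {"PaloAlto-Admin-Role": 1, "PaloAlto-User-Group": 5}
VSA_NAME = {num: name for name, num in VSA_NUM.items()}
VENDOR_SPECIFIC = 26  # RFC 2865 attribute type that wraps every vendor attribute

def encode_vsa(name, value):
    """Type(26) | Length | Vendor-Id(4) | Vendor-Type | Vendor-Length | String."""
    data = value.encode()
    inner = struct.pack("!BB", VSA_NUM[name], 2 + len(data)) + data
    body = struct.pack("!I", PALOALTO_VENDOR_ID) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def decode_paloalto_vsas(attrs):
    """Walk the attribute list that follows the 20-byte RADIUS header and return the
    PaloAlto VSAs as name -> value; attributes of other types/vendors are skipped."""
    found, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, alen = attrs[i], attrs[i + 1]
        if atype == VENDOR_SPECIFIC and alen >= 8:
            (vendor_id,) = struct.unpack("!I", attrs[i + 2:i + 6])
            vtype, vlen = attrs[i + 6], attrs[i + 7]
            if vendor_id == PALOALTO_VENDOR_ID:
                if vlen < 2 or 6 + vlen > alen:
                    raise ValueError("malformed vendor length at offset %d" % i)
                name = VSA_NAME.get(vtype, "PaloAlto-Unknown-%d" % vtype)
                found[name] = attrs[i + 8:i + 6 + vlen].decode()
        i += alen
    return found

def authorize_admin(reply, allow_list, admin_roles):
    """Model the two checks the text describes: PaloAlto-User-Group must be in the
    profile's Allow List (or the list is 'all') and PaloAlto-Admin-Role must name an
    existing Admin Role profile. Returns (allowed, reason)."""
    group, role = reply.get("PaloAlto-User-Group"), reply.get("PaloAlto-Admin-Role")
    if not any(g.lower() == "all" for g in allow_list) and group not in allow_list:
        return False, "group %r is not in the allow list" % group
    if role not in admin_roles:
        return False, "no Admin Role profile named %r" % role
    return True, "login permitted with role %r" % role

# Constructed Access-Accept attribute list matching the users entry above:
# Service-Type = Login-User (type 6, value 1) followed by the two PaloAlto VSAs.
SAMPLE_REPLY = (struct.pack("!BBI", 6, 6, 1)
                + encode_vsa("PaloAlto-Admin-Role", "PAAdmin")
                + encode_vsa("PaloAlto-User-Group", "VPNgroup"))
```

Running decode_paloalto_vsas(SAMPLE_REPLY) returns the two names and values from the users entry, and authorize_admin accepts them only when "VPNgroup" (or "all") is in the allow list and "PAAdmin" exists as an Admin Role.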

Page 22: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey
Page 23: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

Palo Alto Networks admin authentication configuration

1. Log in to the firewall GUI.

2. Go to Device -> Server Profiles -> Radius.

3. Click Add and enter the YubiRadius server's IP address, port and shared key; check Administrator Use Only if you want to use this server profile for admin login only.

4. Create a new Authentication Profile: go to Device -> Authentication Profile and click Add. Select Radius in the Authentication field and select the Radius server profile from the previous step. In the Allow list, select All if you would like to allow all groups to get access, or type in manually the group name that is going to be returned in the RADIUS response packet (in this example I use "VPNgroup", to keep it consistent with the /etc/freeradius/users setting).

Page 24: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

5. Create a new admin role, go to Device -> Admin Roles, click Add and select the appropriate right for each tab. In this example I am using “PAAdmin” role, to make it consistent with the radius /etc/freeradius/users setting

Page 25: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

6. Change the authentication setting for the firewall. Go to Device -> Setup -> Management -> Authentication Settings, select the authentication profile created in step 4.

7. Click Commit.

8. Log in to the WebUI using your username and your password+OTP combination.

Page 26: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

Palo Alto Networks GlobalProtect authentication using Yubikey OTP

1. Create a new GlobalProtect Portal, go to Network -> GlobalProtect -> Portals, click Add and select the correct setting based on your environment. In this example, I am using Ethernet1/2 as the Portal’s interface.

2. Select LDAP as the authentication Profile for the portal. This allows the users to check “Remember Me” setting on the GlobalProtect client. Usually, this is the user’s domain password.

3. Configure the Client Configuration setting.

Page 27: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

4. Create a new GlobalProtect gateway: go to Network -> GlobalProtect -> Gateways, click Add and select the interface and IP address. In this example I am using Ethernet1/2.

5. Select YubiRadius as the authentication profile. This profile is the authentication profile created in the previous section. This will allow the user to authenticate to the gateway using his/her password+OTP authentication.

Page 28: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

Test GlobalProtect client using password+OTP

1. Configure GlobalProtect agent portal IP address to your firewall IP address, in this example I am using 192.168.5.1 as my portal address.

2. Type in your user name.

3. Type in your password; note that this is your Active Directory user password, since we are using LDAP as the authentication profile for the portal.

4. Click Apply and connect to the portal.

5. Once you have been successfully authenticated by the portal, the gateway will prompt you to authenticate. Type in the password + OTP from Yubikey into the password field ( type in your AD password then press the Yubikey).

Page 29: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

6. To check whether the user was successfully authenticated and which VSAs were returned by the YubiRadius, run the following command:

tail follow yes mp-log authd.log
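The "password then press the Yubikey" step above works because the key types its one-time password after whatever the user already entered, so the RADIUS server has to split the field before it can check the two factors. The Python below is an added example, not code from the original document or from YubiRadius/pam_yubico: it splits the field, validates the OTP's modhex form, and rejects the request when the key's public id is not the one assigned to that user (the "Assign a new Yubikey" mapping from the YubiRadius section). It assumes the standard 44-character OTP with a 12-character public id; the password, OTP and assignment table are constructed, and the Yubicloud validation call that follows is not shown.

```python
# YubiKey keyboard-safe "modhex" alphabet: the character at index n encodes hex nibble n.
MODHEX = "cbdefghijklnrtuv"
OTP_LEN, PUBLIC_ID_LEN = 44, 12  # standard YubiKey OTP: 12-char public id + 32-char ciphertext

def modhex_decode(text):
    """Decode a modhex string to bytes; raises ValueError on any non-modhex character."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not modhex: %r" % text)
    nibbles = [MODHEX.index(ch) for ch in text]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))

def split_password_otp(field):
    """Split the password field into (static password, otp). The key appends its
    44-character OTP after whatever the user typed, so the OTP is always the tail."""
    if len(field) < OTP_LEN:
        raise ValueError("password field too short to contain a YubiKey OTP")
    password, otp = field[:-OTP_LEN], field[-OTP_LEN:]
    modhex_decode(otp)  # rejects anything that is not a well-formed OTP
    return password, otp

def check_key_holder(username, otp, assignments):
    """The first 12 characters identify the physical key. It must be the key assigned
    to the requesting user; otherwise a different user's key could be paired with
    this user's static password."""
    return assignments.get(otp[:PUBLIC_ID_LEN]) == username

def prepare_request(username, field, assignments):
    """Return what the server checks next: the static password (against AD/LDAP) and
    the OTP (against Yubicloud), or None if the request is rejected locally."""
    try:
        password, otp = split_password_otp(field)
    except ValueError:
        return None
    if not check_key_holder(username, otp, assignments):
        return None
    return {"password": password, "otp": otp, "public_id": otp[:PUBLIC_ID_LEN]}

# Constructed sample data: a made-up AD password followed by a made-up 44-char OTP,
# and a constructed key-to-user assignment table (public id -> username).
SAMPLE_OTP = "cccccccbcdef" + "ghijklnrtuvcbdef" * 2
SAMPLE_FIELD = "Winter2012" + SAMPLE_OTP
ASSIGNMENTS = {"cccccccbcdef": "alice"}
```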

Page 30: Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey

Yubikey OTP authentication with Freeradius and pam_yubico

Work in progress…..