Palo Alto Networks Integration

From Swivel Knowledgebase
Jump to: navigation, search


Introduction

This document describes steps to configure a Palo Alto Networks Firewall with Swivel as the authentication server using RADIUS with SMS, Mobile Phone Client, and Taskbar Authentication. The solution is tested with a Palo Alto Networks GlobalProtect client.


Prerequisites

Palo Alto Networks Firewall

Palo Alto Networks documentation

Swivel 3.x, 3.5 or later for RADIUS groups


Baseline

Palo Alto Networks PA-2050

Palo Alto Networks Software 4.1.6

Palo Alto Networks GlobalProtect Client 1.14 and 1.15

Swivel 3.8


Architecture

The Palo Alto Networks makes authentication requests against the PINsafe server by RADIUS.


Swivel Configuration

Configuring the RADIUS server

Configure the RADIUS settings using the RADIUS configuration page in the Swivel Administration console by selecting RADIUS Server. To turn on RADIUS authentication set Server Enabled to YES. The Host or IP address is the interface which will accept RADIUS requests, leave this blank to allow RADIUS requests on any interface. (In this example the HOST IP is set to 0.0.0.0 which is the same as leaving it blank).

For troubleshooting RADIUS debug can be enabled together with the debug log option, see Debug how to guide

Note: for appliances, the Swivel VIP should not be used as the server IP address, see VIP on PINsafe Appliances


PINsafe36RADIUSserver.JPG


Setting up the RADIUS NAS

Set up the NAS using the Network Access Servers page in the PINsafe Administration console. Enter a name for the VPN server. The IP address has been set to the IP of the VPN appliance, and the secret ‘secret’ assigned that will be used on both the PINsafe server and VPN RADIUS configuration.


PINsafe 36 generic RADIUS NAS.JPG


You can specify an EAP protocol if required, others CHAP, PAP and MSCHAP are supported. All users will be able to authenticate via this NAS unless authentication is restricted to a specific repository group.


Enabling Session creation with username

The Swivel server can be configured to return an image stream containing a TURing image in the Taskbar

Go to the ‘Single Channel’ Admin page and set ‘Allow Session creation with Username:’ to YES.

To test your configuration you can use the following URL using a valid Swivel username:

Appliance

https://Swivel_server_IP:8443/proxy/SCImage?username=testuser

For a software only install see Software Only Installationr


Palo Alto Networks Configuration

Create a RADIUS Server Profile

On the Palo Alto Networks Administration console select the Device tab then Server Profiles and then RADIUS, and click on Add.


PaloAltoDeviceAddRADIUSserver.jpg


Enter the following information:

Name Descriptive name for the authentication server

Domain A domain to be appended to the authentication request

IP address or hostname of the Swivel server

Shared secret as entered on the PINsafe server

Port usually 1812 by default


PaloAltoDevice.jpg


Create an Authentication Profile

On the Palo Alto Networks Administration console select the Device tab then Authentication profiles, and click on New. Enter a name and select RADIUS as the authentication type, and the Swivel server for the profile.


PaloAltoDeviceAuthenticationProfile.jpg


PaloAltoDeviceAuthenticationProfilecreated.jpg


Configure the GlobalProtect Portal to use Swivel RADIUS Authentication

On the Palo Alto Networks Administration console select the Network tab then SSL-VPN, either edit an existing GlobalProtect Portal or configure a new one by clicking on New.

Configure the Authentication Profile to use the authentication profile created above.


PaloAltoNetworkSSLVPNAdd.jpg


Configure the GlobalProtect Gateway to use Swivel RADIUS Authentication

On the Palo Alto Networks Administration console select the Network tab then SSL-VPN, either edit an existing GlobalProtect Gateway or configure a new one by clicking on New.


Configure the Authentication Profile to use the authentication profile created above.


2PaloAltoDeviceGlobalProtectGateway.jpg


Additional Configuration Options

Challenge and Response with Two Stage Authentication

Challenge and Response is supported by using Two Stage authentication and Check Password with Repository using RADIUS PAP authentication. See Challenge and Response How to Guide.

Enter Password


PaloAltoGlobalProtectGatewayPassword.jpg


Enter OTC


PaloAltoGlobalProtectGatewayOTC.jpg


IF OTC is correct then connection will be established


PaloAltoGlobalProtectGatewayConnectedjpg.jpg


Testing

Connect to the GlobalProtect Client and authenticate using RADIUS authentication.


Troubleshooting

Check the PINsafe logs for RADIUS requests.


Known Issues and Limitations

None


Additional Information

For assistance in the Swivel installation and configuration please firstly contact your reseller and then email Swivel Secure support at support@swivelsecure.com