During the COVID-19 lockdown I was asked to setup a VPN and secure it with two factor authentication. Below I detail the steps to configure DUO with Palo Alto GlobalProtect.
There is a couple of assumptions here. You have experience with PAN OS and have setup Palo Alto GlobalProtect. The Palo Alto deployment method is Global Protect client based IPSec VPN with SSL fallback. For DUO we are going to use RADIUS deployment method with the DUO Proxy.
More information on the deployment methods of DUO can be found here
Duo Proxy Configuration
Select Applications menu option in your DUO admin panel tenancy. Select protect an application and Palo Alto SSL VPN. Make a note of your integration and secret keys. These are used to configure the Duo proxy.
Configure a local Windows VM on your windows domain. Install the DUO Proxy from here. It is a standard setup file. Once installed you need to configure the proxy by editing the authproxy.cfg file in C:\Program Files (x86)\Duo Security Authentication Proxy\conf\
interface = x.x.x.x
[ad_client] host = 192.168.1.1
search_dn = DC=contoso,DC=com
service_account_username = ldap
service_account_password = secretpassword
[radius_server_auto] ikey = yourikeyhere
skey = yourskeyhere
api_host = api-xxxxxxxx.duosecurity.com
radius_ip_1 = 192.168.1.254
radius_secret_1 = myradiussecret
port = 1812
client = ad_client
client_ip_attr = paloalto
OK so in this example we are pointing the DUO Proxy to the PA firewall interface 192.168.1.254 as the radius authenticator. I also configure the interface IP of the server to bind to. This is handy for servers that have multiple nics. Substitute your secrets such as ikey / skey and the ip addresses as per above. Once configured, save the file and start the service from services.msc. Note that the service will not start if there is a misconfiguration in the config file. It is also cool that you can bind the DUO Proxy to any port. I am using 1812, however if your sever had Microsoft NPS on it already using 1812, you can use a non standard port for RADIUS such as 1810.
Palo Alto Configuration
Configure the PA to point to the DUO Proxy. Essentially the DUO Proxy is a RADIUS server:
Device > Server Profiles > RADIUS
Set IP of DUO Proxy and Port.
Configure Authentication Profile.
Device > Authentication Profile:
Set Server Profile to the previous created RADIUS profile. Set User Domain to your Active Directory short hand domain name. This means users wont have to type the domain name on the Global Protect client login (only the username).
Configure GlobalProtect Gateway.
Network > GlobalProtect > Gateways > edit gateway and select Authentication tab. Set the authentication profile to be the one we just configured in step 4.
Step 4 (Optional).
Continuing with GlobalProtect Gateway settings:
Click the Agent tab on the left and then click the Client Settings tab. Click on the name of your config to open it.
Click on Authentication Override. Tick generate cookie and accept cookie and set the lifetime. You will need to select a valid certificate for authentication cookie Encrypt and Decrypt. This will make it so once the user passes both GlobalProtect and DUO authentication they wont have to re-authenticate during this time period. For example if the deployment is for work from home and the user gets disconnected due to home broadband drop out, once reconnected during the cookie window user wont be asked for authentication.
Under Gateway > Agent > Tunnel Settings. Be sure to tick “Enable IPSec”. The PA will try to negotiate IPSec first, if it cant it will fall back to TLS (SSL). You can also set the IPSec Crypto policy to use more secure method here such as AES-256-GCM.
Click OK twice and save / commit all of the settings.