A few days ago we configured SSL VPN in Palo Alto Networks Next-Generation Firewall. Now we will modify the setup to introduce Duo Security’s two factor authentication. Duo’s two factor authentication enables users to secure their SSL VPN portal logins using their smartphones. A free smartphone application (for iPhone, Android, Blackberry or Windows device) can generate passcodes (just like the hardware token devices) or can use Push technology for one-tap login approval. Duo Security’s website is full of information on how this technology works!
We will start with the installation of Duo Security’s Authentication Proxy and then modify our Palo Alto setup to implement two-factor authentication. A detailed integration manual is available at this link, but it misses an important setting that took me a long time to figure out.
First sign up for a Duo account, go to the integrations page and create a Palo Alto SSL VPN integration to get the integration key, the secret key and the API hostname. Then download the Duo Authentication Proxy for Windows. In our example, we installed the application on a Windows 2008R2 server by following the setup wizard screens. After that, we configured the proxy by editing the “C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg” configuration file, following the guidelines of the aforementioned integration manual for the various parameters. There is also a more detailed reference guide for the authentication proxy at this link.
A simple configuration file looks like this (values in angle brackets are placeholders for your own settings; lines starting with ; are comments):
[ad_client]
; host / host_2: the IPs of the primary and secondary DC
host=192.168.1.1
host_2=<ip of a secondary DC>
; the AD account that runs the AuthProxy service and reads from AD, and its password
service_account_username=serviceaccount
service_account_password=********
; your base DN that your SSL VPN accounts live in
search_dn=OU=MyOrganization,DC=MyCompany,DC=local

[radius_server_auto]
; api_host, ikey and skey are provided by Duo Security for the Palo Alto SSL VPN integration
api_host=api-abcdefg.duosecurity.com
ikey=<integration key>
skey=<secret key>
; primary (password) authentication is done against the [ad_client] section above
client=ad_client
port=1812
; radius_ip_1 / radius_ip_2: the active and secondary High Availability PA nodes, each with its RADIUS key
radius_ip_1=192.168.1.3
radius_secret_1=************
radius_ip_2=<ip of the secondary HA PA node>
radius_secret_2=************
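A quick sanity check of authproxy.cfg before starting the service saves a round of log reading: the proxy needs an [ad_client] section for primary authentication, a [radius_server_auto] section whose client= points at it, the Duo ikey/skey/api_host, and one radius_secret_N for every radius_ip_N (one per firewall HA node). The script below is an added example written for this post, not code from Duo or from the original article; it assumes the default configuration path quoted above and treats any value written as <…> as a placeholder that has not been filled in yet.

```powershell
# Added example: parse authproxy.cfg and report the settings the Palo Alto SSL VPN
# integration depends on. Assumed path: the default install location of the proxy.
$cfgPath = 'C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg'

function Read-IniFile {
    param([string]$Path)
    $ini = @{}
    $section = ''
    foreach ($line in Get-Content -Path $Path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';') -or $t.StartsWith('#')) { continue }
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        if ($section -eq '') { continue }   # key before any [section] header: ignore
        if ($t -match '^([^=]+)=(.*)$') { $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    return $ini
}

function Test-AuthProxyConfig {
    param([hashtable]$Ini)
    $problems = @()
    foreach ($s in 'ad_client', 'radius_server_auto') {
        if (-not $Ini.ContainsKey($s)) { $problems += "missing [$s] section" }
    }
    if ($Ini.ContainsKey('ad_client')) {
        foreach ($k in 'host', 'service_account_username', 'service_account_password', 'search_dn') {
            if (-not $Ini['ad_client'].ContainsKey($k)) { $problems += "[ad_client] lacks $k" }
        }
    }
    if ($Ini.ContainsKey('radius_server_auto')) {
        $r = $Ini['radius_server_auto']
        foreach ($k in 'ikey', 'skey', 'api_host', 'client', 'port') {
            if (-not $r.ContainsKey($k)) { $problems += "[radius_server_auto] lacks $k" }
        }
        # client= must name a section that actually exists (e.g. ad_client)
        if ($r.ContainsKey('client') -and -not $Ini.ContainsKey($r['client'])) {
            $problems += "client=$($r['client']) refers to a section that does not exist"
        }
        # every firewall node listed as radius_ip_N needs its own radius_secret_N
        foreach ($k in @($r.Keys)) {
            if ($k -match '^radius_ip_(\d+)$') {
                $n = $Matches[1]
                if (-not $r.ContainsKey("radius_secret_$n")) { $problems += "radius_ip_$n has no radius_secret_$n" }
            }
        }
    }
    # values still written as <placeholder> were never filled in
    foreach ($s in $Ini.Keys) {
        foreach ($k in $Ini[$s].Keys) {
            if ($Ini[$s][$k] -match '^<.*>$') { $problems += "[$s] $k still holds a placeholder value" }
        }
    }
    return $problems
}

$problems = Test-AuthProxyConfig (Read-IniFile $cfgPath)
if ($problems.Count -eq 0) { 'authproxy.cfg looks complete' } else { $problems }
```

Run it from an elevated PowerShell prompt on the proxy server after every edit of authproxy.cfg; it only reads the file and changes nothing, so it is safe to keep around as a pre-flight check.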
When we used this configuration, our SSL VPN connections failed with a wrong-credentials error. Further examination of the log files showed that the problem was in the Active Directory authentication step. We had to edit the Log On property of the “Duo Security Authentication Proxy” service and replace the Local System account with the configured AD service account in order to authenticate properly! Unfortunately this is not mentioned in Duo Security’s integration manual.
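The same change can be made without clicking through services.msc, which is handy when the proxy is rebuilt or when you want to verify which account the service is actually running as. The script below is an added example for this post, not code from Duo; it looks the service up by the display name quoted above, and the domain account name is a placeholder for your own service account.

```powershell
# Added example: switch the Duo Authentication Proxy service from Local System to the
# AD service account that authproxy.cfg uses for service_account_username.
# Get-WmiObject is used on purpose: it is available on Windows 2008R2 (PowerShell 2.0).
$displayName = 'Duo Security Authentication Proxy'   # display name from the post
$account     = 'MYCOMPANY\serviceaccount'             # placeholder: your AD service account
$secure      = Read-Host -Prompt "Password for $account" -AsSecureString
$bstr        = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain       = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)

$svc = Get-WmiObject -Class Win32_Service -Filter "DisplayName='$displayName'"
if (-not $svc) { throw "service '$displayName' not found on this host" }
"Current logon account: $($svc.StartName)"

# Win32_Service.Change(): only StartName and StartPassword are set here,
# $null leaves every other property (path, start mode, dependencies) untouched.
$result = $svc.Change($null, $null, $null, $null, $null, $null, $account, $plain)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$plain = $null
if ($result.ReturnValue -ne 0) { throw "Change() failed, Win32_Service return code $($result.ReturnValue)" }

Restart-Service -Name $svc.Name
# Verify: the service must now report the AD account, not LocalSystem.
(Get-WmiObject -Class Win32_Service -Filter "DisplayName='$displayName'").StartName
```

One caveat: unlike the Services console, the WMI Change() call does not grant the account the "Log on as a service" user right. If the restart fails with a logon failure, assign that right to the service account in Local Security Policy (or via Group Policy) and restart the service again.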
The setup on Palo Alto’s side is pretty straightforward. First go to Device – Server Profiles – RADIUS and make a new one, for example Duo RADIUS Profile; type in the server on which the Duo Security Authentication Proxy service resides and the shared key for the communication between the two devices, and leave the port at 1812.
Next create a new Authentication Profile, e.g. SSLVPN_RADIUS_w_DUO, insert your desired lockout parameters and edit the allow list by inserting your SSL VPN users. Finally select Authentication “RADIUS” and, as the Server Profile, the one we created before, Duo RADIUS Profile.
Finally, go to the SSL VPN Profile and select the new Authentication Profile we just created, SSLVPN_RADIUS_w_DUO. Commit the changes and you are ready to go!
Don’t forget to add your SSL VPN users in your Duo Security website account, enter their mobile phones and enable the Duo Push action, following the detailed guides on Duo’s website.