Integrating Duo Security two factor authentication in Palo Alto Networks’ SSL VPN

A few days ago we configured SSL VPN on a Palo Alto Networks Next-Generation Firewall. Now we will modify that setup to add Duo Security’s two factor authentication, which lets users protect their SSL VPN portal logins with their smartphones. A free smartphone application (for iPhone, Android, BlackBerry or Windows devices) can generate passcodes, just like a hardware token, or use Duo Push for one-tap login approval. Duo Security’s website explains in detail how this technology works.

We will start with the installation of Duo Security’s Authentication Proxy and then modify our Palo Alto setup to enforce two-factor authentication. A detailed integration manual is available at this link, but it misses an important setting that took me a long time to figure out.

First sign up for a Duo account, go to the integrations page and create a Palo Alto SSL VPN integration to obtain the integration key, the secret key and the API hostname. Then download the Duo Authentication Proxy for Windows. In our example we installed it on a Windows Server 2008 R2 machine by following the setup wizard. After that, we configured the proxy by editing “C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg” and following the guidelines of the aforementioned integration manual for the various parameters. A more detailed reference guide for the Authentication Proxy is available at this link.

A simple configuration file looks like this (lines starting with ; are comments, so the file can be used as-is once the placeholders are filled in):

[main]
client=ad_client
server=radius_server_iframe

[ad_client]
; primary and secondary domain controllers
host=192.168.1.1
host_2=192.168.1.2
; AD account the proxy binds with; it is also the account the AuthProxy service must run as (see below)
service_account_username=serviceaccount
service_account_password=********
; base DN that your SSL VPN accounts live in
search_dn=OU=MyOrganization,DC=MyCompany,DC=local

[radius_server_iframe]
type=paloalto
; the three values from the Palo Alto integration page in the Duo admin panel
api_host=api-abcdefg.duosecurity.com
ikey=*************
skey=*************
; secure: deny logins if the Duo service cannot be reached (safe would allow primary-only logins)
failmode=secure
; RADIUS clients allowed to talk to the proxy: both nodes of the PA HA pair, each with its shared secret
radius_ip_1=192.168.1.3
radius_secret_1=************
radius_ip_2=192.168.1.4
radius_secret_2=************

When we used this configuration, our SSL VPN connections failed with wrong credentials. Further examination of the log files showed that the problem was in the Active Directory authentication step. We had to edit the Log On setting of the “Duo Security Authentication Proxy” service and replace the Local System account with the AD service account configured in [ad_client]; only then did primary authentication succeed. Unfortunately this is not mentioned in Duo Security’s integration manual. Note that the account also needs the “Log on as a service” right; the Services console grants it when you set the account there, other tools may not.

Setting up the service account
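The same change, scripted, as an added example (this is not code from the original post or from Duo Security). It first proves that the service account can bind to the domain controller with the password you supply, then switches the service’s logon account, restarts it and shows the tail of the proxy log. The service display name, the account name, the DC address and base DN (taken from the sample authproxy.cfg above) and the default install path are assumptions; adjust them to your environment. Written for PowerShell 2.0, the version on Windows Server 2008 R2, so it uses Get-WmiObject rather than the newer CIM cmdlets; run it from an elevated prompt.

```powershell
# Added example, not the original post's or Duo Security's code.
# Re-homes the Duo Authentication Proxy Windows service from Local System to the
# AD service account named in [ad_client], after verifying that account's password.
# Assumptions: service display name, account, DC, base DN and log path below.
$DisplayName = 'Duo Security Authentication Proxy'   # as shown in services.msc (assumed)
$Account     = 'MYCOMPANY\serviceaccount'            # the [ad_client] service account
$DcHost      = '192.168.1.1'                         # host= in [ad_client]
$SearchDn    = 'OU=MyOrganization,DC=MyCompany,DC=local'   # search_dn= in [ad_client]
$LogFile     = 'C:\Program Files (x86)\Duo Security Authentication Proxy\log\authproxy.log'

# Prompt for the password instead of embedding it in the script.
$Cred  = Get-Credential $Account
$Plain = $Cred.GetNetworkCredential().Password

# 1. Prove the credentials work against AD before touching the service.
#    DirectoryEntry binds lazily; reading NativeObject forces the bind and throws
#    on a wrong password, a locked account or an unreachable DC.
$entry = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$DcHost/$SearchDn", $Account, $Plain
try {
    $null = $entry.NativeObject
    "LDAP bind as $Account to $DcHost succeeded"
} catch {
    throw "LDAP bind as $Account failed: $($_.Exception.Message)"
}

# 2. Locate the service and show what it runs as now (LocalSystem before the fix).
$svc = Get-WmiObject Win32_Service -Filter "DisplayName='$DisplayName'"
if (-not $svc) { throw "Service '$DisplayName' not found; check the display name" }
"Service '$($svc.Name)' currently logs on as: $($svc.StartName)"

# 3. Change the logon account. Win32_Service.Change takes positional arguments
#    (DisplayName, PathName, ServiceType, ErrorControl, StartMode, DesktopInteract,
#    StartName, StartPassword, ...); $null leaves a field untouched.
#    ReturnValue 0 = success, 22 = account name or password rejected.
$r = $svc.Change($null, $null, $null, $null, $null, $null, $Account, $Plain)
if ($r.ReturnValue -ne 0) { throw "Change() failed, ReturnValue=$($r.ReturnValue)" }

# 4. Restart so the new identity takes effect. If the start fails with a logon
#    failure (Service Control Manager event 7038), the account lacks the
#    "Log on as a service" right: grant it in secpol.msc, or set the account once
#    through services.msc, which grants the right automatically.
Restart-Service -DisplayName $DisplayName -ErrorAction Stop
$state = (Get-Service -DisplayName $DisplayName).Status
if ($state -ne 'Running') { throw "Service is $state after restart" }
$now = (Get-WmiObject Win32_Service -Filter "DisplayName='$DisplayName'").StartName
"Service restarted; now logs on as: $now"

# 5. Show the last log lines; an AD bind problem surfaces here as a failed
#    primary authentication, which is what the post describes.
if (Test-Path $LogFile) { Get-Content $LogFile | Select-Object -Last 20 }
```

The LDAP pre-check is the useful part: if it fails, the problem is the account or the password, not the service; if it succeeds and the proxy still rejects users, look at the logon identity and the log tail that the script prints.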

The setup on Palo Alto’s side is straightforward. First go to Device – Server Profiles – RADIUS and create a new profile, for example Duo RADIUS Profile. Enter the server on which the Duo Security Authentication Proxy runs, the shared secret for the communication between the two (it must match the radius_secret_ value configured for that firewall in authproxy.cfg) and leave the port at 1812. Set the profile’s timeout well above the default of a few seconds, for example 60 seconds, so that a Duo Push approval can complete before the firewall gives up on the RADIUS request.

RADIUS Profile

RADIUS Profile Overview

Next create a new Authentication Profile, e.g. SSLVPN_RADIUS_w_DUO, set your desired lockout parameters and edit the allow list to include your SSL VPN users. Finally select Authentication “RADIUS” and, as Server Profile, the Duo RADIUS Profile created before.

Authentication Profile

Authentication Profile Overview

Finally, go to the SSL VPN profile and select the new Authentication Profile we just created, SSLVPN_RADIUS_w_DUO. Commit the changes and you are ready to go!

Don’t forget to add your SSL VPN users to your Duo Security account, enroll their mobile phones and enable Duo Push, following the detailed guides on Duo’s website.


4 thoughts on “Integrating Duo Security two factor authentication in Palo Alto Networks’ SSL VPN”

  1. Hi Nikos. Thanks for your helpful blog post about Duo! Can you tell us more about the integration info that was missing from the docs? You can also tweet us on that topic via @duohelp. Best Regards… David

    • Hi David. In my configuration, when the Duo Authentication Proxy Service was running with the Local System account, I could not authenticate in AD (the error was User Rejected or something like this). I changed it to an authoritative domain user, and now everything works smoothly. Keep up the good work! Nikos.

  2. Hello, a quick question: were you actually able to test your HA? For example, if your radius_ip_1 went down, were you able to get authenticated through your radius_ip_2?

    • Sorry, I haven’t tried it… If I had a problem with HA, I would try the latest version of the Duo Security application.
