Configuring the Palo Alto Firewall for use with Juniper Steel-Belted RADIUS.




Prepared for Palo Alto Networks by James Costello, Armada Data Solutions, Palo Alto Networks Partner, 970 Peachtree Industrial Blvd, Sunwanee GA, 30024

Configuring Steel-Belted RADIUS authentication for a Palo Alto Firewall

Juniper's Steel-Belted RADIUS is a corporate solution for RADIUS authentication. This document is based upon Steel-Belted RADIUS Enterprise Edition and describes how to configure a local user account to authenticate. LDAP authentication differs slightly.

Palo Alto Firewall RADIUS configuration

1. Log in to the Palo Alto Firewall.
2. Go to Device > Server Profiles > RADIUS.

2011 Palo Alto Networks Page 2

3. Click Add and enter the following information:
   a. Name
   b. Domain
   c. Timeout adjustment
   d. Retries
   e. Check Administrator Use Only if this profile will be used for Palo Alto device (administrator) authentication.
   f. Click Add and enter the following information for each RADIUS server:
      i. Name
      ii. IP address
      iii. Port
      iv. Shared Secret
      v. Repeat for each additional RADIUS device (up to 3 total).
   g. Click OK.
4. Go to Device > Authentication Profiles.
5. Click Add and enter the following information:
   a. Enter a name to identify the profile.
   b. Select the virtual system from the drop-down list, or select shared.
   c. Enter the number of failed login attempts that are allowed before the account is locked out (1-10, default 0). 0 means that there is no limit.
   d. Enter the number of minutes that a user is locked out if the number of failed attempts is reached (0-60 minutes, default 0). 0 means that the lockout is in effect until it is manually unlocked.
   e. Specify the users and groups that are explicitly allowed to authenticate. Click Edit Allow List and do any of the following:
      i. Select the check box next to the appropriate user or user group in the Available column, and click Add to add your selections to the Selected column.
      ii. Use the All check box to apply the profile to all users.
      iii. Enter the first few characters of a name in the Search field to list all the users and user groups that start with those characters. Selecting an item in the list sets the check box in the Available column. Repeat this process as often as needed, and then click Add.
      iv. To remove users or user groups, select the appropriate check boxes in the Selected column and click Remove, or select any to clear all users.
   f. Choose RADIUS as the type of authentication.
   g. Select the RADIUS server profile from the drop-down list.
   h. Click OK.
6. Optional step: assign RADIUS as the authentication method for Palo Alto administrators.
   a. Go to Device > Setup and edit the Setup section (main window in the right pane).
   b. Click Edit.
   c. Use the drop-down on Authentication Profile to select the profile that was created above.
   d. Click OK.
7. Click Commit to commit the configuration.

Steel-Belted RADIUS Configuration

Dictionary

1. Place the paloalto.dct dictionary file (see Appendix 1) in Radius\Service on Windows computers, or in /opt/jnprsbr/radius on Solaris/Linux computers.
2. Restart the RADIUS service so that it recognizes the new dictionary file.

RADIUS Client

1. Launch the SBR Administrator.
2. Click on the RADIUS Clients item in the left window.
3. Click Add.
4. Enter the following information:
   a. Name (a unique name for each device is recommended)
   b. IP Address
   c. Shared Secret
   d. Select Palo Alto for the Make or model.
   e. All other fields are optional.
   f. Click OK.

Set up a Profile

1. Click on Profiles in the left window.
2. Click Add.
3. Enter the following information:
   a. Name (must be unique)
   b. Description (helpful but not required)
   c. Click on the Attributes Return List tab.
   d. Click Add.
      i. Scroll down to the Paloalto-Admin-Role attribute and add the appropriate role name for this profile:
         1. superuser
         2. superreader
         3. deviceadmin
         4. devicereader
         5. Custom Admin Profiles can be added as well; see the Palo Alto Administration guides for how to set those up.
      ii. Click Add.
   e. Repeat the additions for the other attributes as needed:
      i. PaloAlto-Admin-Access-Domain: the name of the access domain object defined on the Palo Alto Networks device.
      ii. PaloAlto-Panorama-Admin-Role: the name of the role for the user. It can be the name of a custom Admin role profile configured on the Panorama server, or one of the following predefined roles:
          a. superuser : Superuser
          b. superreader : Superuser (read-only)
          c. panorama-admin : Panorama administrator
      iii. PaloAlto-Panorama-Admin-Access-Domain: the name of the access domain object defined on the Panorama server.
      iv. PaloAlto-User-Group: the name of the group of users that can be used in allow lists in authentication profiles for access control purposes.
      v. When done, click Close.
   f. Click OK.

Set up Native User authentication

1. Click on Users and then Native in the left window.
2. Click Add.
   a. Enter the following information:
      i. Name (must be unique)
      ii. Password
      iii. Description
      iv. Check Use Profile and use the drop-down to select the Profile that was created in the previous steps.
   b. Click OK.

Conclusion

That is the basic configuration using Steel-Belted RADIUS. It is possible to use Active Directory, TACACS+, SecurID and LDAP to do back-end authentication, but those are outside the scope of this initial configuration document.

Appendix 1: The paloalto.dct file

    #
    @radius.dct
    #
    # Palo Alto Networks - Steel Belted RADIUS Dictionary File
    #
    ATTRIBUTE Paloalto-Admin-Role 26 [vid=25461 type1=1 len1=+2 data=string] r
    # PaloAlto-Admin-Role is the name of the role for the user
    # it can be the name of a custom Admin role profile configured on the
    # Palo Alto Networks device or one of the following predefined roles
    # superuser    : Superuser
    # superreader  : Superuser (read-only)
    # deviceadmin  : Device administrator
    # devicereader : Device administrator (read-only)
    # vsysadmin    : Virtual system administrator
    # vsysreader   : Virtual system administrator (read-only)
    ATTRIBUTE PaloAlto-Admin-Access-Domain 26 [vid=25461 type1=2 len1=+2 data=string] r
    # PaloAlto-Admin-Access-Domain is the name of the access domain object defined
    # on the Palo Alto Networks device
    ATTRIBUTE PaloAlto-Panorama-Admin-Role 26 [vid=25461 type1=3 len1=+2 data=string] r
    # PaloAlto-Panorama-Admin-Role is the name of the role for the user
    # it can be the name of a custom Admin role profile configured on the
    # Panorama server or one of the following predefined roles
    # superuser      : Superuser
    # superreader    : Superuser (read-only)
    # panorama-admin : Panorama administrator
    ATTRIBUTE PaloAlto-Panorama-Admin-Access-Domain 26 [vid=25461 type1=4 len1=+2 data=string] r
    # PaloAlto-Panorama-Admin-Access-Domain is the name of the access domain
    # object defined on the Panorama server
    ATTRIBUTE PaloAlto-User-Group 26 [vid=25461 type1=5 len1=+2 data=string] r
    # PaloAlto-User-Group is the name of the group of users that can be used in
    # allow lists in authentication profiles for access control purposes
    #
    #
    # Note: this text may contain artifacts from Microsoft Word that will need to be removed.
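The following is an added example, not code from the original document, from Palo Alto Networks or from Juniper. It shows what the dictionary in Appendix 1 and the Shared Secret configured on both sides of the guide actually do on the wire: the ATTRIBUTE lines are parsed to recover the vendor ID 25461 and the sub-type numbers, an Access-Accept carrying the Paloalto-Admin-Role and PaloAlto-User-Group attributes returned by an SBR profile is built in the RFC 2865 Vendor-Specific format (type 26, vendor ID, vendor-type, vendor-length with the len1=+2 header convention), and the firewall-side check is performed: the Response Authenticator is recomputed with the shared secret before any role in the reply is trusted. The dictionary excerpt is a trimmed copy of the appendix; the shared secret, packet identifier, request authenticator and the group name fw-admins are constructed values.

```python
import hashlib
import hmac
import re
import struct

# Trimmed copy of the ATTRIBUTE lines from the paloalto.dct appendix (comments omitted).
# vid=25461 is the Palo Alto Networks vendor ID; type1=N is the vendor sub-type; len1=+2
# means the vendor-length byte counts its own 2-byte header plus the string data.
DCT_TEXT = """
@radius.dct
ATTRIBUTE Paloalto-Admin-Role 26 [vid=25461 type1=1 len1=+2 data=string] r
ATTRIBUTE PaloAlto-Admin-Access-Domain 26 [vid=25461 type1=2 len1=+2 data=string] r
ATTRIBUTE PaloAlto-Panorama-Admin-Role 26 [vid=25461 type1=3 len1=+2 data=string] r
ATTRIBUTE PaloAlto-Panorama-Admin-Access-Domain 26 [vid=25461 type1=4 len1=+2 data=string] r
ATTRIBUTE PaloAlto-User-Group 26 [vid=25461 type1=5 len1=+2 data=string] r
"""

ATTR_RE = re.compile(
    r"^ATTRIBUTE\s+(\S+)\s+26\s+\[vid=(\d+)\s+type1=(\d+)\s+len1=\+2\s+data=string\]",
    re.MULTILINE)

VSA_TYPE = 26        # RFC 2865 Vendor-Specific attribute type
ACCESS_ACCEPT = 2    # RFC 2865 packet code


def parse_dct(text):
    """Map (vendor_id, vendor_type) -> attribute name from the dictionary's ATTRIBUTE lines."""
    return {(int(vid), int(vt)): name for name, vid, vt in ATTR_RE.findall(text)}


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute: Type 26, Length, Vendor-Id, Vendor-Type, Vendor-Length, data."""
    data = value.encode()
    inner = struct.pack("!BB", vendor_type, len(data) + 2) + data   # len1=+2 header
    return struct.pack("!BBI", VSA_TYPE, len(inner) + 6, vendor_id) + inner


def build_access_accept(ident, request_auth, secret, attrs):
    """Assemble an Access-Accept; the Response Authenticator is MD5 over header, request
    authenticator, attributes and the shared secret (RFC 2865 section 3)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret):
    """What the firewall does before trusting an Access-Accept: recompute the Response
    Authenticator with its own copy of the shared secret. A mismatch means the secrets
    differ or the reply was altered in transit, and the roles inside must not be honoured."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def decode_vsas(packet, dictionary):
    """Walk the attribute list and return {name: value} for the vendor attributes the
    dictionary knows; unknown vendors or sub-types are skipped, bad lengths are rejected."""
    out, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length at offset %d" % pos)
        if atype == VSA_TYPE and alen >= 8:
            vendor_id = struct.unpack("!I", packet[pos + 2:pos + 6])[0]
            vtype, vlen = packet[pos + 6], packet[pos + 7]
            if vlen != alen - 6:
                raise ValueError("vendor-length does not match attribute length")
            name = dictionary.get((vendor_id, vtype))
            if name:
                out[name] = packet[pos + 8:pos + alen].decode()
        pos += alen
    return out


def demo():
    """Round trip: SBR-side profile -> Access-Accept -> firewall-side check and decode."""
    dictionary = parse_dct(DCT_TEXT)
    secret = b"constructed-shared-secret"   # constructed; in the guide it is typed on both sides
    request_auth = bytes(range(16))         # constructed stand-in for the Access-Request authenticator
    attrs = [encode_vsa(25461, 1, "superreader"),   # Paloalto-Admin-Role, a predefined role
             encode_vsa(25461, 5, "fw-admins")]     # PaloAlto-User-Group, constructed group name
    packet = build_access_accept(7, request_auth, secret, attrs)
    genuine = verify_response(packet, request_auth, secret)
    wrong_secret = verify_response(packet, request_auth, b"wrong-secret")
    return genuine, wrong_secret, decode_vsas(packet, dictionary)


if __name__ == "__main__":
    print(demo())
```

Running the block prints `(True, False, {...})`: the reply verifies with the secret it was built with, fails with a different one, and decodes to the two role attributes. The vendor-length check in decode_vsas is the kind of consistency test a NAS needs because the len1=+2 convention makes the inner and outer lengths redundant, and a mismatch is a sign of a malformed or corrupted attribute rather than something to repair silently.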