Palo Alto NGFW Global Protect - RADIUS Configuration in Cloud Access Service - RSA Ready Implementation Guide

This article describes how to integrate Palo Alto NGFW Global Protect with RSA Cloud Access Service (CAS) using RADIUS.


Configure CAS

Perform these steps to configure CAS using RADIUS.

Procedure

  1. Sign in to RSA Cloud Administration Console.
  2. Click Authentication Clients > RADIUS.
  3. Click Add Radius Client and Profiles.
  4. On the RADIUS Client page, enter the following:
    1. Name: A descriptive name for the RADIUS client.
    2. IP Address: The IP address of the machine on which Palo Alto NGFW is installed.
    3. Shared Secret: The secret that you will configure in Palo Alto NGFW. The IP Address and Shared Secret in RSA and Palo Alto NGFW must match.
  5. Choose your Authentication Details and Access Policy.
  6. Click Save and Next Step, and click Finish to complete the configuration.
  7. Click Publish Changes to apply your changes to the RADIUS server and wait for the process to be completed.


Notes

  • The RSA Cloud Authentication RADIUS server is configured to listen on UDP port 1812.
  • The Shared Secret must be an alphanumeric string between 1 and 31 characters in length and is case-sensitive.

Configure Palo Alto NGFW Global Protect

Perform these steps to configure Palo Alto NGFW Global Protect.

Procedure

  1. Log in to the Palo Alto NGFW Admin UI.
  2. Click Device > RADIUS > Add.
  3. Enter a name for the RADIUS Server profile. If you are using advanced authentication methods (for example, Biometrics or Approve), set the Timeout (sec) to 60 and Retries to 1. If you are using OTP, set the Timeout (sec) to 30.
  4. Set the Authentication Protocol to PAP.
  5. Click Add under the Servers section and enter the RSA RADIUS server details:
    1. Name: Choose a name for the server.
    2. RADIUS Server: Enter the Identity Router Management IP.
    3. Secret: Same secret that was configured earlier in RSA.
    4. Port: Default RADIUS port is 1812.
  6. In the left pane, click Authentication Profile. A RADIUS Authentication Profile is created and tied to the RADIUS server created earlier.
  7. On the Authentication Profile section:
    1. In the Type drop-down list, choose RADIUS.
    2. In the Server Profile drop-down list, choose the RADIUS Server Profile that was created.
    3. In the Username Modifier field, change it accordingly if the username needs to be sent to RSA in a different format. By default, this is set to %UserInput%, which is the value that the user enters as it is.
  8. Click the Advanced tab. It displays the users who will be permitted to use this profile.
  9. To configure Global Protect, navigate to Network > Global Protect > Portals.
  10. Click Add to add a new Global Protect Portal or open an existing portal and edit the Authentication settings of the portal.
  11. On the Global Protect Portal Configuration page, navigate to Authentication and click Add under Client Authentication.
  12. On the Client Authentication page, choose a name and in the Authentication Profile drop-down list, choose the profile that was created earlier.
  13. In the Allow Authentication with User Credentials OR Client Certificate drop-down list, choose Yes.
  14. To apply the RSA Authentication on the gateway, go to Network > Global Protect > Gateways.
  15. Click Add to add a new Global Protect gateway or open an existing gateway and edit the Authentication settings of the gateway.
  16. On the Global Protect Gateway Configuration page, navigate to Authentication and click Add under Client Authentication.
  17. Choose the SSL/TLS Service Profile that was created for the environment.
  18. On the Client Authentication page, choose a name and in the Authentication Profile drop-down list, choose the profile that was created earlier.
  19. In the Allow Authentication with User Credentials OR Client Certificate drop-down list, choose Yes.


The configuration is complete.
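Two settings in this guide decide whether the firewall and the RSA RADIUS server can talk at all: the Authentication Protocol is PAP, and the Shared Secret must be identical on both sides. The following Python example is added here and is not code from the guide, RSA or Palo Alto; it builds the Access-Request a NAS such as the firewall sends for a PAP login, hides the User-Password with the shared secret as RFC 2865 specifies, and validates the Response Authenticator on the reply, which is the check that fails when the two secrets differ. The username, password, secret and NAS address are constructed sample values.

```python
import hashlib
import os
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4      # RFC 2865 attribute types

def _attr(attr_type, value):  # one Type-Length-Value attribute
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _xor_chain(data, secret, authenticator, hiding):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block),
    seeded with the Request Authenticator. Only a matching secret undoes it."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if hiding else data[i:i + 16]  # always chain on the hidden bytes
    return out

def hide_password(password, secret, authenticator):
    """NAS side (PAP): NUL-pad to a multiple of 16 bytes, then hide."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    return _xor_chain(padded, secret, authenticator, hiding=True)

def unhide_password(hidden, secret, authenticator):
    """Server side: recover the cleartext; a wrong secret yields garbage."""
    return _xor_chain(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Access-Request as the firewall (the NAS) sends it for a PAP login."""
    authenticator = authenticator or os.urandom(16)  # fresh 16 random bytes per request
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def build_response(code, request, secret, attrs=b""):
    """Server reply: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    """Client side: recompute the Response Authenticator; False means a forged reply or a secret mismatch."""
    identifier, length = response[1], struct.unpack("!H", response[2:4])[0]
    if identifier != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected
```

Because the hiding is only MD5-keyed XOR, the shared secret and the transport path between the firewall and the RADIUS server are what protect the user's password on the wire; that is why the guide has the secret configured identically on both sides and the server reachable only on UDP 1812.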