Palo Alto NGFW 10.1.7 - RSA Ready Implementation Guide

Certified: November 20, 2022

Solution Summary

This section describes Palo Alto NGFW integration with RSA SecurID (or ID Plus). Use this information to determine which use case and integration type your deployment will employ.

Integration Types

RSA MFA API (REST) integrations can provide a rich user interface with all RSA SecurID Access features within the partner application. Refer to the Supported Features section in this guide to see which features this partner application has implemented.

RADIUS integrations provide a text-driven interface for RSA SecurID Access within the partner application. RADIUS provides support for most RSA SecurID Access authentication methods and flows.

SSO integrations use SAML 2.0 or HFED technologies to direct users’ web browsers to Cloud Authentication Service for authentication. SSO provides Single Sign-On using the IDR My Applications/My Page Portal.

Relying party integrations use SAML 2.0 to direct users’ web browsers to Cloud Authentication Service for authentication. Primary authentication is configurable, so relying party can be a good choice for adding additional authentication (only) to existing deployments.

Supported Features

This section shows all the supported features by integration type and by RSA SecurID Access component. Use this information to determine which integration type and which RSA SecurID Access component your deployment will use. The next section in this guide contains the instruction steps for how to integrate RSA SecurID Access with Palo Alto NGFW using each integration type.

Palo Alto NGFW Integration with RSA Cloud Authentication Service

| Authentication Methods | RSA MFA API (REST) | RADIUS | Relying Party | SSO |
|---|---|---|---|---|
| RSA SecurID | - | ✔ | ✔ | ✔ |
| LDAP Password | - | ✔ | ✔ | ✔ |
| Authenticate Approve | ✔ | ✔ | ✔ | ✔ |
| Authenticate OTP | ✔ | ✔ | ✔ | ✔ |
| Device Biometrics | - | ✔ | ✔ | ✔ |
| SMS OTP | - | ✔ | ✔ | ✔ |
| Voice OTP | - | ✔ | ✔ | ✔ |
| FIDO Security Key | - | - | ✔ | ✔ |

Palo Alto NGFW Integration with RSA Authentication Manager

| Authentication Methods | RSA MFA API (REST) | RADIUS | Authentication Agent |
|---|---|---|---|
| RSA SecurID | - | ✔ | - |
| Risk Based Authentication | - | - | - |

Legend:

| Symbol | Meaning |
|---|---|
| ✔ | Supported |
| - | Not Supported |
| n/a | Not Applicable |
| n/t | Not yet tested or documented, but may be possible |

Note: The RSA SecurID Access authentication methods are referred to by different names in the Palo Alto NGFW user interface. Authenticate Approve is referred to as “Push” and Authenticate OTP is referred to as “PIN Code”.

Configuration Summary

This section contains instruction steps that show how to integrate Palo Alto NGFW with RSA SecurID using all of the integration types.

This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

All RSA SecurID and Palo Alto NGFW components must be installed and working prior to the integration.

All of the supported use cases of RSA SecurID Access with Palo Alto NGFW require both server-side and client-side configuration changes. This section of the guide includes links to the appropriate sections for configuring both sides for each use case.

Integration Configuration

RSA Cloud Authentication Service

RSA Authentication Manager

References

RSA Terminology Changes

The following table describes the differences in the terminologies used in the different versions of RSA products and components. 

| Previous Version | New Version | Examples/Comments |
|---|---|---|
| Company ID | Organization ID | |
| Account | Credential | |
| Token | OTP Credential | SecurID OTP Credential |
| Tokencode | OTP/Access Code | SecurID OTP, SMS OTP, Voice OTP; Emergency Access Code, Disable Access Code |
| Hardware Token | Hardware Authenticator | |
| Device Serial Number | Binding ID | |
| Device | Credential/Authenticator | |
| Device Registration Code | Registration Code | |
| Authenticate App | Authenticator App | |

Known Issues

Multi-Factor Authentication (REST API) Authentication Methods.
Palo Alto NGFW supports only the Authenticate Approve and Authenticate OTP authentication methods. When you select an RSA assurance policy, you must ensure that one or both methods will be available at the specified assurance level, or the user will not be able to authenticate.

Configuration for Authentication Manager to have LDAP + Passcode.
In a configuration that enables LDAP on the Portal and RADIUS on the Gateway, some Palo Alto versions send the LDAP password to RSA Authentication Manager in the RADIUS request as an extra packet, in addition to what they send to the LDAP server. As a result, you will see a Passcode Format Error followed by a successful authentication after the RADIUS exchange completes. This should not lock users out, because there are no consecutive rejects if the RADIUS timeout is configured correctly.

FIDO Authentication Not Working with GlobalProtect Embedded Browser.
The Palo Alto GlobalProtect VPN client does not support FIDO in its own embedded browser. You must follow the section linked below to use your OS default web browser instead. You can also check this KB for further setup and scenarios.

https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-new-features/new-features-released-in-gp-app/default-browser-for-saml-authentication

 

Certification Details

RSA Authentication Manager 8.7 Patch 1, Virtual Appliance or later

Palo Alto NGFW 10.1.7, Virtual Appliance

RSA Ready certification by Mahmoud Dawoud

 

Last update: 2023-05-22 04:49 PM