End-of-Life (EoL)

Authentication Policy and Multi-Factor Authentication

To protect services and applications from attackers, you can use the new Authentication policy to control access for end users. Authentication policy lets you choose how many authentication challenges of different types (factors) users must respond to. Using multiple factors of authentication (MFA) is particularly useful for protecting your most sensitive services and applications. For example, you can require users to enter a login password and then enter a verification code that they receive by phone before accessing critical financial documents. To reduce the frequency of MFA challenges that interrupt the user workflow, you can specify an authentication timeout period during which a user responds to the challenges only once for repeated access to services and applications.
The MFA factors that the firewall supports include Push, Short Message Service (SMS), Voice, and One-time password (OTP) authentication. The firewall integrates with MFA vendors through:
  • APIs—The supported vendors are Duo v2, Okta Adaptive, and PingID. Palo Alto Networks will periodically add or update support for MFA vendor APIs through Applications content updates.
  • RADIUS—The firewall supports all vendors through RADIUS.
  1. Configure Captive Portal in Redirect mode.
    The firewall uses the Captive Portal web form to prompt users for the first authentication factor. The firewall also uses Captive Portal to record the timestamps associated with successful authentication events. The firewall uses the timestamps to evaluate the authentication timeout periods that you set in Authentication policy rules (later in this procedure).
  2. Configure a server profile that defines how the firewall connects to the service that provides the first authentication factor.
    For example, to add an LDAP server profile, select Device > Server Profiles > LDAP and Add a profile.
  3. Select Device > Server Profiles > Multi Factor Authentication and Add an MFA server profile for each authentication factor after the first factor.
  4. Select Device > Authentication Profile and Add an authentication profile.
    The profile specifies the order in which the firewall invokes authentication factors.
    • First factor—Select the Type and select the Server Profile you configured.
    • Additional factors—Select Factors, Enable Additional Authentication Factors, and Add the MFA server profiles you configured.
  5. Select Objects > Authentication and Add an authentication enforcement object to associate the authentication profile with a Captive Portal method for authenticating users and for recording authentication timestamps.
  6. Select Policies > Authentication and Add an Authentication policy rule.
    • For the Destination Address, you can specify the IP addresses of the services and applications (such as servers) that require authentication for users to access them.
    • For the Actions, select the Authentication Enforcement object you configured and specify the Timeout period in minutes (default 60) during which the firewall prompts the user to authenticate only once for repeated access to services and applications. The firewall evaluates the Timeout based on the timestamps it recorded for authentication events.
  7. Customize the MFA login page that the firewall displays to tell users how to respond to MFA challenges—Select Device > Response Pages, select MFA Login Page, Export the Predefined response page to your client system, and use an HTML editor to customize the page. When you finish customizing the page, save it with a unique name and Import it back onto the firewall.
  8. Configure a Security policy that allows users to access the services and applications that require authentication, and then Commit your changes.
  9. Verify that the firewall enforces MFA by logging in to your network as one of the users specified in the Authentication rule and requesting a service or application specified in the rule.
    The firewall displays the Captive Portal web form for the first authentication factor.
    After you enter your login credentials, the firewall displays an MFA login page for the next authentication factor.
    After you respond to all the authentication factors, the firewall evaluates Security policy and provides access to the service or application.
    The automated correlation engine on the firewall uses several new correlation objects to detect events on your network that could indicate credential abuse relating to MFA. To review the events, select Monitor > Automated Correlation Engine > Correlated Events.
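The factor ordering and Timeout evaluation described in steps 4 through 9, as an added Python model of the decision logic; this is constructed for illustration, not PAN-OS code or the firewall's actual implementation. It assumes one recorded timestamp per user (written only after every factor succeeds), rules that match on destination address only, and a failed factor stopping the chain; the rule name, addresses and factor names are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable

# Constructed model of Authentication policy evaluation, not firewall code.
# Assumptions: one timestamp per user (recorded on full success), rules match
# on destination address only, and a failed factor stops the factor chain.
@dataclass
class AuthRule:
    name: str
    destinations: set         # destination addresses that require authentication
    factors: list             # first factor (Captive Portal), then MFA server profiles
    timeout_min: int = 60     # Timeout in minutes; 60 is the page's stated default

class AuthPolicy:
    def __init__(self, rules: list):
        self.rules = rules
        self.last_success: dict = {}  # user -> timestamp of last successful authentication

    def match(self, dst: str):
        return next((r for r in self.rules if dst in r.destinations), None)

    def evaluate(self, user: str, dst: str, now: datetime,
                 respond: Callable[[str, str], bool]):
        """Return (decision, factors_challenged) for one access attempt."""
        rule = self.match(dst)
        if rule is None:
            return "allow", []             # no rule: only Security policy applies
        last = self.last_success.get(user)
        if last is not None and now - last < timedelta(minutes=rule.timeout_min):
            return "allow", []             # inside Timeout: user is not prompted again
        challenged = []
        for factor in rule.factors:        # first factor, then each MFA factor in order
            challenged.append(factor)
            if not respond(user, factor):
                return "deny", challenged  # failed factor: remaining factors never prompted
        self.last_success[user] = now      # timestamp recorded only after full success
        return "allow", challenged

def demo():
    """Constructed scenario: repeated access inside and outside the 60-minute Timeout."""
    rule = AuthRule("finance-docs", {"10.0.0.5"}, ["ldap-first-factor", "duo-push"])
    policy = AuthPolicy([rule])
    t0 = datetime(2017, 1, 1, 9, 0)
    accept = lambda user, factor: True
    first = policy.evaluate("alice", "10.0.0.5", t0, accept)
    repeat = policy.evaluate("alice", "10.0.0.5", t0 + timedelta(minutes=30), accept)
    expired = policy.evaluate("alice", "10.0.0.5", t0 + timedelta(minutes=61), accept)
    # bob passes the first factor but rejects the push: denied, no timestamp recorded
    bob = policy.evaluate("bob", "10.0.0.5", t0, lambda u, f: f != "duo-push")
    return first, repeat, expired, bob
```

Running `demo()` shows that the second request within the Timeout raises no challenge, while the request at 61 minutes walks the full factor chain again.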
