Configure MFA Between Duo and the Firewall

Multi-factor authentication (MFA) allows you to protect company assets by using multiple factors to verify the identity of users before allowing them to access network resources. There are multiple ways to use the Duo identity management service to authenticate with the firewall:
  • Two-factor authentication for VPN logins using the GlobalProtect Gateway and a RADIUS server profile (supported on PAN-OS 7.0 and later).
  • API-based integration using Captive Portal and an MFA server profile (does not require a Duo Authentication Proxy or SAML IdP - supported on PAN-OS 8.0 and later).
  • SAML integration for on-premise servers (supported on PAN-OS 8.0 and later).
To enable SAML MFA between the firewall and Duo to secure administrative access to the firewall:

Configure Duo for SAML MFA with Duo Access Gateway

Before you begin, verify that you have deployed the Duo Access Gateway (DAG) on an on-premise server in your DMZ zone.
Create your Duo administrator account and configure the Duo Access Gateway to authenticate your users before they can access resources.
  1. Create your Duo administrator account.
    1. On the Duo account creation page, enter your First Name, Last Name, Email Address, Cell Phone Number, and Company / Account Name, and select the number of employees in the organization.
    2. Agree to the Terms and Privacy Policy and respond to the reCAPTCHA challenge to Create My Account.
  2. Verify your Duo administrator account.
    1. Select the authentication verification method (Duo Push, Text Me, or Calling...).
    2. Enter the Passcode you receive and Submit it to verify your account.
  3. Configure your Duo service for SAML.
    After creating your configuration, download the configuration file at the top of the page.
    1. In the Duo Admin Panel, select Applications > Protect an Application.
    2. Enter Palo Alto Networks to search the applications.
    3. Locate SAML - Palo Alto Networks in the list of results, then Protect this Application.
    4. Enter the Domain.
    5. Select Admin UI as the Palo Alto Networks Service.
    6. Configure your Policy and other Settings, and Save Configuration.
    7. Download your configuration file. The link to download the file is at the top of the page.
  4. Upload the configuration file to the Duo Access Gateway (DAG).
    1. In the DAG admin console, select Applications.
    2. Click Choose File and select the configuration file you downloaded, then Upload it.
    3. In Settings > Session Management, disable User agent binding, then Save Settings.
  5. In the DAG admin console, configure your Active Directory or OpenLDAP server as the authentication source and download the metadata file.
    1. Log in to the DAG admin console.
    2. In Authentication Source > Set Active Source, select your Source type (Active Directory or OpenLDAP) and Set Active Source.
    3. In Configure Sources, enter the Attributes.
      • For Active Directory, enter mail,sAMAccountName,userPrincipalName,objectGUID.
      • For OpenLDAP, enter mail,uid.
      • For any custom attributes, append them to the end of the list and separate each attribute with a comma. Do not delete any existing attributes.
    4. Save Settings to save the configuration.
    5. Select Applications > Metadata, then click Download XML metadata to download the XML metadata you will need to import into the firewall.
      The file is named dag.xml. Because this file includes sensitive information used to authenticate your Duo account with the firewall, keep it in a secure location so that the information is not compromised.

Configure the Firewall to Integrate with Duo

  1. Import the Duo metadata.
    1. Log on to the firewall web interface.
    2. On the firewall, select Device > Server Profiles > SAML Identity Provider > Import.
    3. Enter the Profile Name.
    4. Browse to the Identity Provider Metadata file (dag.xml).
    5. Disable Validate Identity Provider Certificate, then click OK.
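An added check, not part of the Palo Alto Networks or Duo documentation, for the dag.xml you just imported: because Validate Identity Provider Certificate is disabled in this setup, parse the metadata yourself and record the signing certificate's SHA-256 fingerprint and the SSO endpoints so you can compare them against what the imported SAML IdP profile shows. The XML, host names (dag.example.com) and certificate bytes below are constructed placeholders, not values from a real Duo Access Gateway.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for dag.xml: host names and certificate bytes are placeholders.
CONSTRUCTED_CERT_B64 = base64.b64encode(b"placeholder-not-a-real-der-certificate").decode()
SAMPLE_DAG_XML = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://dag.example.com/dag/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CONSTRUCTED_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://dag.example.com/dag/saml2/idp/SSOService.php"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dag.example.com/dag/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes, the fingerprint form a certificate viewer shows."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()

def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what the firewall import consumes: entityID, SSO endpoints, signing cert."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing = [kd for kd in idp.findall("md:KeyDescriptor", NS)
               if kd.get("use", "signing") == "signing"]
    certs = [c.text.strip() for kd in signing
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate: the firewall cannot verify IdP assertions")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {
        "entity_id": root.get("entityID"),
        "sso": sso,
        # Compare these against the certificate shown on the imported SAML IdP profile.
        "signing_cert_sha256": [cert_fingerprint(c) for c in certs],
        # IdP cert validation is disabled above, so at least insist every SSO endpoint is HTTPS.
        "all_https": all(loc.startswith("https://") for loc in sso.values()),
    }
```

Run it against the real dag.xml by reading the file into parse_idp_metadata instead of SAMPLE_DAG_XML; a fingerprint that differs from the one on the firewall, or an endpoint that is not HTTPS, means the metadata was altered or mis-exported and should not be trusted.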
  2. Add an authentication profile.
    The authentication profile designates Duo as the identity provider that validates administrator login credentials.
    1. Add an Authentication Profile.
    2. Enter the profile Name.
    3. Select SAML as the authentication Type.
    4. Select Duo Access Gateway Profile as the IdP Server Profile.
    5. For Certificate for Signing Requests, select the certificate you want to use for SAML communication with the Duo Access Gateway.
    6. Enter user.username as the Username Attribute.
    7. Select Advanced to Add an allow list.
    8. Select all, then click OK.
    9. Commit the changes.
  3. Specify the authentication settings that the firewall uses for SAML authentication with Duo.
    1. Select Device > Setup > Management and edit the Authentication Settings.
    2. Select Duo Access Gateway as the Authentication Profile, then click OK.
    3. Commit your changes.
  4. Add accounts for administrators who will authenticate to the firewall using Duo.
    1. Select Device > Administrators and Add an account.
    2. Enter a user Name.
    3. Select Duo Access Gateway as the Authentication Profile.
    4. Select the Administrator Type, then click OK.
      Select Role Based if you want to use a custom role for the user. Otherwise, select Dynamic. To require administrators to log in using SSO with Duo, assign the authentication profile to all current administrators.

Verify MFA with Duo

  1. Log in to the web interface on the firewall.
  2. Select Use Single Sign-On and Continue.
  3. Enter your login credentials on the Duo Access Gateway login page.
  4. Select an authentication method (push notification, phone call, or passcode entry).
    When you authenticate successfully, you are redirected to the firewall web interface.