Configure MFA Between Duo and the Firewall
Multi-factor authentication (MFA) allows you to protect company assets by using multiple factors to verify the identity of users before allowing them to access network resources. There are multiple ways to use the Duo identity management service to authenticate with the firewall:
- SAML integration for on-premise servers (supported on PAN-OS 8.0 and later).
To enable SAML MFA between the firewall and Duo to secure administrative access to the firewall:
Configure Duo for SAML MFA with Duo Access Gateway
Create your Duo administrator account and configure the Duo Access Gateway to authenticate your users before they can access resources.
- Create your Duo administrator account.
- On the Duo account creation page, enter your First Name, Last Name, Email Address, Cell Phone Number, Company / Account Name, and select the number of employees in the organization.
- Verify your Duo administrator account.
- Select the authentication verification method (Duo Push, Text Me, or Calling...).
- Enter the Passcode you receive and Submit it to verify your account.
- Configure your Duo service for SAML. After creating your configuration, download the configuration file at the top of the page.
- In the Duo Admin Panel, select Applications > Protect an Application.
- Enter Palo Alto Networks to search the applications.
- Locate SAML - Palo Alto Networks in the list of results, then Protect this Application.
- Enter the Domain.
- Select Admin UI as the Palo Alto Networks Service.
- Configure your Policy and other Settings, and Save Configuration.
- Download your configuration file. The link to download the file is at the top of the page.
- Upload the configuration file to the Duo Access Gateway (DAG).
- In the DAG admin console, select Applications.
- Click Choose File and select the configuration file you downloaded, then Upload it.
- In Settings > Session Management, disable User agent binding, then Save Settings.
- In the DAG admin console, configure your Active Directory or OpenLDAP server as the authentication source and download the metadata file.
- Log in to the DAG admin console.
- In Authentication Source > Set Active Source, select your Source type (Active Directory or OpenLDAP) and Set Active Source.
- In Configure Sources, enter the Attributes.
- For Active Directory, enter mail,sAMAccountName,userPrincipalName,objectGUID.
- For OpenLDAP, enter mail,uid.
- For any custom attributes, append them to the end of the list and separate each attribute with a comma. Do not delete any existing attributes.
- Save Settings to save the configuration.
- Select Applications > Metadata, then click Download XML metadata to download the XML metadata you will need to import into the firewall. The file will be named dag.xml. Because this file includes sensitive information used to authenticate your Duo account with the firewall, keep the file in a secure location to avoid compromising this information.
Configure the Firewall to Integrate with Duo
- Import the Duo metadata.
- Log on to the firewall web interface.
- On the firewall, select Device > Server Profiles > SAML Identity Provider > Import.
- Enter the Profile Name.
- Browse to the Identity Provider Metadata file (dag.xml).
- If the Duo Access Gateway provides a self-signed certificate as the signing certificate for the IdP, you cannot Validate Identity Provider Certificate. In this case, ensure that you are using PAN-OS 9.0.9 or a later 9.0 version to mitigate exposure to CVE-2020-2021.
- Add an authentication profile. The authentication profile designates Duo as the identity provider that validates administrator login credentials.
- Add an Authentication Profile.
- Enter the profile Name.
- Select SAML as the authentication Type.
- Select Duo Access Gateway Profile as the IdP Server Profile.
- Select the certificate you want to use for SAML communication with the Duo Access Gateway as the Certificate for Signing Requests.
- Enter duo_username as the Username Attribute.
- Select Advanced to Add an allow list.
- Select all, then click OK.
- Commit the changes.
- Specify the authentication settings that the firewall uses for SAML authentication with Duo.
- Select Device > Setup > Management and edit the Authentication Settings.
- Select Duo Access Gateway as the Authentication Profile, then click OK.
- Commit your changes.
- Add accounts for administrators who will authenticate to the firewall using Duo.
- Select Device > Administrators and Add an account.
- Enter a user Name.
- Select Duo Access Gateway as the Authentication Profile.
- Select the Administrator Type, then click OK. Select Role Based if you want to use a custom role for the user. Otherwise, select Dynamic. To require administrators to log in using SSO with Duo, assign the authentication profile to all current administrators.
Verify MFA with Duo
- Log in to the web interface on the firewall.
- Select Use Single Sign-On and Continue.
- Enter your login credentials on the Duo Access Gateway login page.
- Select an authentication method (push notification, phone call, or passcode entry). When you authenticate successfully, you will be redirected to the firewall web interface.