HID Palo Alto Networks and ActivID AAA User Manual

hidglobal.com
HID Global ActivID® AAA
and Palo Alto Networks GlobalProtect
Document Version 1.1 | Released | April 2014
HID Global and Palo Alto Networks Integration | Integration Handbook
External Release | © 2014 HID Global Corporation/ASSA ABLOY AB. All rights reserved.
Page | 2
Table of Contents
Table of Contents ... 2
1.0 Introduction ... 3
  1.1 Scope of Document ... 3
  1.2 Prerequisites ... 3
2.0 GlobalProtect Configuration ... 4
  2.1 Configuring User Authentication ... 5
  2.2 Authentication Profile ... 6
  2.3 Configuring the SSL VPN Global Protect ... 7
    2.3.1 Configuring the security zone ... 7
    2.3.2 Configuring the tunnel interface ... 8
    2.3.1 Configuring the SSL Certificate ... 10
    2.3.2 Configuring the portal ... 12
    2.3.3 Configuring the gateway ... 15
3.0 AAA Configuration: Sequence of Procedures ... 18
  3.1 Procedure 1: Configure the PALO ALTO NETWORKS Gate ... 18
  3.2 Procedure 2: Assign Group(s) to the PALO ALTO NETWORKS Gate ... 19
  3.3 Procedure 3 (optional): Create An Out-of-Band Delivery Gateway ... 21
  3.4 Procedure 4 (optional): Assign An SMS Token ... 23
4.0 Sample Authentication ... 24
1.0 Introduction
Palo Alto Networks GlobalProtect provides security for host systems, such as laptops, that are used in the field by allowing easy and secure login from anywhere in the world. With GlobalProtect, users are protected against threats even when they are not on the enterprise network, and application and content usage is controlled on the host system to prevent leakage of data, etc. This document covers the configuration of GlobalProtect with ActivID AAA for remote access VPN with HID Global solutions.
The HID Global Identity Assurance solutions that work with Palo Alto Networks incorporate VPN solutions that are versatile, with strong authentication that is flexible, scalable, and simple to manage. HID Global Identity Assurance offers two solutions:
ActivID® AAA Server for Remote Access addresses the security risks associated with a mobile workforce remotely accessing systems and data.
ActivID® Appliance offers support for multiple authentication methods that are useful for diverse audiences across a variety of service channels (SAML, RADIUS, etc.), including user name and password, mobile and PC soft tokens, one-time passwords, and transparent Web soft tokens.
1.1 Scope of Document
This document describes how to set up ActivID AAA authentication with Palo Alto Networks GlobalProtect to enable authentication via a hard/soft token or an OTP received by Email/SMS using an SSL-protected Palo Alto Networks VPN.
1.2 Prerequisites
ActivID AAA Server is up-to-date (version 6.7) with LDAP users and groups already configured.
For OOB authentication (optional):
  There is an existing Short Message Peer-to-Peer Protocol (SMPP) gateway to send one-time-password OOB codes to users.
  User phone numbers are declared in a functioning LDAP server.
Palo Alto Networks PAN OS 6.0 and later
GlobalProtect is already installed
2.0 GlobalProtect Configuration
1. Launch a supported web browser and enter the URL of the PAN management interface
https://ip_mgt_address
2. The browser automatically opens the Palo Alto Networks login page.
3. Enter admin in both the Name and Password fields, and click Login.
2.1 Configuring User Authentication
Identify the authentication method that will be used to authenticate GlobalProtect users. Palo Alto Networks next-generation firewalls support local database, LDAP, RADIUS or Kerberos authentication servers for authenticating users.
In this case we will use the ActivID AAA (RADIUS server) for authenticating users.
1. Navigate to Device > Server Profiles > Radius.
2. Specify the ActivID AAA IP address, port and the shared secret.
3. Click OK.
2.2 Authentication Profile
The authentication profile refers to the authentication method configured in the previous step. The authentication profile is then used to associate the authentication method in the GlobalProtect Portal configuration.
To create an authentication profile that uses the RADIUS server profile created above:
1. Click on the Device tab.
2. From the left pane, click Authentication Profile and click Add.
3. Enter a Name for the profile.
4. Choose the authentication method as RADIUS.
5. Select the HID server created previously (e.g., HID_IDP).
6. Click OK.
Important: When you specify a specific group, you must use a specific RADIUS dictionary on the AAA Server and also create an authorization profile. For more information on this topic, refer to the guide named 4TRESS_AAA_AdminGuide.pdf, specifically the section called Create a New RADIUS Authorization Profile. Also refer to the following vendor-specific requirements:
https://live.paloaltonetworks.com/docs/DOC-3189.
7. If only certain user groups are authorized, specify the authorized groups in the Allow List and remove “all”, which is set by default.
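The two settings configured above, the shared secret from section 2.1 and the group allow list from section 2.2, only make sense once you see what crosses the wire between the firewall and the AAA server. The following is an added example, written for this handbook and not code from HID Global or Palo Alto Networks: it builds a RADIUS Access-Request as the firewall would, hides the OTP with the RFC 2865 User-Password method, lets a constructed stand-in AAA server answer, and then verifies the Response Authenticator before trusting the reply or the group it carries. The user record, the secret and the group name are constructed test data; the Palo Alto Networks vendor ID (25461) and the PaloAlto-User-Group sub-attribute number (5) are assumptions taken from the public vendor dictionary the Important note refers to, so confirm them against that dictionary before relying on them.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
PAN_VENDOR_ID = 25461   # assumption: Palo Alto Networks enterprise number
PAN_USER_GROUP = 5      # assumption: PaloAlto-User-Group sub-attribute

# Constructed stand-in for the AAA server's user store: user -> (OTP, group)
USER_DB = {"alice": ("1234567890", "vpn-users")}


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS type/length/value triples."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse TLV attributes; refuse lengths that would loop or overrun."""
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with an MD5 chain."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16 if pw else 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        block = bytes(x ^ y for x, y in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the AAA server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def response_authenticator(code, ident, req_auth, attrs_bytes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + req_auth + attrs_bytes + secret).digest()


def build_access_request(user, password, secret, ident=1):
    req_auth = os.urandom(16)   # fresh Request Authenticator per request
    attrs = [(ATTR_USER_NAME, user.encode()),
             (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))]
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def aaa_server(request, secret):
    """Stand-in AAA server: check the OTP and return the user's group in a VSA."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    record = USER_DB.get(attrs[ATTR_USER_NAME].decode())
    if record and record[0] == reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth):
        group = record[1].encode()
        vsa = struct.pack("!I", PAN_VENDOR_ID) + struct.pack("!BB", PAN_USER_GROUP, len(group) + 2) + group
        code, body = ACCESS_ACCEPT, encode_attrs([(ATTR_VENDOR_SPECIFIC, vsa)])
    else:
        code, body = ACCESS_REJECT, b""
    resp_auth = response_authenticator(code, ident, req_auth, body, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + resp_auth + body


def check_reply(request, reply, secret):
    """Firewall side: verify the Response Authenticator before reading the reply."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1]:
        return "invalid", None
    expected = response_authenticator(code, ident, request[4:20], reply[20:length], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return "invalid", None   # wrong shared secret or tampered reply
    if code != ACCESS_ACCEPT:
        return "reject", None
    group = None
    for t, v in decode_attrs(reply[20:length]):
        if t == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == PAN_VENDOR_ID:
            for sub_t, sub_v in decode_attrs(v[4:]):
                if sub_t == PAN_USER_GROUP:
                    group = sub_v.decode()
    return "accept", group


def authenticate(user, password, secret, server_secret=None, allow_list=("vpn-users",)):
    """Whole exchange: returns accept, reject, invalid, or not-authorized."""
    request = build_access_request(user, password, secret)
    reply = aaa_server(request, secret if server_secret is None else server_secret)
    status, group = check_reply(request, reply, secret)
    if status == "accept" and group not in allow_list:
        return "not-authorized"   # authenticated, but outside the profile's Allow List
    return status


if __name__ == "__main__":
    print(authenticate("alice", "1234567890", b"s3cret"))                          # accept
    print(authenticate("alice", "1234567890", b"s3cret", server_secret=b"other"))  # invalid
```

The third call shows why a mistyped shared secret does not surface as a simple "bad password": the server decodes a garbage OTP and rejects, but it also signs the reply with its own secret, so the firewall's Response Authenticator check fails and the reply is discarded as invalid. When troubleshooting the integration, a RADIUS timeout on the firewall with a matching reject on the AAA server is the typical symptom of exactly this mismatch.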
2.3 Configuring the SSL VPN Global Protect
You must configure the SSL connection and related attributes in order to utilize the GlobalProtect functionality:
Portal - Palo Alto Networks firewall that provides centralized management for the GlobalProtect system.
Gateways - Palo Alto Networks firewalls that provide security enforcement for traffic from GlobalProtect agents.
The following sections describe the steps for the attributes that must be configured:
2.3.1 Configuring the Security zone
A security zone identifies one or more sources or destination interfaces on the firewall. When you define a security policy rule, you must specify the source and destination security zones of the traffic.
In our example, we have created a Layer 3 zone named “VPN SSL” to identify traffic coming from VPN SSL users.
1. To create this zone, click on the Network tab.
2. From the left pane, click Zones.
3. Click Add to add a new zone.
4. Enter a Name for the zone.
5. Choose Layer 3 for type.
6. Select Enable User Identification.
7. Click OK.
2.3.2 Configuring the tunnel interface
Each SSL connection (like a tunnel) is bound to a tunnel interface. It is necessary to assign the tunnel interface to the same virtual router as the incoming (clear text) traffic. This way, when a packet comes to the firewall, the route lookup function can determine the appropriate tunnel to use. The tunnel interface appears to the system as a normal interface, and the existing routing infrastructure can be applied.
In our example, the interface “tunnel.10” will be used for the VPN SSL traffic.