HID Palo Alto Networks and ActivID AS User Manual

hidglobal.com
ActivID Appliance
and Palo Alto Networks (GlobalProtect)
RADIUS Channel Integration Handbook
Document Version 1.3 | Released | April 2014
ActivID Appliance RADIUS and Palo Alto Networks Integration | RADIUS Channel Integration Handbook
External Release | © 2014
2
Table of Contents
Table of Contents .... 2
1.0 Introduction .... 3
1.1 Scope of Document .... 3
1.2 Prerequisites .... 3
2.0 GlobalProtect Configuration .... 4
2.1 Configuring User Authentication .... 5
2.2 Authentication Profile .... 6
2.3 Configuring the SSL VPN GlobalProtect .... 7
2.3.1 Configuring the security zone .... 7
2.3.2 Configuring the tunnel interface .... 8
2.3.3 Configuring the SSL Certificate .... 9
2.3.1 Configuring the portal .... 11
2.3.2 Configuring the gateway .... 14
3.0 ActivID Appliance Configuration: Sequence of Procedures .... 14
3.1 Configure RADIUS Channel .... 17
3.2 Managing User Repositories: An Overview .... 21
3.2.1 Create User Repository .... 21
3.3 Configure Administration Groups, User Types, User Repositories, and Authentication Policies .... 23
3.4 (optionally for OOB Authentication) Create OOB Delivery Gateway .... 24
3.5 (optionally for OOB Authentication) Assign An Out-of-Band Delivery Gateway .... 25
3.6 (optionally for OOB Authentication) Assign An Out-of-Band Delivery Credential to An Existing Authentication Policy .... 26
3.7 (Optionally for OOB authentication) Assign An SMS Token .... 26
4.0 Sample Authentication .... 29
HID Global Corporation/ASSA ABLOY AB. All rights reserved. Page |
1.0 Introduction
Palo Alto Networks GlobalProtect provides security for host systems, such as laptops, that are used in the field by allowing easy and secure login from anywhere in the world. With GlobalProtect, users are protected against threats even when they are not on the enterprise network, and application and content usage is controlled on the host system to prevent leakage of data, and other types of security breaches. This document covers the configuration of GlobalProtect with ActivID Appliance for remote access VPN with HID Global solutions.
The HID Global ActivID solutions that work with Palo Alto Networks incorporate VPN solutions that are versatile, with strong authentication that is flexible, scalable, and simple to manage. HID Global Identity Assurance offers two solutions:
ActivID® AAA Server for Remote Access addresses the security risks associated with a mobile workforce remotely accessing systems and data.
ActivID® Appliance offers support for multiple authentication methods that are useful for diverse audiences across a variety of service channels (SAML, RADIUS, etc.), including user name and password, mobile and PC soft tokens, one-time passwords, and transparent Web soft tokens.
1.1 Scope of Document
This document explains how to set up ActivID Appliance authentication with Palo Alto Networks GlobalProtect via a RADIUS channel. Use this handbook to enable authentication via a hard/soft token or an OTP received by Email/SMS for use with an SSL-protected Palo Alto Networks VPN.
1.2 Prerequisites
ActivID Appliance 7.2 SP1 and later
Palo Alto Networks PAN OS 6.0 and later
GlobalProtect is already installed
For OOB authentication (Optional): There is an existing Short Message Peer-to-Peer Protocol / Simple Mail Transfer Protocol (SMPP/SMTP) gateway to send one-time-password OOB codes to users.
2.0 GlobalProtect Configuration
1. Launch a supported web browser and enter the URL of the PAN management interface: https://ip_mgt_address
2. The browser automatically opens the Palo Alto Networks login page.
3. Enter admin in both the Name and Password fields, and click Login.
2.1 Configuring User Authentication
Identify the authentication method that will be used to authenticate GlobalProtect users. Palo Alto Networks next-generation firewalls support local database, LDAP, RADIUS or Kerberos authentication servers for authenticating users.
In this case we will use the ActivID AAA (RADIUS server) for authenticating users.
1. Navigate to Device > Server Profiles > RADIUS.
2. Specify the ActivID AAA IP address, port and the shared secret.
3. Click OK.
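The shared secret entered in step 2 never travels on the wire: the firewall (acting as the RADIUS client, or NAS) uses it to hide the User-Password attribute it sends, and to check that an Access-Accept really came from the appliance that received its request. The following Python script, added here as an illustration and not taken from this handbook or from HID Global's or Palo Alto Networks' software, walks through that RFC 2865 exchange end to end. The secret, the user name "alice", the password and the NAS address 10.0.0.1 are constructed values.

```python
"""RADIUS PAP exchange as defined in RFC 2865, showing what the shared secret does.

Added example: not code from the handbook, HID Global or Palo Alto Networks.
The secret, NAS address, user name and password used below are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR the zero-padded password with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the zero padding again."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes that follow the 20-byte header."""
    attrs, i = {}, 20
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def build_access_request(identifier, username, password, secret, nas_ip, request_auth=None):
    """Access-Request as the firewall (the NAS) sends it to the ActivID RADIUS server."""
    request_auth = request_auth or os.urandom(16)   # 16 unpredictable bytes per RFC 2865
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, identifier, attrs, request_auth, secret):
    """Access-Accept/Reject as the server builds it, bound to the request it answers."""
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(packet, request_auth, secret):
    """NAS-side check. Returns the response code, or None when the packet is not a
    genuine reply to our request (wrong secret, altered code, or truncated)."""
    if len(packet) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return code


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"          # must match on firewall and appliance
    request = build_access_request(7, "alice", "Passw0rd!", SECRET, "10.0.0.1")
    request_auth = request[4:20]
    received = parse_attributes(request)
    print("server sees user", received[ATTR_USER_NAME],
          "password", reveal_password(received[ATTR_USER_PASSWORD], SECRET, request_auth))
    accept = build_response(ACCESS_ACCEPT, 7, b"", request_auth, SECRET)
    print("verified response code:", verify_response(accept, request_auth, SECRET))
```

Run the script directly to see both sides of the exchange. A practical consequence of verify_response is worth knowing when troubleshooting this integration: a reply whose Response Authenticator does not match is silently discarded by the RADIUS client, so a shared secret that differs between the firewall profile and the appliance shows up as a request timeout rather than an explicit authentication failure.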
2.2 Authentication Profile
The authentication profile refers to the authentication method configured in the previous step. The authentication profile is then used to associate the authentication method in the GlobalProtect Portal configuration.
To create an authentication profile for the RADIUS users created above:
1. Click on the Device tab
2. From the left pane, click Authentication P rofile and click Add.
3. Enter a Name for the profile.
4. Choose the authentication method as RADIUS.
5. Select the HID server created previously (e.g., HID_IDP).
6. Click OK.
2.3 Configuring the SSL VPN GlobalProtect
You must configure the SSL connection and related attributes in order to utilize the GlobalProtect functionality:
Portal - Palo Alto Networks firewall that provides centralized management for the GlobalProtect system.
Gateways - Palo Alto Networks firewalls that provide security enforcement for traffic from GlobalProtect agents.
The following sections describe the steps for the attributes that must be configured:
2.3.1 Configuring the Security Zone
A security zone identifies one or more sources or destination interfaces on the firewall. When you define a security policy rule, you must specify the source and destination security zones of the traffic.
In our example, we have created a Layer 3 zone named "VPN SSL" in order to identify traffic coming from VPN SSL users.
1. To create this zone, click on the tab Network.
2. From the left pane, click Zones.
3. Click Add to add a new zone.
4. Enter a Name for the zone.
5. Choose Layer 3 for type.
6. Select Enable User Identification.
7. Click OK.
2.3.2 Configuring the tunnel interface
Each SSL connection (like a tunnel) is bound to a tunnel interface. It is necessary to assign the tunnel interface to the same virtual router as the incoming (clear text) traffic. This way, when a packet comes to the firewall, the route lookup function can determine the appropriate tunnel to use. The tunnel interface appears to the system as a normal interface, and the existing routing infrastructure can be applied.
In our example, the interface "tunnel.10" will be used for the VPN SSL traffic.
1. To create this tunnel interface, click on the tab Network, then on the left pane, click Interfaces, and then click on the sub-tab Tunnel.
2. Click Add to add a new tunnel.
3. Enter an ID for the tunnel (“10”).
4. Assign the security zone created previously (in our example “VPN SSL”).
5. Click OK.
2.3.3 Configuring the SSL Certificate
This section describes how to create the SSL certificate which is presented when the users establish the VPN SSL connection.
1. To create or import the SSL Certificate, click on the tab Network, then from the left pane click Certificate.
2. If you have requested a certificate from a Certification Authority (e.g., VeriSign), you can import it by clicking Import.
OR
Click Generate to create a CSR for a self-signed certificate.
3. Confirm that the new certificate can be seen in the GUI.