Hi, I am Matt from Duo Security.
In this video, I am going to show you how to protect your Palo Alto GlobalProtect VPN gateway with Duo two-factor authentication.
This application uses RADIUS and the Duo Authentication Proxy.
Before watching this video, be sure to read the documentation for this configuration at duo.com/docs/paloalto.
Note that in addition to this RADIUS-based configuration, you can also protect Palo Alto SSO logins with Duo.
Read about the options for that configuration at duo.com/docs/paloalto-sso.
Before setting up this Duo integration with Palo Alto, you must have a working primary authentication configuration for your SSL VPN users, such as LDAP authentication to Active Directory.
To integrate Duo with your Palo Alto VPN, you need to install a local proxy service on a machine within your network.
Before proceeding, you should locate or set up a system on which you will install the Duo Authentication Proxy.
The proxy supports Windows and Linux systems.
In this video, we will use a Windows Server 2016 system.
Note that this Duo proxy server also acts as a RADIUS server.
There is no need to deploy a separate RADIUS server to use Duo.
The Palo Alto device in this video is running PAN-OS 8.0.6.
The instructions for installing Duo protection via RADIUS on devices running older versions of PAN-OS differ slightly from what is shown in this video.
Reference the documentation for more information.
On the system you will install the Duo Authentication Proxy on, log in to the Duo Admin Panel.
In the left sidebar, navigate to Applications.
Click Protect an Application.
In the search bar, type palo alto.
Next to the entry for Palo Alto SSL VPN, click Protect this Application.
Note your integration key, secret key, and API hostname.
You will need these later during setup.
Near the top of the page, click the link to open the Duo documentation for Palo Alto.
Next, install the Duo Authentication Proxy.
In this video, we will use a 64-bit Windows Server 2016 system.
We recommend a system with at least one CPU, 200 megabytes of disk space, and 4 gigabytes of RAM.
On the documentation page, navigate to the Install the Duo Authentication Proxy section.
Click the link to download the latest version of the proxy for Windows.
Launch the installer on the server as a user with administrator rights and follow the on-screen prompts to complete installation.
After the installation completes, configure and start the proxy.
For the purposes of this video, we assume that you have some familiarity with the elements that make up the proxy configuration file and how to format them.
Comprehensive descriptions of each of these elements are available in the documentation.
The Duo Authentication Proxy configuration file is named authproxy.cfg and is located in the conf subdirectory of the proxy installation.
Run a text editor like WordPad as an administrator and open the configuration file.
By default, the file is located in C:\Program Files (x86)\Duo Security Authentication Proxy\conf.
Since this is a completely new installation of the proxy, there will be example content in the configuration file.
Delete this content.
First, configure the proxy for your primary authenticator.
For this example, we will use Active Directory.
Add an [ad_client] section to the top of the configuration file.
Add the host parameter and enter the hostname or IP address of your domain controller.
Then add the service_account_username parameter and enter the username of a domain member account that has permission to bind to your AD and perform searches.
Next, add the service_account_password parameter and enter the password that corresponds to the username entered above.
Finally, add the search_dn parameter and enter the LDAP distinguished name of the AD container or organizational unit that contains all of the users you want to permit to log in.
Additional optional variables for this section are described in the documentation.
Next, configure the proxy for your Palo Alto GlobalProtect gateway.
Create a [radius_server_auto] section below the [ad_client] section.
Add the integration key, secret key, and API hostname from the Palo Alto application's properties page in the Duo Admin Panel.
Add the radius_ip_1 parameter and enter the IP address of the Palo Alto GlobalProtect VPN.
Below that, add the radius_secret_1 parameter and enter a secret to be shared between the proxy and your VPN.
Add the client parameter and enter ad_client.
Palo Alto does not send the client IP address using the standard RADIUS attribute Calling-Station-ID.
A new RADIUS attribute containing the client IP address, PaloAlto-Client-Source-IP, was introduced in PAN-OS version 7.
To send the PaloAlto-Client-Source-IP attribute to Duo, add the client_ip_attr parameter and enter paloalto.
Additional optional variables for this [radius_server_auto] section are described in the documentation.
Save your configuration file.
Open an administrator command prompt and run net start DuoAuthProxy to start the proxy service.
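A pre-flight check for the authproxy.cfg described above, as an added example that is not from the video or from Duo: it parses the file and reports any setting from the walkthrough that is missing or inconsistent. The ikey, skey and api_host names are the proxy's parameter names for the integration key, secret key and API hostname; the function name is hypothetical and every sample value is a constructed placeholder.

```python
import configparser

# Constructed sample: every value is a placeholder, not a real credential.
SAMPLE_CFG = """\
[ad_client]
host=10.0.0.10
service_account_username=duoservice
service_account_password=EXAMPLE-PASSWORD
search_dn=OU=VPN Users,DC=example,DC=com
[radius_server_auto]
ikey=EXAMPLE-INTEGRATION-KEY
skey=EXAMPLE-SECRET-KEY
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=10.0.0.1
radius_secret_1=EXAMPLE-SHARED-SECRET
client=ad_client
client_ip_attr=paloalto
"""

REQUIRED = {
    "ad_client": ["host", "service_account_username",
                  "service_account_password", "search_dn"],
    "radius_server_auto": ["ikey", "skey", "api_host", "client"],
}

def audit_authproxy(cfg_text):
    """Return findings; an empty list means the walkthrough's settings are present."""
    cfg = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cfg.read_string(cfg_text)
    findings = []
    for section, keys in REQUIRED.items():
        if not cfg.has_section(section):
            findings.append(f"missing section [{section}]")
            continue
        for key in keys:
            if not cfg.get(section, key, fallback="").strip():
                findings.append(f"[{section}] {key} is missing or empty")
    if cfg.has_section("radius_server_auto"):
        rs = cfg["radius_server_auto"]
        client = rs.get("client", "")
        if client and not cfg.has_section(client):
            findings.append(f"client={client} names a section that does not exist")
        # Each radius_ip_N needs a radius_secret_N with the same N, and vice versa.
        ips = {k[len("radius_ip_"):] for k in rs if k.startswith("radius_ip_")}
        secrets = {k[len("radius_secret_"):] for k in rs if k.startswith("radius_secret_")}
        for n in sorted(ips ^ secrets):
            findings.append(f"radius_ip_{n}/radius_secret_{n} is not a complete pair")
        if rs.get("client_ip_attr", "") != "paloalto":
            findings.append("client_ip_attr is not paloalto; client IP will not reach Duo")
    return findings
```

The file holds the service account password, the Duo secret key and the RADIUS shared secret in clear text, so run the check on the proxy host rather than copying the file elsewhere.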
Next, configure your Palo Alto GlobalProtect gateway.
First, we will add the Duo RADIUS server.
Log in to the Palo Alto administrative interface.
Click the Device tab.
In the left sidebar, navigate to Server Profiles, RADIUS.
Click the Add button to add a new RADIUS server profile.
In the Name field, enter Duo RADIUS.
Increase the timeout to at least 30.
We recommend using 60 if you are using push or phone authentication, so we will use 60 in this example.
From the dropdown for authentication protocol, select PAP.
In the Servers section, click Add.
In the Name field, enter Duo RADIUS.
In the RADIUS Server field, enter the hostname or IP address of your Duo Authentication Proxy.
In the Secret field, enter the RADIUS shared secret used in the authentication proxy configuration.
Leave or set the port to 1812, as that is the default used by the proxy.
If you used a different port during your Authentication Proxy setup, be sure to use that here.
Click OK to save the new RADIUS server profile.
Now add an authentication profile.
In the left sidebar, navigate to Authentication Profile.
Click the Add button.
In the Name field, enter Duo.
In the Type dropdown, select RADIUS.
In the Server Profile dropdown, select Duo RADIUS.
Depending on how your users log in to GlobalProtect, you may need to enter your authentication domain name in the User Domain field.
This is used in conjunction with the Username Modifier field.
If the Username Modifier is left blank or is set to %USERINPUT%, then the user's input is unmodified.
You can prepend or append the value of %USERDOMAIN% to preconfigure the username input.
Learn more about both of these items in the GlobalProtect documentation hosted on Palo Alto's website, which is linked in the Duo documentation.
Click the Advanced tab and click Add.
Select the All group.
Click OK to save the authentication profile.
Next, configure your GlobalProtect gateway settings.
In the Palo Alto administrative interface, click the Network tab.
In the left sidebar, navigate to GlobalProtect, Gateways.
Select your configured GlobalProtect gateway.
Click the Authentication tab.
In the entry for your Client Authentication, in the Authentication Profile dropdown, select the Duo authentication profile you created earlier.
If you are not using authentication override cookies on your GlobalProtect gateway, you may want to enable them to minimize Duo authentication requests at client reconnection during one gateway session.
You will need a certificate to use with the cookie.
Click the Agent tab.
Click the Client Settings tab.
Click the name of your configuration to open it.
On the Authentication Override tab, check the boxes to generate and accept cookies for authentication override.
Enter a Cookie Lifetime.
In this example, we will use 8 hours.
Select a certificate to use with the cookie.
Click OK and then click OK again to save your gateway settings.
Now configure your portal settings.
If the GlobalProtect portal is configured for Duo two-factor authentication, users may have to authenticate twice when connecting to the GlobalProtect gateway agent.
For the best user experience, Duo recommends leaving your GlobalProtect portal set to use LDAP or Kerberos authentication.
If you do add Duo to your GlobalProtect portal, we also recommend that you enable cookies for authentication override on your portal to avoid multiple Duo prompts for authentication when connecting.
In the Palo Alto administrative interface, from the Network tab, navigate to GlobalProtect, Portal.
Click your configured profile.
Click the Authentication tab.
In the entry for your client authentication, in the Authentication Profile dropdown, select the Duo authentication profile you configured earlier.
Click the Agent tab.
Click the entry for your configuration.
On the Authentication tab, in the Authentication Override section, check the boxes to generate and accept cookies for authentication override.
Enter a Cookie Lifetime.
In this example, we will use eight hours.
Select a certificate to use with the cookie.
Click OK and then click OK again to save your gateway settings.
To make your changes take effect, click the Commit button in the upper-right corner of the Palo Alto administrative interface.
Review your changes and click Commit again.
Now finish configuring your Palo Alto device to send the client IP to Duo.
Connect to the Palo Alto device administration shell.
Using the command from step one of the client IP reporting section of the Duo for Palo Alto documentation, enable sending the PaloAlto-Client-Source-IP client IP attribute.
After installing and configuring Duo for your Palo Alto GlobalProtect VPN, test your setup.
Using a username that has been enrolled in Duo and that has activated the Duo Mobile application on a smartphone, attempt to connect to your VPN using your GlobalProtect gateway agent.
You will receive an automatic push on the Duo Mobile application on your smartphone.
Open the notification, check the contextual information to confirm the login is legitimate, approve it, and you are logged in.
Note that you can also append a form factor to the end of your password when logging in to use a passcode or manually select a two-factor authentication method.
Reference the documentation for more information.
You have successfully set up Duo on your Palo Alto GlobalProtect gateway.