Integration Guide for Palo Alto Networks GlobalProtect VPN

Before starting, make sure GreenRADIUS is configured with users imported from your LDAP and can communicate with your Palo Alto GlobalProtect device.

Configuring GreenRADIUS for Palo Alto GlobalProtect

In the GreenRADIUS web admin interface, add the Palo Alto GlobalProtect as a RADIUS client.

  1. Click the Domain tab
  2. Click the domain name where you want to add the Palo Alto GlobalProtect as a RADIUS client
  3. Click the RADIUS Clients tab
  4. Enter the IP address of the Palo Alto GlobalProtect. Then enter the same RADIUS secret twice. Then click the Add button.

RADIUS Client Configuration

Configuring Palo Alto GlobalProtect

Add GreenRADIUS as a RADIUS Server

  1. Log in to the Palo Alto GlobalProtect admin interface
  2. On the Device tab, navigate to Server Profiles, then RADIUS. Click Add.
  3. In the Name field, enter "GreenRADIUS"
  4. Set the timeout value to 10 seconds (or 45 seconds if using our Green Rocket 2FA Mobile App)
  5. Configure the "Authentication Protocol" drop-down to "PAP". Note: PAN-OS 7.X users must set the protocol via command line using this command: set authentication radius-auth-type pap
  6. In the Servers section, click Add. Then enter the following:
     • Server: GreenRADIUS
     • RADIUS Server: [IP address or hostname of GreenRADIUS]
     • Secret: [enter the same RADIUS secret as configured in GreenRADIUS for the Palo Alto GlobalProtect]
     • Port: 1812
  7. Click OK

RADIUS Server Profile

Add an Authentication Profile

  1. On the Device tab, navigate to Authentication Profile
  2. Click the New... button. Then enter the following:
     • Name: GreenRADIUS
     • Type: RADIUS
     • Server Profile: GreenRADIUS
     • User Domain: Optional, leave blank if you only have one domain configured in GreenRADIUS
     • Username Modifier: Optional, leave blank if you only have one domain configured in GreenRADIUS
  3. Click the Advanced tab. In the "Allow List" section, select the "all" group.
  4. Click OK

Authentication Profile

Configure Palo Alto GlobalProtect

  1. On the Network tab, navigate to GlobalProtect, then Gateways
  2. Click on the GlobalProtect Gateway to display the properties window
  3. On the Authentication tab, select the GreenRADIUS authentication profile

Authentication Profile

  4. Click the Agent tab, then click the Client Settings tab. Click the name of your configuration.
  5. On the Authentication Override tab, check the checkboxes for both "Generate cookie for authentication override" and "Accept cookie for authentication override". Set the Cookie Lifetime as desired. Select a certificate to use with the cookie.

Authentication Override

  6. Click OK twice

Configure the GlobalProtect Portal

  1. On the Network tab, navigate to GlobalProtect, then Portal
  2. Click on your GlobalProtect Portal to display the properties window
  3. On the Authentication tab, select the GreenRADIUS authentication profile

Authentication Profile

  4. Click the Agent tab, then click the name of your configuration.
  5. On the Authentication tab, check the checkboxes for both "Generate cookie for authentication override" and "Accept cookie for authentication override". Set the Cookie Lifetime as desired. Select a certificate to use with the cookie.

Authentication Override

  6. Click OK twice

Commit and Save the Settings

  1. Click the Commit button to make the changes take effect

You may now start testing Palo Alto GlobalProtect logins. Check the Authentication Requests report in GreenRADIUS (under the Reports tab) to make sure Palo Alto GlobalProtect logins are being validated by GreenRADIUS.
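The RADIUS server profile above uses PAP, where the password travels in the Access-Request hidden only by an MD5 keystream derived from the shared secret. The following added example (not code from Green Rocket Security or Palo Alto Networks) builds such a request as RFC 2865 describes and shows what the server recovers with a matching and a mismatched secret; the function names, user, password and secrets are constructed for illustration.

```python
import hashlib
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2  # RFC 2865 code and attribute types

def _keystream(secret: bytes, prev: bytes) -> bytes:
    return hashlib.md5(secret + prev).digest()

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide User-Password as RFC 2865 section 5.2 specifies for PAP."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], _keystream(secret, prev)))
        out += prev                                  # each block keys the next
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password the way the RADIUS server does with its secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _keystream(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def build_access_request(user, password, secret, authenticator, ident=1) -> bytes:
    """Assemble code, identifier, length, authenticator, then the attributes."""
    fields = ((USER_NAME, user.encode()),
              (USER_PASSWORD, pap_hide(password.encode(), secret, authenticator)))
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in fields)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    """Walk the type-length-value attributes that follow the 20-byte header."""
    (length,) = struct.unpack("!H", packet[2:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

if __name__ == "__main__":
    auth = bytes(range(16))                  # constructed; real requests use random bytes
    pkt = build_access_request("alice", "constructed-pass-123456", b"constructed-secret", auth)
    hidden = parse_attributes(pkt)[USER_PASSWORD]
    print(pap_reveal(hidden, b"constructed-secret", auth))   # matching secret
    print(pap_reveal(hidden, b"mistyped-secret", auth))      # mismatched secret
```

With a mismatched secret the server recovers garbage instead of the typed password, so the login is rejected even when the user entered correct credentials. Because the hiding depends entirely on the secret, use a long random value and keep the path between the firewall and GreenRADIUS on a trusted network segment.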

Updated 2021-09-28
© 2024 Green Rocket Security Inc. All rights reserved.