
Palo Alto Networks VPN configuration for the LastPass Universal Proxy RADIUS protocol

    About this task:
    Note: Only Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) modes are supported by the service.

    Enable cookie generation on the GlobalProtect Portal

    1. Go to Network > GlobalProtect > Portals.
    2. Open your Portal Profile.
    3. Click the Agent tab and click Agent Config.
    4. In the Configs window, Authentication tab, check the Generate cookie for authentication override checkbox.
    5. Click OK.

    Enable cookie acceptance in the GlobalProtect Gateway

    1. Navigate to Network > GlobalProtect > Gateways.
    2. Open your Gateway Profile.
    3. Click the Agent tab.
    4. Click the Client Settings tab and open Client Config.
    5. In the Configs window, Authentication Override tab, check the Accept cookie for authentication override checkbox.
    6. Click OK.

    Set the GlobalProtect connection timeout to 60 seconds on the Palo Alto server

    Increase the authentication timeout to 60 seconds.
    Note:

    The LastPass Authenticator app push notification timeout is 60 seconds, so set the authentication timeout to 60 seconds as well.

    The authentication timeout is calculated as the configured connection timeout minus 5 seconds. The default connection timeout is 30 seconds, which makes the default authentication timeout 25 seconds.

    You can only change the authentication timeout settings from the CLI:

    1. SSH into the Palo Alto server from the command line.
    2. Run the following commands to increase the default timeout value to 60 seconds:
      vpnadmin@paloaltovpntest> configure
      Entering configuration mode
      [edit]
      vpnadmin@paloaltovpntest# set deviceconfig setting global-protect timeout 65
      [edit]
      vpnadmin@paloaltovpntest# commit
      Note: To get an authentication timeout of 60 seconds, set timeout to 65 (5 seconds more), because the server subtracts 5 seconds in its calculation.
    3. Run the following command to check the modified setting:
      vpnadmin@paloaltovpntest#  show deviceconfig setting global-protect

      Result:

      If set correctly, the following result appears:

      global-protect {
        timeout 65;
      }

    Add a RADIUS server profile

    1. In the Palo Alto Networks admin portal, go to Device > Server Profiles > RADIUS.
    2. Click Add to add a new RADIUS Server Profile.
      1. In the Profile Name field, enter a profile name.
      2. In the Server Settings group box, set the following:
        • Timeout (sec): 61
        • Retries: 1
        • Authentication Protocol: PAP
    3. In the Servers group box, click Add.
      1. Enter a Name to identify the server.
      2. Enter the RADIUS Server IP address or FQDN.
      3. Enter the RADIUS Secret. It must be the same secret that was set in the Universal Proxy configuration.
      4. Enter a Port number. The default is 1812 for authentication.
    4. Click OK to save the server profile.

      Assign the RADIUS server profile to an authentication profile:

    5. Select Authentication Profile in the left navigation.
    6. Click Add.
    7. Enter a Name for the Authentication Profile. This profile will be assigned to the GlobalProtect Portal configuration.
    8. On the Authentication tab, set the following:
      • For the Type drop-down menu, select RADIUS.
      • For the Server Profile drop-down menu, select the previously configured RADIUS profile.
    9. On the Authentication Profile window, click the Advanced tab.
    10. In the Allow List group box, Add the users and groups that are allowed to authenticate with this authentication profile.
    11. Click OK to save the authentication profile.
    Results: You have now configured RADIUS authentication for your Palo Alto VPN.
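
The following check is an added example, not part of the original LastPass or Palo Alto Networks material. It parses pasted output of `show deviceconfig setting global-protect` and compares the resulting authentication timeout and the RADIUS server profile values against the ones this guide sets. The function names, the dictionary keys, and the assumption that an unconfigured timeout produces no `timeout` line are hypothetical.

```python
import re

# Values stated in this guide.
PUSH_TIMEOUT = 60          # LastPass Authenticator push notification timeout (s)
SERVER_MARGIN = 5          # authentication timeout = connection timeout - 5 s
DEFAULT_CONN_TIMEOUT = 30  # default connection timeout when none is configured
SUPPORTED_PROTOCOLS = {"PAP", "CHAP"}
RADIUS_TIMEOUT, RADIUS_RETRIES = 61, 1  # RADIUS server profile settings


def connection_timeout(show_output):
    """Extract 'timeout N;' from the global-protect block, else the default."""
    block = re.search(r"global-protect\s*\{(.*?)\}", show_output, re.S)
    if block:
        m = re.search(r"^\s*timeout\s+(\d+)\s*;", block.group(1), re.M)
        if m:
            return int(m.group(1))
    return DEFAULT_CONN_TIMEOUT


def audit(show_output, radius_profile):
    """Return a list of findings; an empty list means the settings match."""
    findings = []
    auth_timeout = connection_timeout(show_output) - SERVER_MARGIN
    if auth_timeout < PUSH_TIMEOUT:
        findings.append(
            f"authentication timeout is {auth_timeout}s, below the "
            f"{PUSH_TIMEOUT}s push timeout: set global-protect timeout "
            f"to {PUSH_TIMEOUT + SERVER_MARGIN}")
    protocol = str(radius_profile.get("protocol", "")).upper()
    if protocol not in SUPPORTED_PROTOCOLS:
        findings.append(f"protocol {protocol!r} is not PAP or CHAP")
    if radius_profile.get("timeout") != RADIUS_TIMEOUT:
        findings.append(f"RADIUS timeout should be {RADIUS_TIMEOUT}s")
    if radius_profile.get("retries") != RADIUS_RETRIES:
        findings.append(f"RADIUS retries should be {RADIUS_RETRIES}")
    return findings


# Constructed sample inputs: CLI output pasted as text, and the RADIUS server
# profile fields copied by hand into a dict (hypothetical key names).
GOOD = "global-protect {\n  timeout 65;\n}\n"
UNSET = ""  # nothing configured, so the 30 s default applies
PROFILE = {"protocol": "PAP", "timeout": 61, "retries": 1}

if __name__ == "__main__":
    for name, out in (("configured", GOOD), ("default", UNSET)):
        print(name, audit(out, PROFILE) or "OK")
```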