 
 

MFA for Palo Alto VPN

Secure VPN logins with ADSelfService Plus


Palo Alto VPN MFA

VPNs are essential for enabling remote work, allowing employees to securely access corporate resources from outside the organization's network. Palo Alto Networks is a leading provider of cybersecurity solutions, including advanced VPN services that enable secure remote access. Palo Alto’s GlobalProtect VPN is widely used by organizations to safeguard their internal networks. However, relying solely on username and password authentication poses significant security risks. Passwords can be easily compromised through phishing attacks, brute force attacks, or simply by being weak or reused across multiple platforms. To mitigate these risks, implementing MFA has become a best practice for securing VPN logins.

MFA significantly reduces the likelihood of unauthorized access by requiring multiple forms of verification. Even if an attacker manages to obtain a user’s password, they would still need the additional factor(s) to successfully log in. ADSelfService Plus offers an advanced MFA feature that integrates seamlessly with the VPN infrastructure. It ensures compliance with industry standards like NIST SP 800-63B, the GDPR, HIPAA, and PCI DSS by providing strong MFA measures and flexible authentication options, enabling organizations to choose the method that best fits their needs.

Advanced authenticators for Palo Alto VPN

ADSelfService Plus supports multiple authentication methods for securing Palo Alto VPN logins, including:

  1. Microsoft Authenticator
  2. Yubico OTP (hardware key authentication)
  3. SMS and email verification
  4. Zoho OneAuth TOTP

Enabling MFA for Palo Alto VPN with ADSelfService Plus

ADSelfService Plus integrates with Palo Alto VPN to provide robust MFA capabilities. Admins can configure specific MFA policies for Palo Alto VPN users based on user roles, departments, domains, organizational units, and groups under particular conditions. Admins have the flexibility to select which authenticators users must use for MFA. This integration not only enhances security but also ensures compliance with regulatory requirements.

Here is how you can enable MFA for Palo Alto VPN logins:

Prerequisites:

  • Ensure you have a Professional Edition license of ADSelfService Plus with Endpoint MFA enabled.
  • Enable HTTPS in ADSelfService Plus by navigating to Admin > Product Settings > Connection.
    Note: If you are using an untrusted certificate in ADSelfService Plus for HTTPS, disable the Restrict User Access when there is an Invalid SSL Certificate option under Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Customization > Advanced.
  • In ADSelfService Plus, the access URL configured under Admin > Product Settings > Connection > Configure Access URL will be used by the NPS extension to communicate with the ADSelfService Plus server. Ensure the access URL is updated before installing the NPS extension.
  • In AD, set the users’ Network Access Permission to Control access through NPS Network Policy in their Dial-in properties.
  • Configure your Palo Alto VPN gateway to use RADIUS authentication.
  • The RADIUS server must be a Windows Server (Windows Server 2008 R2 or later) with the NPS role enabled.
  • On the Windows NPS server, set the authentication settings of the Connection Request Policy to Authenticate requests on this server.

Configure ADSelfService Plus for MFA:

Step 1: Enable the required authenticators

  1. Log in to ADSelfService Plus as an admin.
  2. Go to Configuration > Self-Service > Multi-Factor Authentication > Authenticators Setup.
  3. Enable the required authenticators for the Palo Alto VPN login.
  4. Click Save.

Step 2: Enable MFA for VPN logins in ADSelfService Plus

  1. Go to the MFA for Endpoints tab.
  2. From the Choose the Policy drop-down menu, select the policy that determines the users for whom MFA for VPN login will be enabled. Policies can be OU-based or group-based.
  3. In the MFA for VPN Login section, check the box and specify the number of authentication factor(s) for VPN logins from the drop-down menu. Choose the authenticators for VPN login MFA from the drop-down menu.
  4. Click Save Settings.

Step 3: Install the NPS extension

Install the NPS extension and restart the NPS Windows service.

The setup is complete. When users log in to Palo Alto VPN, they will be prompted to verify their identities with the chosen MFA authentication methods.
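The NPS-side prerequisites and the service restart in Step 3 can be checked from PowerShell on the NPS server. This is an added example, not part of the ADSelfService Plus documentation or tooling; it assumes an elevated session with the ServerManager and ActiveDirectory (RSAT) modules available, and the OU in `$SearchBase` is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example: verify the NPS-side prerequisites, then restart NPS (Step 3).
# Assumptions: run on the Windows NPS server; ServerManager and ActiveDirectory
# (RSAT) modules are installed; $SearchBase is a placeholder OU.
Import-Module ServerManager, ActiveDirectory

$SearchBase = 'OU=VPN Users,DC=example,DC=com'   # placeholder, replace with your OU

# 1. The NPS role (feature name NPAS) must be installed on the RADIUS server.
$nps = Get-WindowsFeature -Name NPAS
if (-not $nps.Installed) {
    throw 'The NPS role (NPAS) is not installed on this server.'
}

# 2. Dial-in tab: "Control access through NPS Network Policy" is stored as an
#    unset msNPAllowDialin attribute. TRUE = Allow access, FALSE = Deny access.
$explicit = Get-ADUser -Filter * -SearchBase $SearchBase -Properties msNPAllowDialin |
    Where-Object { $null -ne $_.msNPAllowDialin } |
    Select-Object SamAccountName, msNPAllowDialin

if ($explicit) {
    Write-Warning 'Users with an explicit Allow/Deny dial-in setting (prerequisite not met):'
    $explicit | Format-Table -AutoSize
} else {
    Write-Output 'All users in scope use "Control access through NPS Network Policy".'
}

# 3. List the Connection Request Policies so the authentication setting
#    ("Authenticate requests on this server") can be reviewed.
netsh nps show crp

# 4. After installing the NPS extension, restart NPS (Windows service name: IAS)
#    and confirm it came back up.
Restart-Service -Name IAS
Get-Service -Name IAS | Select-Object Name, Status
```

Run the check before installing the NPS extension so that a failed VPN login afterwards can be attributed to the MFA configuration rather than to a missed prerequisite.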

Benefits of using ADSelfService Plus' VPN MFA

  • Flexible authentication methods: Choose from a wide range of authentication methods supported by ADSelfService Plus, including OTPs, biometrics, or hardware tokens, tailored to your security needs and preferences.
  • Support for conditional access policies: Implement conditional access policies that allow for a more nuanced and adaptive security approach. These conditions include IP address, geolocation, device type, and time of access. Tailor the level of MFA based on the risk of an access attempt by analyzing factors such as user behavior, location, and device used.
  • Comprehensive reporting: Gain deep visibility into MFA activity with robust reporting and auditing features. Administrators can generate reports to track the time of the MFA attempt, the device type used, the IP address, and the specific authenticator used. This enables organizations to swiftly identify and respond to potential security incidents.
  • Enhanced user experience: Integrating ADSelfService Plus' MFA with Palo Alto VPN offers a smooth, user-friendly authentication process, ensuring secure and hassle-free access to network resources from any location.

Supported VPN providers and non-VPN RADIUS endpoints:

ADSelfService Plus' VPN MFA capability is built on the standard RADIUS protocol, ensuring compatibility with a wide range of RADIUS-based VPN providers. Beyond VPNs, ADSelfService Plus extends its MFA capabilities to non-VPN RADIUS endpoints. The following are VPN providers and non-VPN RADIUS endpoints that ADSelfService Plus supports:

  • Juniper VPN MFA
  • OpenVPN MFA
  • SonicWall VPN MFA
  • Checkpoint VPN MFA
  • Citrix Gateway
  • Microsoft Remote Desktop Gateway
  • VMware Horizon View
