VPN – Palo Alto GlobalProtect
In this topic, you will learn how to configure Palo Alto GlobalProtect to work together with Portnox™ Cloud and 802.1X RADIUS authentication for VPN connections.
Warning: This topic contains documentation prepared by our support agents more than 12 months ago. It may not cover the newest models or the newest interfaces of NAS devices. We’re working on bringing you updated documentation for NAS devices in the near future. However, the methods of setting up third-party devices may still change when the manufacturers update their firmware or release new models. Therefore, to get the most accurate and current configuration guidance, we strongly recommend that you refer to the documentation provided by the manufacturer. If you need help setting up newer equipment that does not match the description in this topic, contact us at support@portnox.com.
- Create a RADIUS server profile by navigating to Device > Server Profiles > RADIUS and clicking Add.
- In the RADIUS Server Profile window that appears:
  - Specify a Name for the RADIUS server profile.
  - In Server Settings, set Timeout (sec) to 40.
  - Enter the cloud RADIUS details: the IP address, the authentication port, and the shared secret.
- Create a RADIUS authentication profile by navigating to Add. and clicking on
- In the Authentication Profile window that appears:
  - Specify a Name for the authentication profile.
  - In the Authentication tab, in Type, select RADIUS.
  - In Server Profile, select the RADIUS server profile you created in the previous step.
  - In the Advanced tab, add All to the Allow List.
- Add the new RADIUS authentication profile to the GlobalProtect gateway, as follows:
  - Navigate to .
  - Select the relevant gateway, that is, the gateway that will be communicating with Portnox Cloud.
  - In the Authentication tab, select Add.
  - Specify the RADIUS authentication profile you created in the previous steps.
- Add the new RADIUS authentication profile to the GlobalProtect portal, as follows:
  - Navigate to .
  - Select the relevant portal, that is, the portal that will be communicating with Portnox Cloud.
  - In the Authentication tab, select Add.
  - Specify the RADIUS authentication profile you created in the previous steps.
- Update the Portal connection timeout, as follows:
  - Navigate to .
  - Select the relevant portal, that is, the portal that will be communicating with Portnox Cloud.
  - In the Agent tab, select the VPN gateway.
  - Select the App tab.
  - Set the Portal Connection Timeout to 60 seconds.
- Add additional information to RADIUS attributes by logging in to the Palo Alto CLI and running the following commands:

      set authentication radius-vsa-on client-source-ip
      set authentication radius-vsa-on client-os
      set authentication radius-vsa-on client-hostname
      set authentication radius-vsa-on user-domain
      set authentication radius-vsa-on client-gp-version

  Note: These commands may be removed after a device reboot, in which case they will need to be run again.
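Because these settings can be lost on reboot, it helps to confirm that the attributes are actually present in the Access-Request the firewall sends. The following is an added example, not Portnox or Palo Alto Networks code: it parses the raw bytes of one RADIUS packet and lists which of the five options above produced no attribute. It assumes vendor ID 25461 and the VSA numbers 6 to 10 from the Palo Alto Networks RADIUS dictionary; the function names are hypothetical and the sample packet is constructed, not captured.

```python
import struct

PAN_VENDOR_ID = 25461  # Palo Alto Networks enterprise number in Vendor-Specific (26)
# VSA numbers from the Palo Alto Networks RADIUS dictionary, keyed by the
# radius-vsa-on option that enables each one.
VSA_BY_OPTION = {"user-domain": 6, "client-source-ip": 7, "client-os": 8,
                 "client-hostname": 9, "client-gp-version": 10}

def parse_pan_vsas(packet: bytes) -> dict:
    """Return {vsa_number: text} for the Palo Alto VSAs in one RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("truncated packet or bad RADIUS length field")
    found, pos = {}, 20  # attributes start after the 20-byte header
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if (atype != 26 or len(value) < 4
                or int.from_bytes(value[:4], "big") != PAN_VENDOR_ID):
            continue
        sub = value[4:]  # one or more vendor type/length/value triples
        while len(sub) >= 2:
            stype, slen = sub[0], sub[1]
            if slen < 2 or slen > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            found[stype] = sub[2:slen].decode("utf-8", "replace")
            sub = sub[slen:]
    return found

def missing_options(packet: bytes) -> list:
    """radius-vsa-on options whose VSA is absent from the request."""
    seen = parse_pan_vsas(packet)
    return sorted(opt for opt, num in VSA_BY_OPTION.items() if num not in seen)

def build_sample(vsas: dict) -> bytes:
    """Constructed Access-Request (code 1) for the demo; not a real capture."""
    attrs = b"\x01\x05bob"  # User-Name attribute
    for num, text in vsas.items():
        data = text.encode()
        sub = bytes([num, len(data) + 2]) + data
        attrs += bytes([26, len(sub) + 6]) + struct.pack("!I", PAN_VENDOR_ID) + sub
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    pkt = build_sample({7: "203.0.113.10", 9: "LAPTOP-01"})
    print(parse_pan_vsas(pkt), "not sent:", missing_options(pkt))
```

Pass `parse_pan_vsas` the UDP payload of an Access-Request captured on the path to the RADIUS server; a non-empty result from `missing_options` after a reboot indicates the commands need to be run again.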
Set the authentication override
If you do these steps, users will not be required to log in to both the portal and the gateway in succession, nor enter multiple OTPs for authenticating to each.
- Set the authentication override settings for the gateway, as follows:
  - Navigate to .
  - Select the relevant gateway, that is, the gateway that will be communicating with Portnox Cloud.
  - In the Agent tab, select Client Settings.
  - Select the relevant configuration, and in the Authentication Override tab, select: Generate cookie for authentication override and Accept cookie for authentication override.
- Set the authentication override settings for the portal, as follows:
  - Navigate to .
  - Select the relevant portal, that is, the portal that will be communicating with Portnox Cloud.
  - In the Agent tab, select the relevant configuration.
  - In the Authentication tab, select: Generate cookie for authentication override and Accept cookie for authentication override.