How to integrate LDAP on privacyIDEA with MFA for Palo Alto?

Hello,

I'm new to privacyIDEA. I'm trying to use privacyIDEA as MFA auth for the Palo Alto VPN and for access to the Palo Alto management Web UI. When I use passwdresolver, the Palo Alto management UI and the VPN ask for a token that is sent to my email. But when I use ldapresolver, the Palo Alto VPN and the management Web UI don't ask for the token, and the token isn't sent to my email by my SMTP server.

Please help me, is there any configuration I missed in these settings?
Kind thanks


Probably. If you want someone to help you, you need to provide more input, e.g. your configuration and what you have done and configured in your RADIUS client (aka Palo Alto).

Hi Cornelinux,

Thanks for your advice. In my Palo Alto I have already configured a Server Profile for our RADIUS client, and I have also configured the Authentication Profile and Authentication Sequence for RADIUS. Even when I'm using LDAP as a resolver in privacyIDEA, I still need to configure my RADIUS in Palo Alto, right?

Thanks

Yes, you are right. The Palo Alto has to be configured to use privacyIDEA as the RADIUS server. Palo Alto is the RADIUS client.

On the privacyIDEA Machine/FreeRADIUS you need to configure clients.conf to accept RADIUS requests from Palo Alto.

This is an old but very good book, which helps a lot with understanding how RADIUS, and explicitly FreeRADIUS, works.

https://www.amazon.de/FreeRADIUS-Beginners-Guide-English-Dirk/dp/1849514089/
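A minimal clients.conf entry for the setup described above, as an added example (not from the post or from the privacyIDEA project); the client address, name and secret are placeholders:

```conf
# /etc/freeradius/3.0/clients.conf (the path varies by distribution)
# Added example, not from the original post. Address and secret are placeholders.
client paloalto {
    # Must match the source address the firewall sends RADIUS requests from
    # (check the service route if RADIUS is not sent via the management port).
    ipaddr    = 192.0.2.10
    # Must be identical to the shared secret in the Palo Alto RADIUS Server Profile.
    secret    = REPLACE_WITH_LONG_RANDOM_SECRET
    shortname = paloalto
    nas_type  = other
    # Reject requests without a Message-Authenticator attribute (FreeRADIUS 3 option).
    require_message_authenticator = yes
}
```

After restarting FreeRADIUS, run it in debug mode (`freeradius -X`) while a Palo Alto login is attempted: a request from an address not listed in clients.conf is logged as coming from an unknown client and silently dropped, which on the firewall side looks like a timeout rather than a reject.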

Hi Cornelinux,

I'm sorry for the late response; lately there have been a lot of problems besides this MFA.
About the privacyIDEA machine/FreeRADIUS: I have already configured clients.conf to accept RADIUS requests from Palo Alto, just like this video:

But I have also already configured the LDAP AD in my privacyIDEA, and privacyIDEA already detects every user in my AD and displays them in privacyIDEA.
What I want is that when users use the VPN with LDAP AD, before they log in they have to input the OTP that is sent to their email. Right now we can send email from privacyIDEA, but the OTP is still not sent to the user when they try to connect to the Palo Alto GP VPN.

I really hope we can discuss this further in an online meeting so I can describe in more detail what I have already configured.

Thanks Cornelinux

Hi!

Had the same issue 4 months ago.
We also switched to Palo Alto and didn’t want to use M$ Authenticator.

This is how I solved it for now:

  • FreeRADIUS installed
  • Connected Palo Alto to the FreeRADIUS server
  • Created a VPN group in Active Directory
  • Created a policy in privacyIDEA which requires the presence of at least one stored token and points to the VPN group.
  • Created another policy that excludes the source IP of the RADIUS server and allows login without a token, so that new users can create a token for themselves.

So far this works fine with the Palo.

The only problem I ran into:
Users may only be included once in privacyIDEA via the connected AD groups.
If a user is included in two groups, privacyIDEA gets confused and the VPN login fails.
So you have to think a bit when creating the groups.

Do not use several resolvers to find the same user!
This will result in different logical users within privacyIDEA!

Read
https://privacyidea.readthedocs.io/en/latest/configuration/realms.html

Alternatively you should map the user attributes like “memberOf” in only ONE resolver.
Read
https://privacyidea.readthedocs.io/en/latest/configuration/useridresolvers.html#resolver-settings

Then you can map the user attributes to RADIUS AVPs.
Read
https://privacyidea.readthedocs.io/en/latest/application_plugins/rlm_perl.html#mapping-privacyidea-return-values-to-radius-attribute-value-pairs