PaloAlto Radius MFA

We would like to use PrivacyIDEA as an authentication provider for PaloAlto GlobalProtect VPN.
We installed PI on Ubuntu 18.04, created an admin user and via the WebGUI connected to our AD server (SAMBA based). This all went fine, we can read out AD users.

Finally we installed the FreeRADIUS plugin (apt-get install privacyidea-radius), but here we are stuck… How to configure this?

We would like to start testing with PaloAlto.


Start with editing clients.conf file.

And maybe reading RADIUS-related discussion here if not too busy…


When you install privacyidea-radius the freeradius server is also installed with a default configuration with the local privacyIDEA server.

As @henry pointed out, go and edit the clients.conf accordingly and use the same secret in your PaloAlto. In a basic setup there is nothing more to do.

I see I can add the RADIUS server in the PI web GUI, should this be done?
Which is the user and password? I have set a secret in clients.conf.

No.
In this case you do not configure any RADIUS in the WebUI.

All RADIUS-specific stuff in the WebUI is for when privacyIDEA sends requests to another RADIUS server.
It is sufficient to configure the clients.conf. Configure your **** PaloAlto accordingly.

Read this: https://privacyidea.readthedocs.io/en/latest/application_plugins/index.html#freeradius

and buy this book: https://www.amazon.com/FreeRADIUS-Beginners-Guide-Dirk-Walt-ebook/dp/B005M0F0WQ
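
A client entry of the kind the replies above describe, as an added example that is not part of the original thread or the privacyIDEA project's own configuration. The IP address, client name and secret are constructed placeholders, and the file path is an assumption based on the FreeRADIUS 3.0 package layout on Ubuntu 18.04.

```conf
# /etc/freeradius/3.0/clients.conf  (path assumed, see above)
#
# One client block per device that is allowed to send RADIUS requests.
# Requests from addresses that match no client block are dropped.

client paloalto-gp {
    # Address the firewall uses as source for RADIUS traffic.
    # 192.0.2.10 is a documentation address; replace it with the
    # firewall's real interface address. Prefer a single host over
    # a whole subnet so only the firewall can query the server.
    ipaddr = 192.0.2.10

    # Shared secret. The same value must be entered in the RADIUS
    # server profile on the PaloAlto. Use a long random string and
    # do not reuse the stock "testing123" secret that ships in the
    # default localhost entry.
    secret = REPLACE_WITH_LONG_RANDOM_SECRET

    # Label that appears in the FreeRADIUS log for this client.
    shortname = paloalto-gp
}
```

Restart the FreeRADIUS service after editing so the new client is loaded, and keep clients.conf readable only by root and the freerad group, since it stores the secret in clear text.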