Configure Palo Alto Networks VPN to use the Okta RADIUS

During this task we will define a RADIUS Server Profile, define an Authentication Profile for Okta Palo Alto RADIUS Agent, apply the Okta RADIUS Authentication Profile to a Gateway, and configure the GlobalProtect Portal to use the Okta RADIUS Authentication Profile. Complete these using the Palo Alto Networks RADIUS Server Profile.

Steps

  1. Define a RADIUS Server Profile
  2. Define an Authentication Profile for Okta Palo Alto RADIUS Agent
  3. Apply the Okta RADIUS Authentication Profile to a Gateway
  4. Configure the GlobalProtect Portal to use the Okta RADIUS Authentication Profile

Before you begin

  • Ensure that you have the common UDP port and secret key values available.

Define a RADIUS Server Profile

  1. Sign in to the Palo Alto Networks Admin console with sufficient privileges
  2. Navigate to Device > Server Profile > Radius, and then click Add to define a new RADIUS server.

  3. Enter a profile name that is unique and appropriate, and enter the following server settings, as shown above.

    • Timeout (sec): 60

    • Authentication Protocol: PAP

    • Retries: 1

  4. Click Add in the screen shown above to define a server. Enter the following settings:

    • Name: Unique and appropriate name

    • Radius Server: IP Address of the Server you installed the Okta Palo Alto Radius Agent above.

    • Secret: The Radius Secret you defined in the Okta Radius App above.

    • Port: The UDP Port you defined in the Okta Palo Alto Radius App above.

  5. Click OK to save the settings.

Define an Authentication Profile for Okta Palo Alto RADIUS Agent

  1. Select Device > Authentication Profile and then click Add to define an Authentication Profile.

  2. Select the Authentication tab.

  3. Use the default settings except for the following:
    • Type: RADIUS
    • Server Profile: Enter the name of the Server Profile you defined previously.
  4. Click OK.
  5. In the Authentication Profile screen, select the Advanced tab.
  6. Click Add to assign an Allow List. Select All from the available options.
  7. Click OK to save the settings.

  8. Click Commit to save the Okta RADIUS Authentication Profile.

  9. Open the Palo Alto Networks Administrative Shell and Test the Authentication Profile.

Apply the Okta RADIUS Authentication Profile to a Gateway

  1. Select Network > GlobalProtect > Gateways and open your configured GlobalProtect Gateway.
  2. Select the Authentication tab to define Client Authentication Settings.
  3. Click Add to update Client Authentication to the Okta RADIUS Authentication Profile you just configured.
  4. Leave the default settings except for the following:
    • Name: Unique and appropriate name
    • OS: Any
    • Authentication Profile: Enter the Authentication Profile you configured earlier.
    • Authentication Message: Enter appropriate instructions for end users such as "Enter login credentials".

  5. Click OK to save the settings.

Configure the GlobalProtect Portal to use the Okta RADIUS Authentication Profile

Note: The step applies the same settings that you just applied to you GlobalProtect Gateway to the GlobalProtect Portal.

  1. Select Network > GlobalProtect > Portals and open your configured GlobalProtect Portal.
  2. Select the Authentication tab to define Client Authentication Settings.
  3. Click Add to update Client Authentication to the Okta RADIUS Authentication Profile you just configured.
  4. Leave the default settings except for the following:
    • Name: Unique and appropriate name
    • OS: Any
    • Authentication Profile: Enter the Authentication Profile you configured earlier.
    • Authentication Message: Enter appropriate instructions for end users such as "Enter login credentials".

  5. Click OK to save the settings.

Commit all Settings

Click Commit to save the Okta RADIUS configuration within the Palo Alto Networks Admin Console.