{"id":307,"date":"2020-01-28T09:19:07","date_gmt":"2020-01-28T08:19:07","guid":{"rendered":"http:\/\/wp.12p.no\/?p=307"},"modified":"2020-01-28T09:19:07","modified_gmt":"2020-01-28T08:19:07","slug":"setting-up-2fa-with-palo-alto-using-google-authenticator","status":"publish","type":"post","link":"https:\/\/12p.no\/wp\/?p=307","title":{"rendered":"Setting up Palo Alto GlobalProtect VPN 2FA authentication using Google Authenticator"},"content":{"rendered":"\n<p><em>TL;DR: Enable free 2FA using an Ubuntu server, Google Authenticator and FreeRADIUS on a service that supports RADIUS authentication.<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/wp.12p.no\/wp-content\/uploads\/2020\/01\/image-23.png\" alt=\"\" class=\"wp-image-344\"\/><\/figure>\n\n\n\n<p>So, I&#8217;ve been messing around with this for a while, and I decided I&#8217;d create a post showing how to do it.<\/p>\n\n\n\n<p>Basically I have a small Ubuntu server with FreeRADIUS and the Google Authenticator PAM module, using the users defined on the Ubuntu server as the allowed users.<\/p>\n\n\n\n<p>Step 1: Start by installing the needed tools on the Ubuntu server with this command:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/wp.12p.no\/wp-content\/uploads\/2020\/01\/step1.png\" alt=\"\" class=\"wp-image-308\"\/><\/figure>\n\n\n\n<p>This will install the applications and tools you need. There are different ways of setting up FreeRADIUS in terms of the user running the service, but since I hate services running as root I used the freerad user account, which has lower privileges. 
<\/p>\n\n\n\n<p>Step 2: edit the \/etc\/freeradius\/users file and add the following:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/wp.12p.no\/wp-content\/uploads\/2020\/01\/image-1.png\" alt=\"\" class=\"wp-image-310\"\/><\/figure>\n\n\n\n<p>Step 3: edit \/etc\/freeradius\/sites-enabled\/default and remove the # in front of PAM:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/wp.12p.no\/wp-content\/uploads\/2020\/01\/image-2.png\" alt=\"\" class=\"wp-image-311\"\/><\/figure>\n\n\n\n<p>Step 4: edit the file \/etc\/freeradius\/clients.conf and add these lines to the end. Change the allowed IP address and the RADIUS secret to whatever you need them to be; I recommend using a password generator for the secret&#8230;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/wp.12p.no\/wp-content\/uploads\/2020\/01\/image-14.png\" alt=\"\" class=\"wp-image-325\"\/><\/figure>\n\n\n\n<p>Then restart the service: sudo service freeradius restart<\/p>\n\n\n\n<p>Step 5: Then edit the \/etc\/pam.d\/radiusd file to add the Google Authenticator PAM module:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/wp.12p.no\/wp-content\/uploads\/2020\/01\/image-5-1024x262.png\" alt=\"\" class=\"wp-image-314\"\/><\/figure>\n\n\n\n<p>Step 6: For each user you need to create a Google Authenticator token. Running the command google-authenticator as each user will guide you through the process. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/wp.12p.no\/wp-content\/uploads\/2020\/01\/image-22.png\" alt=\"\" class=\"wp-image-338\"\/><figcaption>You can scan the QR code in the Google Authenticator app, and of course keep the backup codes for later use (you can see these codes again by viewing the .google_authenticator file).<\/figcaption><\/figure>\n\n\n\n<p>A file named .google_authenticator will be created in each user&#8217;s home folder. We need to move this file into the FreeRADIUS folder under \/etc\/freeradius\/*USERNAME*.<\/p>\n\n\n\n<p>Step 6.1: Since we don&#8217;t run the service as root, we need to allow the freerad user to access the Google Authenticator file for the user (the user is named TEST here):<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/wp.12p.no\/wp-content\/uploads\/2020\/01\/image-6.png\" alt=\"\" class=\"wp-image-315\"\/><\/figure>\n\n\n\n<p>Step 7: Test the setup using radtest:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/wp.12p.no\/wp-content\/uploads\/2020\/01\/image-7.png\" alt=\"\" class=\"wp-image-316\"\/><figcaption>Yellow is the Google Authenticator code.<\/figcaption><\/figure>\n\n\n\n<p>If the test is successful you should see this line:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/wp.12p.no\/wp-content\/uploads\/2020\/01\/image-8.png\" alt=\"\" class=\"wp-image-317\"\/><\/figure>\n\n\n\n<p>Step 8: Configure the Palo Alto firewall to use the RADIUS server with 2FA for GlobalProtect VPN:<\/p>\n\n\n\n<p>Go to Device, then Server Profiles, and select RADIUS. 
Create a new RADIUS profile:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/wp.12p.no\/wp-content\/uploads\/2020\/01\/image-9.png\" alt=\"\" class=\"wp-image-318\"\/><\/figure>\n\n\n\n<p>To test the settings, commit and then type the following from the firewall CLI:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/wp.12p.no\/wp-content\/uploads\/2020\/01\/image-15.png\" alt=\"\" class=\"wp-image-326\"\/><figcaption>Of course you need to change the profile name and username to what they need to be.<br>At the password prompt type YourPassword+GoogleAuthenticatorCode<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/wp.12p.no\/wp-content\/uploads\/2020\/01\/image-16.png\" alt=\"\" class=\"wp-image-327\"\/><figcaption>The result should look something like this.<\/figcaption><\/figure>\n\n\n\n<p>For more troubleshooting if this does not work, run:<\/p>\n\n\n\n<p>tail -f \/var\/log\/auth.log<\/p>\n\n\n\n<p>or<\/p>\n\n\n\n<p>tail -f \/var\/log\/freeradius\/freeradius.log<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/wp.12p.no\/wp-content\/uploads\/2020\/01\/image-17-1024x35.png\" alt=\"\" class=\"wp-image-328\"\/><figcaption>Troubleshooting from the CLI (yes, I use tmux).<\/figcaption><\/figure>\n\n\n\n<p>Step 9: Go to Authentication Profile and add a new one:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/wp.12p.no\/wp-content\/uploads\/2020\/01\/image-10.png\" alt=\"\" class=\"wp-image-319\"\/><\/figure>\n\n\n\n<p>Add this profile to the portal config:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/wp.12p.no\/wp-content\/uploads\/2020\/01\/image-19-1024x497.png\" alt=\"\" class=\"wp-image-331\"\/><\/figure>\n\n\n\n<p>Step 10: Test the config<\/p>\n\n\n\n<p>Commit the 
config, visit the GlobalProtect portal externally. Type in your username, and in the password field type the password + the Google Authenticator code.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/wp.12p.no\/wp-content\/uploads\/2020\/01\/image-18.png\" alt=\"\" class=\"wp-image-330\"\/><figcaption>So if your password is MyPassword and the Google Authenticator code is 123 456, the password you type in would be &#8220;MyPassword123456&#8221;.<\/figcaption><\/figure>\n\n\n\n<p>Step 12: Testing the authentication in the GlobalProtect client<\/p>\n\n\n\n<p>Download and install the client if you haven&#8217;t done so yet. Add the portal address, your username and password+GoogleAuthenticatorCode:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/wp.12p.no\/wp-content\/uploads\/2020\/01\/image-20.png\" alt=\"\" class=\"wp-image-332\"\/><figcaption>And you&#8217;re logged in.<\/figcaption><\/figure>\n\n\n\n<p>Remember to change your password at next logon. I use these settings as well:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/wp.12p.no\/wp-content\/uploads\/2020\/01\/image-21.png\" alt=\"\" class=\"wp-image-333\"\/><\/figure>\n\n\n\n<p>LATER: I will do a tutorial on LDAP integration as well.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>TL;DR: Enable free 2FA using an Ubuntu server, Google Authenticator and FreeRADIUS on a service that supports RADIUS authentication. So, I&#8217;ve been messing around with this for a while, and I decided I&#8217;d create a post showing how to do it. Basically I have a small Ubuntu server with FreeRADIUS and the Google Authenticator PAM module. 
Using [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-307","post","type-post","status-publish","format-standard","hentry","category-it-security"],"_links":{"self":[{"href":"https:\/\/12p.no\/wp\/index.php?rest_route=\/wp\/v2\/posts\/307","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/12p.no\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/12p.no\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/12p.no\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/12p.no\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=307"}],"version-history":[{"count":0,"href":"https:\/\/12p.no\/wp\/index.php?rest_route=\/wp\/v2\/posts\/307\/revisions"}],"wp:attachment":[{"href":"https:\/\/12p.no\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=307"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/12p.no\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=307"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/12p.no\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=307"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}