February 2017
Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries. Entrust is a
registered trademark of Entrust Limited in Canada. All other company and product names are trademarks or
registered trademarks of their respective owners. The material provided in this document is for information purposes
only. It is not intended to be advice. You should not act or abstain from acting based upon such information without
first consulting a professional. ENTRUST DOES NOT WARRANT THE QUALITY, ACCURACY OR
COMPLETENESS OF THE INFORMATION CONTAINED IN THIS ARTICLE. SUCH INFORMATION IS
PROVIDED "AS IS" WITHOUT ANY REPRESENTATIONS AND/OR WARRANTIES OF ANY KIND, WHETHER
EXPRESS, IMPLIED, STATUTORY, BY USAGE OF TRADE, OR OTHERWISE, AND ENTRUST SPECIFICALLY
DISCLAIMS ANY AND ALL REPRESENTATIONS, AND/OR WARRANTIES OF MERCHANTABILITY,
SATISFACTORY QUALITY, NON-INFRINGEMENT, OR FITNESS FOR A SPECIFIC PURPOSE.
Integration information
Entrust product : Entrust IdentityGuard 10.2 (816) Feature Pack 1
Partner name : Palo Alto Networks
Palo Alto Firewall product : Palo Alto Virtual appliance VM-300 / version 7.0.1
Palo Alto GlobalProtect Client : version: 2.3.3-5
Check the Platform Support and Integration Center for the latest supported version information at:
https://www.entrust.com/support/psic/index.cfm
Note: The PA-VM supports CHAP and PAP authentication methods with RADIUS.
The Radius proxy does not support the creation of new passwords or PVNs. Administrators must assign users
their initial passwords and PVNs.
Only PAP supports password and PVN updates, and only PAP supports the cell replacement feature of Entrust
IdentityGuard grids, one-time passwords, and temporary PINs. The cell replacement feature allows certain
characters to replace other characters. For example, "x" can replace "X", and "B" can replace "8".
1 Can also include a personal verification number (PVN). A PVN is an additional authentication feature that can be added to other
authentication methods. Grid, token, or one-time password authentication must be configured.
2 TVS is a strong out-of-band authentication method in which an authentication challenge is sent to the user's mobile device. The challenge is signed by
the Entrust Mobile Soft Token app and verified by the Entrust IdentityGuard server. The user can accept or reject the challenge, which results in
either a successful or a failed authentication.
VPN authentication with Entrust IdentityGuard and a first-factor Radius server follows
these steps:
1. A user enters first-factor credentials (user name and password) into the VPN client.
2. The VPN client sends the credentials to the VPN server, which forwards them to the Entrust IdentityGuard
Radius Server proxy.
3. The Radius proxy forwards the credentials to the Radius server.
4. The Radius server generates either an accept message (the user passed first-factor authentication), or a
reject message (the user failed first-factor authentication).
5. The Radius server sends the message to the Radius proxy.
If the message is a reject message, the Radius proxy sends the message unchanged to the VPN server.
If the message is an accept message, the Radius proxy requests a second-factor challenge from Entrust
IdentityGuard.
6. Entrust IdentityGuard generates a second-factor challenge and sends it to the Radius proxy. The Radius
proxy sends the challenge to the VPN server, which forwards it to the VPN client.
7. The user enters a response to the second-factor challenge into the VPN client.
8. The VPN client sends the response to the VPN server, which forwards it to the Radius proxy. The Radius
proxy forwards the response to Entrust IdentityGuard for authentication.
9. Entrust IdentityGuard either accepts or rejects the response and then sends a message to the Radius proxy.
The Radius proxy forwards the message to the VPN server.
If the message is a reject message, then the user failed second-factor authentication.
If the message is an accept message, then the user passed second-factor authentication.
© Copyright 2017 Entrust. http://www.entrust.com
All rights reserved. 6
Integration with Entrust IdentityGuard and an external resource
When you install Entrust IdentityGuard, you can integrate it into an environment with an external
first-factor authentication resource. That external resource can be an LDAP-compliant directory or a
Windows domain controller through Kerberos. In this environment, the Entrust IdentityGuard Radius
Server proxy intercepts messages from the VPN server, and the Entrust IdentityGuard Radius Server
communicates with the external resource (see Figure 2).
Figure 2: Overview of Entrust IdentityGuard integrated with a VPN and first-factor authentication resource
VPN authentication with Entrust IdentityGuard and a first-factor authentication resource follows
these steps:
1. A user enters first-factor credentials (user name and password) into the VPN client.
2. The VPN client sends the credentials to the VPN server, which forwards them to the Entrust IdentityGuard
Radius Server proxy.
3. The Radius proxy forwards the credentials to Entrust IdentityGuard, which forwards them to the external
resource.
4. The external resource generates either a success message (the user passed first-factor authentication) or a
fail message (the user failed first-factor authentication).
5. The external resource sends the message to Entrust IdentityGuard.
If the message is a fail message, the Radius proxy sends a reject message to the VPN server.
If the message is a success message, Entrust IdentityGuard generates a second-factor challenge and
sends it to the Radius proxy.
6. The Radius proxy sends the challenge to the VPN server, which forwards it to the VPN client.
7. The user enters a response to the second-factor challenge into the VPN client.
8. The VPN client sends the response to the VPN server, which forwards it to the Radius proxy. The Radius
proxy forwards the response to Entrust IdentityGuard for authentication.
9. Entrust IdentityGuard either accepts or rejects the response and then sends a message to the Radius proxy.
10. The Radius proxy forwards the message to the VPN server.
If the message is a reject message, then the user failed second-factor authentication.
If the message is an accept message, then the user passed second-factor authentication.
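The two step lists above (Radius server as the first factor, and an external LDAP or Kerberos resource behind Entrust IdentityGuard) share one proxy state machine. The following is an added example, not Entrust's or Palo Alto's code: it models the Radius proxy with a pluggable first-factor resource, turns a first-factor accept into a second-factor challenge bound to a RADIUS State attribute, and applies the PAP-only cell replacement rule quoted earlier ("x" for "X", "B" for "8"). All users, passwords, grid cells and the challenged-cell parameter are constructed assumptions.

```python
"""Model of the Entrust IdentityGuard Radius proxy flow (added example).
Not Entrust's or Palo Alto's code; all data below is constructed."""
import hmac
import secrets

# Constructed first-factor resource; stands in for the Radius server or the
# LDAP/Kerberos resource that IdentityGuard forwards credentials to.
FIRST_FACTOR = {"alice": "correct horse", "bob": "hunter2"}
# Constructed grid-card cells; the real ones live in IdentityGuard.
GRID = {"alice": {"B3": "k", "D1": "8"}, "bob": {"B3": "q", "D1": "3"}}
# Cell replacement as described in the note above (subset; PAP only).
CELL_EQUIV = {"x": "X", "B": "8"}


def radius_server(user, password):
    """Constructed first-factor check; True stands for an accept message."""
    return hmac.compare_digest(FIRST_FACTOR.get(user, ""), password)


class RadiusProxy:
    def __init__(self, first_factor=radius_server, pap=True):
        self.first_factor = first_factor   # any callable (user, password) -> bool
        self.pap = pap                     # cell replacement only applies to PAP
        self.pending = {}                  # State attribute -> (user, challenged cell)

    def access_request(self, user, password, cell="B3"):
        """Steps 1-6: a reject passes through unchanged; an accept becomes a challenge.
        `cell` is a constructed stand-in for the cell IdentityGuard would choose."""
        if not self.first_factor(user, password):
            return "Access-Reject", {}
        state = secrets.token_hex(8)       # binds the later response to this challenge
        self.pending[state] = (user, cell)
        return "Access-Challenge", {"State": state, "Reply-Message": f"Grid cell {cell}"}

    def challenge_response(self, state, response):
        """Steps 7-10: verify the second factor; unknown or reused State is rejected."""
        entry = self.pending.pop(state, None)
        if entry is None:
            return "Access-Reject"
        user, cell = entry
        if self.pap:                       # normalise replaceable characters
            response = "".join(CELL_EQUIV.get(c, c) for c in response)
        ok = hmac.compare_digest(GRID[user][cell], response)
        return "Access-Accept" if ok else "Access-Reject"
```

Because each State value is consumed on first use, a replayed or guessed response is rejected even when the grid value would otherwise match.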
Forced migration
Phased migration with a parallel authentication resource
Phased migration with a Radius server or Entrust IdentityGuard first-factor authentication
Phased migration with an external resource
Each migration scenario is discussed in more detail in the following sections.
Forced migration
With forced migration, you have an existing VPN that provides access to a protected resource and you want to
use the Entrust IdentityGuard Administration interface to migrate all users to Entrust IdentityGuard at a
pre-announced switch-over date.
Advantages
Easy to implement
Effective with a small number of users
Disadvantages
Administrators may experience a large number of problems on the switch-over date, and there is no user
feedback of the kind a pilot would generate.
Need an external process that maintains users between the existing system and the new Entrust
IdentityGuard system.
To perform a forced migration
1. Inform your VPN users that you plan to add second-factor authentication on a specified date.
2. Provide your users with their grid cards, tokens, or temporary PINs for Entrust IdentityGuard authentication.
3. On the switch-over date, have an Entrust IdentityGuard administrator use the bulk operations mechanism of
Entrust IdentityGuard to load all your VPN users into the Entrust IdentityGuard repository. (See the Entrust
IdentityGuard Administration Guide for information about bulk operations.)
4. Integrate your VPN and Entrust IdentityGuard.
Need an external process that maintains users between the existing system and the new Entrust
IdentityGuard system.
May require another VPN.
Users can bypass the second-factor login by using the old authentication mechanism.
Any users not yet migrated to the new system are not inconvenienced.
Any users migrated to the new system cannot bypass it and use the old system.
Gradually adding users to the new system means administrators experience fewer problems. Starting
with a small group of users allows for a pilot that generates user feedback.
Disadvantages
Need an external process that moves users between the existing system and the new Entrust
IdentityGuard system.
More overhead to inform users in a staged manner.
Any users not yet migrated to the new system are not inconvenienced.
Any users migrated to the new system cannot bypass it and use the old system.
Gradually adding users to the new system means administrators experience fewer problems. Starting
with a small group of users allows for a pilot that generates user feedback.
Disadvantages
Need an external process that maintains users between the existing system and the new Entrust
IdentityGuard system.
Need to inform users in a staged manner.
4. Enter the default username/password (admin/admin) to log in. The welcome screen appears.
Configuring RADIUS and LDAP for the Palo Alto PA-VM Series appliance
The following procedures describe how to configure the Palo Alto PA-VM Series appliance to use the Entrust
IdentityGuard Radius Server proxy. It is assumed that you are familiar with the administration interface of the
Palo Alto PA-VM Series appliance. All examples use the Palo Alto interface.
To set up the Palo Alto PA-VM Series appliance, you must add the Entrust IdentityGuard Radius Server proxy
as an AAA (Authentication Authorization Accounting) client, and then configure an IPSec connection profile.
This topic contains the following procedures:
b. Click the Group Mapping Settings tab and then click Add at the bottom of the Palo Alto main page.
The Group Mapping page appears.
h. Click the groups (listed by their cn= names) that you want to make available on the firewall for use in policies.
i. Click the + sign in the middle to add them to the Included Groups list.
j. Click OK to save the changes and click OK again to close the Group Mapping page.
8. Click Commit at the top of the Palo Alto main page.
c. From the Server Profile drop-down list, select the Active_Directory profile.
d. In the User Domain field, enter the domain name of the LDAP server (for example, ldap.mycompany.com if
that is your Active Directory domain name).
e. From the Username Modifier drop-down list, select %USERINPUT%.
f. Click the Advanced tab. The Authentication Profile Advanced page appears.
h. Click the groups (listed by their cn= names) that you want to make available on the firewall for use in policies.
5. Click OK to close the Authentication Profile page and return to the Palo Alto main page.
6. Click Commit at the top of the Palo Alto main page to save the configuration changes.
c. In the Server Profile field, select the IdentityGuard profile from the drop-down list.
d. Click the Advanced tab. The Authentication Profile Advanced page appears.
3. Click Add at the bottom of the page. The Tunnel Interface page appears.
2. Click Add at the bottom left of the page to add a new rule. The Security Policy Rule page appears.
c. Click Add at the bottom of the Source Zone. A list of source zones appears.
d. From the Source Zone drop-down list, select Corp-zone.
e. Click Any in the Source Address field to define a destination address.
4. Click the Destination tab. The Destination options page appears.
2. Click Generate at the bottom of the page. The Generate Certificate page appears.
3. Click Add to create a new Gateway. The Global Protect Gateway page appears.
8. Click Add to create a new client entry. A Configs page appears for you to enter the client information.
3. Click Add to create a new Portal. The GlobalProtect Portal page appears.
6. Click Add at the bottom of the page. The Configs page appears.
b. In the Name field, enter a name for the gateway, for example IdentityGuard.
c. In the Address field, enter the IP address of ethernet1/2.
d. Select the Priority as Highest.
e. Select the Manual check box.
To configure the network subnet to allow traffic for all the networks and VLANs
1. Log in to the Palo Alto web management interface. The Palo Alto Dashboard page appears.
2. Click the Network tab and in the navigation pane, select Virtual Routers > Default.
3. Select the check box next to default. The Virtual Router Default page appears.
b. Click Add. The Static Route page appears for you to enter the static route values.
b. From the First-factor Authentication Method list, select the method to use for one-step authentication
(Entrust IdentityGuard Password or Token).
c. Select True for Only Perform First-factor Authentication.
5. Scroll down and click Validate & Save.
6. Restart the Entrust IdentityGuard services for the changes to take effect.
b. From the First Factor Authentication Method drop-down list, select No First-Factor Authentication.
"To configure TVS authentication in Entrust IdentityGuard and activate a mobile soft token on your
mobile device"
"To configure TVS Authentication using the Entrust IdentityGuard Properties Editor"
To configure TVS authentication in Entrust IdentityGuard and activate a mobile soft token on your
mobile device
1. Validate the transaction component and callback settings. (See the topic "Transaction Component and
Callback Settings" in the Entrust IdentityGuard Radius Server Administration Guide).
2. Validate the licensing required to perform TVS authentication transactions by doing the following:
a. Validate the transaction verification with soft tokens license. (See the topic "Verification with Soft Tokens" in
the Entrust IdentityGuard Radius Server Administration Guide).
3. Validate soft token licenses. (See the topic "Soft Tokens License" in the Entrust IdentityGuard Radius
Server Administration Guide).
4. Activate mobile soft tokens.
You can do this through the Entrust IdentityGuard Administration Interface. (See the topic "Creating and
Activating a mobile soft token using the Administration Interface" in the Entrust IdentityGuard Radius
Server Administration Guide).
Alternately, you can activate the mobile soft token using the Entrust IdentityGuard Self-Service Web
site. (See the Entrust IdentityGuard Self-Service Installation and Configuration Guide).
5. Configure mobile soft tokens for second factor authentication. (See the topic "Using mobile soft tokens for
second factor authentication" in the Entrust IdentityGuard Radius Server Administration Guide).
Note: It is assumed that you have already deployed the GlobalProtect Agent software to the client computer as
outlined in the section "Deploying and configuring GlobalProtect Client".
2. In the Username field, enter the Entrust IdentityGuard username.
3. In the Password field, enter the Entrust IdentityGuard Password/ Temp PIN.
4. Click Apply.
5. In the GlobalProtect page, select File > Enable.
Note: It is assumed that you have already deployed the GlobalProtect Agent software to the client computer as
outlined in the section "Deploying and configuring GlobalProtect Client".
10. In the Username field, enter the Entrust IdentityGuard username.
11. In the Password field, enter the Entrust IdentityGuard password.
12. Click Apply.
14. Click Continue. You are prompted to enter the second factor authentication response.
15. Enter the Second Factor authentication response. The challenge depends on the type of second factor
authentication you have configured in Entrust IdentityGuard Radius Server.
Once you are connected, the GlobalProtect Welcome page appears.
4. Click Confirm.