
Technical Integration Guide for Entrust IdentityGuard 10.2 and Palo Alto Virtual Appliance (PA VM) Series Adaptive Security Appliances

Document issue: 3.0

February 2017
Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries. Entrust is a
registered trademark of Entrust Limited in Canada. All other company and product names are trademarks or
registered trademarks of their respective owners. The material provided in this document is for information purposes
only. It is not intended to be advice. You should not act or abstain from acting based upon such information without
first consulting a professional. ENTRUST DOES NOT WARRANT THE QUALITY, ACCURACY OR
COMPLETENESS OF THE INFORMATION CONTAINED IN THIS ARTICLE. SUCH INFORMATION IS
PROVIDED "AS IS" WITHOUT ANY REPRESENTATIONS AND/OR WARRANTIES OF ANY KIND, WHETHER
EXPRESS, IMPLIED, STATUTORY, BY USAGE OF TRADE, OR OTHERWISE, AND ENTRUST SPECIFICALLY
DISCLAIMS ANY AND ALL REPRESENTATIONS, AND/OR WARRANTIES OF MERCHANTABILITY,
SATISFACTORY QUALITY, NON-INFRINGEMENT, OR FITNESS FOR A SPECIFIC PURPOSE.

Copyright © 2017. Entrust. All rights reserved.


Contents
Introduction  4
  Integration information  4
  Partner contact information  4
  Supported authentication methods  4
Integration overview  6
  Integration with Entrust IdentityGuard and a Radius server  6
  Integration with Entrust IdentityGuard and an external resource  7
  Integration with Entrust IdentityGuard only  8
Migrating users to Entrust IdentityGuard  9
  Forced migration  9
  Phased migration with a parallel authentication resource  10
  Phased migration with a Radius server or Entrust IdentityGuard first-factor authentication  10
  Phased migration with an external resource  11
Prerequisites  13
Integrating the Palo Alto PA-VM Series appliance with Entrust IdentityGuard  14
  Configuring the Palo Alto Web interface management  14
  Configuring RADIUS and LDAP for the Palo Alto PA-VM Series appliance  15
    Configuring LDAP as an AAA Client  16
    Configuring Entrust IdentityGuard Radius Server as an AAA Client  19
    Creating an authentication profile for LDAP AAA clients  20
    Creating an authentication profile for RADIUS AAA clients  22
  Configuring VPN Interfaces, tunnel, and zones  25
    Creating zones for VPN  25
    Configuring an Ethernet interface for VPN  26
    Configuring a tunnel interface for Gateway  29
    Creating a security policy for VPN  30
    Creating a server certificate  33
    Creating an SSL/TLS profile  37
  Configuring GlobalProtect Gateway and Portal for IPsec/SSL VPN  38
    Configuring a GlobalProtect Gateway  38
    Configuring a GlobalProtect Portal  42
  Configuring static route  45
  Deploying and configuring GlobalProtect Client  47
  Configuring Entrust IdentityGuard Radius server with VPN server  48
    Configuring Entrust IdentityGuard Radius server for one-step authentication  48
    Configuring Entrust IdentityGuard Radius server for two-step authentication  49
    Configuring TVS authentication for Entrust IdentityGuard Radius Server  51
Testing the integration  53
  Testing GlobalProtect for one-step authentication  53
  Testing GlobalProtect for two-step authentication  55
  Testing GlobalProtect using a PVN with your second-factor authentication response  57
  Testing GlobalProtect using mobile App soft token for TVS authentication  57

© Copyright 2017 Entrust. http://www.entrust.com


All rights reserved. 3
Introduction
This technical integration guide describes how to integrate a Palo Alto VM-300 and Entrust IdentityGuard
10.2. Although this document specifically covers the Palo Alto KVM appliance (v), the information provided
applies to all Palo Alto PA-VM Series appliances using the Device Manager software. The aim of this
integration is to provide strong, second-factor authentication for your Palo Alto PA-VM Series appliance
solution using Entrust IdentityGuard 10.2.
This integration works with Entrust IdentityGuard passwords, grids, tokens, temporary PINs, one-time
passwords, knowledge-based questions and answers, mobile soft token (TVS), and Personal Verification
Numbers (PVN). For more information about using Entrust IdentityGuard, see the Entrust IdentityGuard
Administration Guide.

Integration information
Entrust product: Entrust IdentityGuard 10.2 (816) Feature Pack 1
Partner name: Palo Alto Networks
Palo Alto Firewall product: Palo Alto Virtual appliance VM-300 / version 7.0.1
Palo Alto GlobalProtect Client: version 2.3.3-5
Check the Platform Support and Integration Center for the latest supported version information at:
https://www.entrust.com/support/psic/index.cfm

Partner contact information


Contact Palo Alto at www.paloaltonetworks.com or by calling (800)553-NETS or (800)553-6387.

Supported authentication methods


The Palo Alto VM-300 software supports the Entrust IdentityGuard authentication methods and authentication
protocols listed in Table 1. The available capabilities may depend on the Entrust IdentityGuard configuration, or on the
setup of other third-party authentication resources (Active Directory, for example).
Note: The Entrust IdentityGuard Radius Server proxy supports additional authentication protocols and
authentication methods. See the Entrust IdentityGuard documentation for more information if you are
integrating different VPN devices.
Table 1: Authentication methods

Note: The PA-VM supports CHAP and PAP authentication methods with RADIUS.

Authentication method | Notes | Supported protocols
Password | Password authentication is first-factor authentication with Entrust IdentityGuard's password feature. | CHAP, PAP
Radius | Radius authentication is first-factor authentication with a Radius server. | CHAP, PAP
External | External authentication is first-factor authentication with an LDAP-compliant directory or a Windows domain controller through Kerberos. | CHAP, PAP
Grid* | Two-step authentication only. | CHAP, PAP
Token* | Entrust IdentityGuard supports both response-only tokens and challenge/response tokens. Supported over one-step. | CHAP, PAP
Temporary PIN* | Grid or token authentication must be configured. Supported over one-step. | CHAP, PAP
One-time password* | One-step supported. | CHAP, PAP
Knowledge-based questions and answers | The Radius proxy only supports a single question and answer. Two-step authentication only. | CHAP, PAP
Mutual | Serial number replay only. Grid or token authentication must be configured. Two-step only. | CHAP, PAP
Mobile ST (2) | Mobile Soft Token TVS authentication (supports response-only tokens for second-factor authentication). Classic Token authentication can be used for fallback. | CHAP, PAP. NULL first factor, MSCHAPv2, and EAP authentication are not supported.
The Radius proxy does not support the creation of new passwords or PVNs. Administrators must assign users
their initial passwords and PVNs.
Only PAP supports password and PVN updates, and only PAP supports the cell replacement feature of Entrust
IdentityGuard grids, one-time passwords, and temporary PINs. The cell replacement feature allows certain
characters to replace other characters. For example, "x" can replace "X", and "B" can replace "8".

* Can also include a personal verification number (PVN). A PVN is an additional authentication feature that can be added to other
authentication methods. Grid, token, or one-time password authentication must be configured.

(2) TVS is a strong out-of-band authentication method in which an authentication challenge is sent to the user's mobile device. The challenge
is signed by the Entrust Mobile Soft Token app and verified by the Entrust IdentityGuard server. The user can accept or reject the challenge,
which results in either a successful or a failed authentication.

Integration overview
When you install Entrust IdentityGuard, you also install the Entrust IdentityGuard Radius Server proxy. The
Radius proxy allows your remote access gateway (IPsec or SSL) to communicate with Entrust IdentityGuard
and (optionally) a Radius server or external first-factor authentication resource.

Integration with Entrust IdentityGuard and a Radius server


When you install Entrust IdentityGuard, you can integrate it into an environment with a Radius server. In this
environment, the Entrust IdentityGuard Radius Server proxy intercepts messages between the VPN server and
the Radius server (see Figure 1).
Figure 1: Overview of Entrust IdentityGuard integrated with a VPN and Radius server

VPN authentication with Entrust IdentityGuard and a first-factor authentication resource follows
these steps:
1. A user enters first-factor credentials (user name and password) into the VPN client.
2. The VPN client sends the credentials to the VPN server, which forwards them to the Entrust IdentityGuard
Radius Server proxy.
3. The Radius proxy forwards the credentials to the Radius server.
4. The Radius server generates either an accept message (the user passed first-factor authentication), or a
reject message (the user failed first-factor authentication).
5. The Radius server sends the message to the Radius proxy.
• If the message is a reject message, the Radius proxy sends the message unchanged to the VPN server.
• If the message is an accept message, the Radius proxy requests a second-factor challenge from Entrust
IdentityGuard.
6. Entrust IdentityGuard generates a second-factor challenge and sends it to the Radius proxy. The Radius
proxy sends the challenge to the VPN server, which forwards it to the VPN client.
7. The user enters a response to the second-factor challenge into the VPN client.
8. The VPN client sends the response to the VPN server, which forwards it to the Radius proxy. The Radius
proxy forwards the response to Entrust IdentityGuard for authentication.
9. Entrust IdentityGuard either accepts or rejects the response and then sends a message to the Radius proxy.
The Radius proxy forwards the message to the VPN server.
• If the message is a reject message, then the user failed second-factor authentication.
• If the message is an accept message, then the user passed second-factor authentication.
Integration with Entrust IdentityGuard and an external resource
When you install Entrust IdentityGuard, you can integrate it into an environment with an external
first-factor authentication resource. That external resource can be an LDAP-compliant directory or a
Windows domain controller through Kerberos. In this environment, the Entrust IdentityGuard Radius
Server proxy intercepts messages from the VPN server, and the Entrust IdentityGuard Radius Server
communicates with the external resource (see Figure 2).

Figure 2: Overview of Entrust IdentityGuard integrated with a VPN and first-factor authentication resource

VPN authentication with Entrust IdentityGuard and a first-factor authentication resource follows
these steps:
1. A user enters first-factor credentials (user name and password) into the VPN client.
2. The VPN client sends the credentials to the VPN server, which forwards them to the Entrust IdentityGuard
Radius Server proxy.
3. The Radius proxy forwards the credentials to Entrust IdentityGuard, which forwards them to the external
resource.
4. The external resource generates either a success message (the user passed first-factor authentication) or a
fail message (the user failed first-factor authentication).
5. The external resource sends the message to Entrust IdentityGuard.
• If the message is a fail message, the Radius proxy sends a reject message to the VPN server.
• If the message is a success message, Entrust IdentityGuard generates a second-factor challenge and
sends it to the Radius proxy.
6. The Radius proxy sends the challenge to the VPN server, which forwards it to the VPN client.
7. The user enters a response to the second-factor challenge into the VPN client.
8. The VPN client sends the response to the VPN server, which forwards it to the Radius proxy. The Radius
proxy forwards the response to Entrust IdentityGuard for authentication.
9. Entrust IdentityGuard either accepts or rejects the response and then sends a message to the Radius proxy.
10. The Radius proxy forwards the message to the VPN server.
• If the message is a reject message, then the user failed second-factor authentication.
• If the message is an accept message, then the user passed second-factor authentication.

Integration with Entrust IdentityGuard only
When you install Entrust IdentityGuard, you can configure it to handle both first-factor authentication and
second-factor authentication. In this environment, the Entrust IdentityGuard Radius Server proxy intercepts
messages between the VPN server and Entrust IdentityGuard (see Figure 3).
Figure 3: Overview of Entrust IdentityGuard integrated with a VPN

VPN authentication with Entrust IdentityGuard follows these steps:


1. A user enters first-factor credentials (user name and password) into the VPN client.
2. The VPN client sends the credentials to the VPN server, which forwards them to the Entrust IdentityGuard
Radius Server proxy.
3. The Radius proxy forwards the credentials to Entrust IdentityGuard.
4. Entrust IdentityGuard generates either an accept message (the user passed first-factor authentication) or a
reject message (the user failed first-factor authentication).
• If the message is a reject message, the Radius proxy sends the message unchanged to the VPN server.
• If the message is an accept message, Entrust IdentityGuard generates a second-factor challenge and
sends it to the Radius proxy. The Radius proxy sends the challenge to the VPN server, which forwards it
to the VPN client.
5. The user enters a response to the second-factor challenge into the VPN client.
6. The VPN client sends the response to the VPN server, which forwards it to the Radius proxy. The Radius
proxy forwards the response to Entrust IdentityGuard for authentication.
7. Entrust IdentityGuard either accepts or rejects the response and then sends a message to the Radius proxy.
8. The Radius proxy forwards the message to the VPN server.
• If the message is a reject message, then the user failed second-factor authentication.
• If the message is an accept message, then the user passed second-factor authentication.
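The three flows above share one RADIUS exchange: an Access-Request carrying the first factor, an Access-Challenge carrying a State attribute, a second Access-Request that returns that State with the second-factor response, and finally Access-Accept or Access-Reject. The following Python is an added illustration, not Entrust's or Palo Alto's code: it implements the RFC 2865 packet format, PAP User-Password hiding and the Response Authenticator check with the standard library only, and a TwoStepProxy that stands in for the Radius proxy plus Entrust IdentityGuard; the shared secret, user, password and grid response are constructed values.

```python
import hashlib, hmac, os, struct

# RADIUS codes and attribute types (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def _pap_xor(data, secret, authenticator, data_is_hidden):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous hidden block), seeded by the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = block if data_is_hidden else result
    return out

def hide_password(password, secret, authenticator):
    return _pap_xor(password + b"\x00" * (-len(password) % 16), secret, authenticator, False)

def reveal_password(hidden, secret, authenticator):
    return _pap_xor(hidden, secret, authenticator, True).rstrip(b"\x00")

def _encode(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def access_request(ident, secret, attrs):
    # Client side: a fresh random Request Authenticator; User-Password is hidden under it.
    auth = os.urandom(16)
    attrs = [(t, hide_password(v, secret, auth) if t == USER_PASSWORD else v) for t, v in attrs]
    return _encode(ACCESS_REQUEST, ident, auth, attrs), auth

def reply(code, ident, request_auth, attrs, secret):
    # Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    pkt = _encode(code, ident, request_auth, attrs)
    return pkt[:4] + hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest() + pkt[20:]

def decode(packet):
    # Parse the header and TLV attributes, rejecting truncated or overlapping attributes.
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS header or Length field")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs

def verify_reply(packet, request_auth, secret):
    # Client side: a reply whose Response Authenticator does not verify is discarded, never trusted.
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)

class TwoStepProxy:
    # Stands in for the Radius proxy plus Entrust IdentityGuard: first factor, then Access-Challenge
    # carrying State, then the second-factor response, which must come back under that same State.
    def __init__(self, secret, first_factor, second_factor):
        self.secret = secret
        self.first_factor = first_factor    # constructed: user -> first-factor password
        self.second_factor = second_factor  # constructed: user -> expected grid/token response
        self.pending = {}                   # State -> user who still owes a second factor

    def handle(self, packet):
        code, ident, auth, attrs = decode(packet)
        a = dict(attrs)
        if code != ACCESS_REQUEST or USER_NAME not in a or USER_PASSWORD not in a:
            return reply(ACCESS_REJECT, ident, auth, [], self.secret)
        user, supplied = a[USER_NAME], reveal_password(a[USER_PASSWORD], self.secret, auth)
        if STATE in a:  # step 2: the State must match a challenge issued to this very user
            expected = self.second_factor.get(user)
            if self.pending.pop(a[STATE], None) != user or expected is None:
                return reply(ACCESS_REJECT, ident, auth, [], self.secret)
            ok = hmac.compare_digest(supplied, expected)
            return reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, auth, [], self.secret)
        expected = self.first_factor.get(user)
        if expected is None or not hmac.compare_digest(supplied, expected):
            return reply(ACCESS_REJECT, ident, auth, [], self.secret)  # first factor failed
        state = os.urandom(16)
        self.pending[state] = user
        return reply(ACCESS_CHALLENGE, ident, auth,
                     [(REPLY_MESSAGE, b"Enter grid cells [A1][C3][E2]:"), (STATE, state)], self.secret)

def _exchange(proxy, secret, ident, attrs):
    # VPN-server side of one round trip; a reply that fails verification is an error, not a result.
    req, auth = access_request(ident, secret, attrs)
    resp = proxy.handle(req)
    if not verify_reply(resp, auth, secret):
        raise ValueError("reply failed the Response Authenticator check")
    code, _, _, reply_attrs = decode(resp)
    return code, dict(reply_attrs)

def vpn_login(proxy, secret, user, password, second_factor_response):
    # Returns the final RADIUS code the VPN server acts on (2 = accept, 3 = reject).
    code, a = _exchange(proxy, secret, 1, [(USER_NAME, user), (USER_PASSWORD, password)])
    if code != ACCESS_CHALLENGE:
        return code
    attrs = [(USER_NAME, user), (USER_PASSWORD, second_factor_response), (STATE, a[STATE])]
    return _exchange(proxy, secret, 2, attrs)[0]
```

Note that the second-factor response travels in User-Password exactly like the first factor, which is why the proxy can only see and normalize it (the cell replacement feature) under PAP.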

Migrating users to Entrust IdentityGuard
When integrating your VPN with Entrust IdentityGuard, your VPN users must also become Entrust
IdentityGuard users to take advantage of Entrust IdentityGuard authentication. You can accomplish this
migration in one of several ways:

• Forced migration
• Phased migration with a parallel authentication resource
• Phased migration with a Radius server or Entrust IdentityGuard first-factor authentication
• Phased migration with an external resource
Each migration scenario is discussed in more detail in the following sections.

Forced migration
With forced migration, you have an existing VPN that provides access to a protected resource and you want to
use the Entrust IdentityGuard Administration interface to migrate all users to Entrust IdentityGuard at a
pre-announced switch-over date.
Advantages

• Easy to implement
• Effective with a small number of users
Disadvantages

• Administrators may experience a large number of problems on the switch-over date, because there is no
user feedback of the kind a pilot would generate.
• Need an external process that maintains users between the existing system and the new Entrust
IdentityGuard system.
To perform a forced migration
1. Inform your VPN users that you plan to add second-factor authentication on a specified date.
2. Provide your users with their grid cards, tokens, or temporary PINs for Entrust IdentityGuard authentication.
3. On the switch-over date, have an Entrust IdentityGuard administrator use the bulk operations mechanism of
Entrust IdentityGuard to load all your VPN users into the Entrust IdentityGuard repository. (See the Entrust
IdentityGuard Administration Guide for information about bulk operations.)
4. Integrate your VPN and Entrust IdentityGuard.

Phased migration with a parallel authentication resource
With phased migration, you have an existing VPN that provides access to a protected resource, and you use
another authentication resource to authenticate users with Entrust IdentityGuard. An authentication resource
may be another VPN device, or it may be a parallel configuration on your current VPN. For example, with an
SSL VPN, Entrust IdentityGuard users might use another URL to log in, or choose a different authentication
realm or group to authenticate to. The exact form of the parallel authentication resource depends on your
VPN.
Create the alternate login mechanism on the VPN and migrate users to Entrust IdentityGuard in phases using
the Administration interface. Migrated users are forced to authenticate with Entrust IdentityGuard
authentication. Users that have not yet migrated bypass Entrust IdentityGuard authentication.
Advantages

• Allows for a pilot and user feedback.
• Any users not yet migrated to the new system do not see any changes.
Disadvantages

• Need an external process that maintains users between the existing system and the new Entrust
IdentityGuard system.
• May require another VPN.
• Users can bypass the second-factor login by using the old authentication mechanism.

To perform a phased migration with a parallel authentication resource


1. Integrate Entrust IdentityGuard with your existing VPN or a new dedicated VPN.
2. Have an Entrust IdentityGuard administrator use the bulk operations mechanism of Entrust IdentityGuard to
load all your VPN users into the Entrust IdentityGuard repository. (See the Entrust IdentityGuard
Administration Guide for information about bulk operations.)
3. Inform your users that they should now use second-factor authentication and provide them with their grid
cards, tokens, or temporary PINs for Entrust IdentityGuard authentication.
4. Direct your users to the new authentication resource integrated with Entrust IdentityGuard.
5. After all your users have migrated, disable the old access method not integrated with Entrust IdentityGuard.

Phased migration with a Radius server or Entrust IdentityGuard first-factor authentication
You have an existing VPN that provides access to a protected resource and authenticates users against a Radius
server or local VPN authentication. You want to migrate users to Entrust IdentityGuard second-factor authentication,
while first-factor authentication continues to use either the Radius server or Entrust IdentityGuard.
To migrate, you use the Entrust IdentityGuard Administration interface to move users to Entrust IdentityGuard
in phases. Migrated users are forced to authenticate with Entrust IdentityGuard authentication. Users that have
not yet migrated bypass Entrust IdentityGuard authentication.

Advantages

• Any users not yet migrated to the new system are not inconvenienced.
• Any users migrated to the new system cannot bypass it and use the old system.
• Gradually adding users to the new system means administrators experience fewer problems. Starting
with a small group of users allows for a pilot that generates user feedback.
Disadvantages

• Need an external process that moves users between the existing system and the new Entrust
IdentityGuard system.
• More overhead to inform users in a staged manner.

To perform a phased migration with a Radius server or Entrust IdentityGuard first-factor authentication
1. Integrate your VPN and Entrust IdentityGuard.
When setting Entrust IdentityGuard properties for your VPN, set the Skip Second-Factor Authentication for
Nonexistent Users property to True, and (optionally) set the Skip Second-Factor Authentication for Users
Unable to Respond property to True. For more information about these properties, see the Entrust
IdentityGuard Administration Guide.
2. Have an Entrust IdentityGuard administrator use the bulk operations mechanism of Entrust IdentityGuard to
load a portion of your VPN users into the Entrust IdentityGuard repository. (See the Entrust IdentityGuard
Administration Guide for information on bulk operations.)
3. Inform migrated users that they must now use second-factor authentication and provide them with their grid
cards, tokens, or temporary PINs for Entrust IdentityGuard authentication.
4. After these users have successfully migrated, load another portion of users into the Entrust IdentityGuard
repository, and provide those users with grid cards, tokens, or temporary PINs.
5. Continue this process until all users have migrated.

Phased migration with an external resource


With phased migration with an external resource, you have an existing VPN that provides access to a
protected resource and an external resource (an LDAP-compliant directory or Windows domain controller
through Kerberos) that provides first-factor authentication. You use the Entrust IdentityGuard Administration
interface to migrate users to Entrust IdentityGuard in phases. Migrated users are forced to authenticate with
Entrust IdentityGuard authentication. Non-migrated users bypass Entrust IdentityGuard authentication.
Advantages

• Any users not yet migrated to the new system are not inconvenienced.
• Any users migrated to the new system cannot bypass it and use the old system.
• Gradually adding users to the new system means administrators experience fewer problems. Starting
with a small group of users allows for a pilot that generates user feedback.
Disadvantages

• Need an external process that maintains users between the existing system and the new Entrust
IdentityGuard system.
• Need to inform users in a staged manner.

To perform a phased migration with an external resource
1. Have an Entrust IdentityGuard Administrator use the bulk operations mechanism of Entrust IdentityGuard to
load all your VPN users into the Entrust IdentityGuard repository. (See the Entrust IdentityGuard
Administration Guide for information on bulk operations.)
2. Integrate your VPN and Entrust IdentityGuard.
When setting Entrust IdentityGuard properties for your VPN, set the Skip Second-Factor Authentication for
Nonexistent Users property to True. For more information about this property, see the Entrust
IdentityGuard Administration Guide.
3. Provide a portion of users with grid cards, tokens, or temporary PINs for Entrust IdentityGuard
authentication.
4. After these users have successfully migrated, provide another portion of users with grid cards, tokens, or
temporary PINs.
5. Continue this process until all users have migrated.

Prerequisites
Complete the following steps before integrating your authentication system with Entrust IdentityGuard:
1. Install and configure your first-factor authentication resource using the documentation provided by the
vendor. The first-factor authentication resource can be a Radius server or an external authentication
resource (either an LDAP-compliant directory or Windows domain controller through Kerberos).
2. Install and configure the Palo Alto PA-VM Series appliance using the documentation provided by Palo Alto
Networks. The device must be able to route traffic before you integrate it with Entrust IdentityGuard.
3. Install and configure Entrust IdentityGuard and the Entrust IdentityGuard Radius Server proxy (see the
Entrust IdentityGuard Installation Guide). Take note of the shared secrets, IP addresses, and ports you use.
You need this information to configure the Palo Alto PA-VM Series appliance and first-factor authentication
resource.
4. If you want to configure your Palo Alto PA-VM Series appliance and first-factor authentication resource to
recognize Entrust IdentityGuard user groups, you must define the Entrust IdentityGuard user groups first.
(See the Entrust IdentityGuard Administration Guide).

Integrating the Palo Alto PA-VM Series appliance
with Entrust IdentityGuard
This section contains the following topics:

• Configuring the Palo Alto Web interface management
• Configuring RADIUS and LDAP for the Palo Alto PA-VM Series appliance
• Configuring VPN Interfaces, tunnel, and zones
• Configuring GlobalProtect Gateway and Portal for IPsec/SSL VPN
• Configuring static route
• Deploying and configuring GlobalProtect Client
• Configuring Entrust IdentityGuard Radius Server with VPN Server

Configuring the Palo Alto Web interface management


To configure the Palo Alto web management interface
1. Download the Palo Alto Virtual appliance VM-300 / version 7.0.1 from the Palo Alto Networks website.
2. Deploy the PA-VM Series OVA to an ESXi server or vCenter Server.
3. Select the Palo Alto VM and open the console. The login screen appears for you to enter the admin
credentials.

4. Enter the default username/password (admin/admin) to log in. The welcome screen appears.

5. To enable the configuration mode, type configure.

6. Configure the network access settings for the management interface. The management interface is used for
management traffic, VPN, and Radius server configurations.
7. To configure web management access, do the following:
a. At the prompt, enter set deviceconfig system ip-address <management-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
For example:
set deviceconfig system ip-address 10.10.10.80 netmask 255.255.224.0 default-gateway 10.10.10.1 dns-setting servers primary 10.10.10.45
b. Press Enter.
c. At the command prompt, type commit to make the web interface accessible.
d. Open a web browser and type https://<IP Address>. The Palo Alto Dashboard page appears.

Configuring RADIUS and LDAP for the Palo Alto PA-VM Series
appliance
The following procedures describe how to configure the Palo Alto PA-VM Series appliance to use the Entrust
IdentityGuard Radius Server proxy. It is assumed that you are familiar with the administration interface of the
Palo Alto PA-VM Series appliance. All examples use the Palo Alto interface.
To set up the Palo Alto PA-VM Series appliance, you must add the Entrust IdentityGuard Radius Server proxy
as an AAA (Authentication Authorization Accounting) client, and then configure an IPSec connection profile.
This topic contains the following procedures:

• Configuring LDAP as an AAA Client
• Configuring Entrust IdentityGuard Radius Server as an AAA Client
• Creating an authentication profile for LDAP AAA clients

• Creating an authentication profile for RADIUS AAA clients

Configuring LDAP as an AAA Client


To configure the Entrust LDAP as an AAA Client
1. Log in to the Palo Alto Web management interface. The Palo Alto Dashboard page appears.

2. Click the Device tab. The navigation pane appears.

3. In the navigation pane, select Server Profiles > LDAP.
4. Click Add at the bottom of the Palo Alto main page. The LDAP Server Profile page appears.

5. In the LDAP Server Profile page, do the following:


a. In the Profile Name field, enter a name for the LDAP server profile (for example,
Active_Directory).
b. In the Server List, click Add. The LDAP Server Profile page updates for you to add information about
the LDAP server.
c. In the Server list pane, do the following:
- In the Name field, enter a name for the LDAP server entry, for example, IGUser.
- In the LDAP Server field, enter the IP address or host name of the Active Directory server.
- In the Port field, enter 389, or enter 639 if you are using an SSL connection over LDAP.
d. In the Server Settings pane, do the following:
- Select active-directory from the Type drop-down list.
- In the Base DN field, enter the domain name (for example, if your Active Directory has a domain
name such as iguser.mycompany.com, then you need to specify Base DN
dc=igsuser,dc=mycompany,dc=com).
- In the Bind DN field, enter the login domain name (for example,
cn=administrator,cn=users,dc=iguser,dc=mycompany,dc=com).
- In the Password field, enter the Active Directory administrator account password and Confirm
Password the password.
- Leave the other settings at the default values.
- Select the Require SSL/TLS secured connection check box.
e. Click OK to close the LDAP server Profile page. You are returned to the Palo Alto Device page.

6. Click Commit at the top of the Palo Alto main page.
7. Next, configure the Group Mapping profile by doing the following:
a. Click the Device tab and then in the navigation pane select User Identification. The User Identification
page appears.
b. Click the Group Mapping Settings tab and then click Add at the bottom of the Palo Alto main page.
The Group Mapping page appears.
c. In the Name field, enter a name (for example, Group_Mapping).
d. From the Server Profile drop-down list, select the LDAP Server Profile you created in the previous steps.
e. Select the Enabled check box at the bottom.
f. Leave the other settings at the default values.
g. Click the Group Include List tab and expand the Available Groups list.
h. Select the groups (the entries starting with cn=) that you want to make available to the firewall for use in
policies.
i. Click the + sign in the middle to add them to the Included Groups list.
j. Click OK to save the changes, and click OK again to close the Group Mapping page.
8. Click Commit at the top of the Palo Alto main page.
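The Base DN and Bind DN entered in step 5d are derived mechanically from the Active Directory domain name, and the values in one profile have to agree with each other. The following Python script is an added example (it is not part of this guide and not Entrust or Palo Alto code) that performs that derivation for the sample domain iguser.mycompany.com and checks a profile for the mistakes that most often break the LDAP bind: a Base DN that is not a dc= naming context, a Bind DN that sits under a different naming context, and a missing Require SSL/TLS selection. The profile field names (type, base_dn, bind_dn, require_tls) and the function names are the script's own.

```python
"""Derive and sanity-check the values the LDAP Server Profile asks for.
Added example, not Entrust's or Palo Alto's code; the domain and account
below are the guide's sample values."""
import re
from typing import Dict, List

AD_DOMAIN = "iguser.mycompany.com"   # sample domain from the guide
BIND_ACCOUNT = "administrator"       # account used for the LDAP bind


def base_dn_from_domain(domain: str) -> str:
    """Map a DNS domain name to the Active Directory default naming context:
    iguser.mycompany.com -> dc=iguser,dc=mycompany,dc=com"""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def bind_dn_for_account(cn: str, domain: str) -> str:
    """Default placement of a user object in AD: cn=<user>,cn=users,<base DN>."""
    return f"cn={cn},cn=users,{base_dn_from_domain(domain)}"


def check_ldap_profile(profile: Dict[str, object]) -> List[str]:
    """Return findings for a profile dict with the fields used in the guide
    (type, base_dn, bind_dn, require_tls); an empty list means it is consistent."""
    findings: List[str] = []
    base_dn = str(profile.get("base_dn", ""))
    bind_dn = str(profile.get("bind_dn", ""))
    if profile.get("type") != "active-directory":
        findings.append("Type should be active-directory for an AD domain")
    if not re.fullmatch(r"dc=[a-z0-9-]+(,dc=[a-z0-9-]+)*", base_dn):
        findings.append("Base DN is not a well-formed dc= naming context")
    elif not bind_dn.lower().endswith("," + base_dn):
        findings.append("Bind DN does not sit under the Base DN")
    if not profile.get("require_tls"):
        # the bind sends the account password; without TLS it crosses the network in clear
        findings.append("Require SSL/TLS secured connection is not selected")
    return findings


def example_profile(require_tls: bool = True) -> Dict[str, object]:
    """The profile the guide's steps produce for the sample domain."""
    return {
        "type": "active-directory",
        "base_dn": base_dn_from_domain(AD_DOMAIN),
        "bind_dn": bind_dn_for_account(BIND_ACCOUNT, AD_DOMAIN),
        "require_tls": require_tls,
    }
```

Run check_ldap_profile on the values you are about to type into the LDAP Server Profile page; an empty list means the Base DN, Bind DN and TLS setting are consistent with the procedure above.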

Configuring Entrust IdentityGuard Radius Server as an AAA Client

To configure the Entrust IdentityGuard Radius Server proxy as an AAA Client
1. Log in to the Palo Alto web management interface. The Palo Alto Dashboard page appears.
2. Click the Device tab and then in the navigation pane select Server Profiles > RADIUS.
3. Click Add at the bottom of the Palo Alto main page. The RADIUS Server Profile page appears.
4. In the RADIUS Server Profile page, do the following:
a. In the Profile Name field, enter the Entrust IdentityGuard Radius Server name (for example,
IdentityGuard).
b. In the Servers pane, click Add. The RADIUS Server Profile page updates, allowing you to add details
for your RADIUS server.
c. In the Name field, enter the RADIUS server name.
d. In the RADIUS Server field, enter the IP address of the RADIUS server.
e. In the Secret field, enter the RADIUS shared secret.
f. In the Port field, enter the port number (the default is 1812).
5. Click OK.
6. Click Commit at the top of the Palo Alto main page.

Creating an authentication profile for LDAP AAA clients

To create an authentication profile for LDAP AAA clients
1. Log in to the Palo Alto web management interface. The Palo Alto Dashboard page appears.
2. Click the Device tab and then in the navigation pane select Authentication Profile.
3. Click Add at the bottom of the Palo Alto main page. The Authentication Profile page appears.
4. In the Authentication Profile page, do the following:
a. In the Name field, enter a name for the authentication profile.
b. From the Type drop-down list, select LDAP. The Authentication Profile page updates for you to enter
the LDAP information.
c. From the Server Profile drop-down list, select the Active_Directory profile.
d. In the User Domain field, enter the domain name of the LDAP server (for example, ldap.mycompany.com).
e. From the Username Modifier drop-down list, select %USERINPUT%.
f. Click the Advanced tab. The Authentication Profile Advanced page appears.
g. Click Add. A list of domain users appears.
h. Select the groups (the entries starting with cn=) that you want to make available to the firewall for use in
policies.
5. Click OK to close the Authentication Profile page and return to the Palo Alto main page.
6. Click Commit at the top of the Palo Alto main page to save the configuration changes.

Creating an authentication profile for RADIUS AAA clients

To create an authentication profile for RADIUS AAA clients
1. Log in to the Palo Alto web management interface. The Palo Alto Dashboard page appears.
2. Click the Device tab and then in the navigation pane select Authentication Profile.
3. Click Add at the bottom of the Palo Alto main page. The Authentication Profile page appears.
4. In the Authentication Profile page, do the following:
a. In the Name field, enter a name for the authentication profile (for example, IdentityGuard).
b. From the Type drop-down list, select RADIUS. The Authentication Profile page updates for you to
enter the RADIUS information.
c. From the Server Profile drop-down list, select the IdentityGuard profile.
d. Click the Advanced tab. The Authentication Profile Advanced page appears.
e. Click Add. A list of domain users appears.
f. Select the All check box.
5. Click OK to close the Authentication Profile page and return to the Palo Alto main page.
6. Click Commit at the top of the Palo Alto main page to save the configuration changes.

Configuring VPN Interfaces, tunnel, and zones
The GlobalProtect portal and gateway are both configured on Ethernet1/2, the physical interface where the
GlobalProtect clients connect. After a client connects and successfully authenticates to the portal and gateway,
the agent establishes a VPN tunnel from its virtual adapter, which has been assigned an address from the IP
address pool associated with the gateway tunnel (tunnel.2).
This section contains the following procedures:
• Creating zones for VPN
• Configuring an Ethernet interface for VPN
• Configuring a tunnel interface for Gateway
• Creating a security policy for VPN
• Creating a server certificate
• Creating an SSL/TLS profile
Creating zones for VPN

To create zones for VPN
1. Log in to the Palo Alto web management interface. The Palo Alto Dashboard page appears.
2. Click the Network tab and then in the navigation pane select Zone.
3. Click Add at the bottom of the page. The Zone page appears.
4. In the Zone page, do the following:
a. In the Name field, enter a name for the zone (for example, Corp-zone or Trust).
b. From the Type drop-down list, select Layer3.
c. Select the Enable User Identification check box.
5. Click OK to save the zone and return to the Palo Alto main page, and then click Commit.
6. Repeat this procedure to create an Untrust zone.

Configuring an Ethernet interface for VPN

After creating a zone for GlobalProtect, you need to configure an Ethernet interface for GlobalProtect.

To configure an Ethernet interface for VPN
1. In the Palo Alto main page, click the Network tab and then in the navigation pane select Interfaces. The
Network Interfaces page appears.
2. Click the Ethernet tab and then do the following:
a. Click Ethernet1/2. The Ethernet Interface page appears.
b. From the Interface Type drop-down list, select Layer3.
c. From the Virtual Router drop-down list, select Default.
d. From the Security Zone drop-down list, select untrust.
3. Click the IPv4 tab. The IPv4 page appears.
4. In the IPv4 page, do the following:
a. Click Add. The IPv4 page updates for you to enter the IPv4 static IP address.
b. Enter the IPv4 static IP address (for example, 10.10.10.35/24).
5. Click the Advanced tab to create a management profile. The Ethernet Interface advanced options appear.
6. From the Management Profile drop-down list, select New to create a management profile. The Interface
Management Profile page appears.
7. In the Interface Management Profile page, do the following:
a. In the Name field, enter a name for the management profile.
b. In the Permitted Services list, select the services to allow through management access.
c. Click OK to return to the Ethernet Interface advanced settings page.
8. Select the Untagged Subinterfaces check box.
9. Click OK to return to the Palo Alto main page, and then click Commit.

Configuring a tunnel interface for Gateway

To configure a tunnel interface for Gateway
1. In the Palo Alto main page, click the Network tab and then in the navigation pane select Interfaces. The
Interfaces page appears.
2. Click the Tunnel tab and select the tunnel 2 interface.
3. Click Add at the bottom of the page. The Tunnel Interface page appears.
4. In the Tunnel Interface page, do the following:
a. Next to the Interface Name field, type a number between 1 and 9999 (for example, 2).
b. Click the Config tab.
c. From the Virtual Router drop-down list, select a virtual router (for example, Default).
d. From the Security Zone drop-down list, select Trust.
5. Click OK to return to the Palo Alto main page, and then click Commit.

Creating a security policy for VPN

To enable access to your internal resources, you need to create a security policy that allows traffic to flow
between the corp-vpn zone and the l3-trust zone.

To create a security policy for VPN
1. In the Palo Alto main page, click the Policies tab and then in the navigation pane select Security.
2. Click Add at the bottom left of the page to add a new rule. The Security Policy Rule page appears.
3. In the Security Policy Rule page, do the following to define the rule:
a. In the Name field, enter a name (for example, VPN_Access).
b. Select the Source tab. The Security Policy Rule page updates for you to add a source zone.
c. Click Add at the bottom of the Source Zone list. A list of source zones appears.
d. From the Source Zone drop-down list, select Corp-zone.
e. For the Source Address, select Any.
4. Click the Destination tab. The Destination options page appears.
5. In the Destination options page, do the following:
a. Click Add under Destination Zone. The page updates for you to select a destination zone.
b. From the Destination Zone drop-down list, select Untrust.
c. For the Destination Address, select the Any check box.
6. Click the Application tab to specify the application services you want to enable for the remote access user.
The Applications option page appears.
7. In the Applications option page, click Add, search for the application services (for example, HTTPS,
RADIUS, LDAP), and then select the applicable services.
8. Click OK to return to the Palo Alto main page, and then click Commit.

Creating a server certificate

You create a server certificate for the interface hosting the GlobalProtect portal and gateway using one of the
following methods:
• Importing a certificate from Entrust
• Generating a certificate from Entrust

To import a certificate from Entrust
1. In the Palo Alto main page, click the Device tab and then in the navigation pane select Certificate
Management > Certificates. The Certificates page appears.
2. Select the device certificate and click Import. The Import Certificate page appears.
3. In the Import Certificate page, do the following:
a. In the Certificate File field, click Browse to select the certificate you want to import.
b. From the File Format drop-down list, do one of the following:
- If you select Encrypted Private Key and Certificate (PKCS12), select the Private key resides on
Hardware Security Module check box.
- If you select Base64 Encoded Certificate (PEM), you must import the key separately from the
certificate.
c. If a hardware security module (HSM) stores the private key for this certificate, select the Private key
resides on Hardware Security Module check box, go directly to the Passphrase field, and enter and
confirm the passphrase used to encrypt the private key.
d. If the private key for this certificate is not stored on an HSM, do the following:
- Select the Import Private Key check box.
- Enter the Key File or click Browse to select it.
- Enter and confirm the passphrase used to encrypt the private key.
4. Click OK. The Certificates page displays the imported certificate.

To generate a certificate from Entrust
1. In the Palo Alto main page, click the Device tab and then in the navigation pane select Certificate
Management > Certificates. The Certificates page appears.
2. Click Generate at the bottom of the page. The Generate Certificate page appears.
3. In the Generate Certificate page, do the following:
a. In the Certificate Name field, enter a certificate name (for example, TestCertificate).
b. In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you
will configure the service that will use this certificate.
c. From the Signed By drop-down list, select the root CA certificate that will issue the certificate.
d. Optionally, select an OCSP Responder from the drop-down list.
e. From the Algorithm drop-down list, select RSA.
f. Select the Number of Bits to define the certificate key length.
g. Select the Digest algorithm.
Note: From most to least secure, the options are sha512, sha384, sha256 (default), sha1, and md5.
h. In the Expiration field, enter the number of days (default is 365) for which the certificate is valid.
i. Click Generate. The Certificate Information page appears.
4. Click Commit on the Palo Alto main page.

Creating an SSL/TLS profile
To create an SSL/TLS profile
1. In the Palo Alto main page, click the Device tab and then in the navigation pane select Certificate
Management > SSL/TLS Service Profile.
2. Click Add. The SSL/TLS Service Profile page appears.
3. In the SSL/TLS Service Profile page, do the following:
a. In the Name field, enter a name for the SSL/TLS service profile.
b. From the Certificate drop-down list, select a certificate.
c. From the Min Version drop-down list, select TLSv1.0.
d. From the Max Version drop-down list, select TLSv1.2.
4. Click OK to return to the Palo Alto main page, and then click Commit.

Configuring GlobalProtect Gateway and Portal for IPsec/SSL VPN
GlobalProtect provides a complete infrastructure for managing your mobile workforce to enable secure access
for all your users, regardless of what devices they are using or where they are located.
GlobalProtect gateways provide security enforcement for traffic from GlobalProtect agents and apps, and the
GlobalProtect portal provides the management functions for your GlobalProtect infrastructure.
This section includes the following procedures:
• Configuring a GlobalProtect Gateway
• Configuring a GlobalProtect Portal

Configuring a GlobalProtect Gateway

To configure a GlobalProtect gateway
1. Log in to the Palo Alto web management interface. The Palo Alto Dashboard page appears.
2. Click the Network tab and in the navigation pane select GlobalProtect > Gateways.
3. Click Add to create a new gateway. The GlobalProtect Gateway page appears.
4. In the GlobalProtect Gateway page, do the following:
a. In the Name field, enter a name for the GlobalProtect Gateway (for example,
GlobalProtect_Gateway).
b. From the Interface drop-down list, select ethernet1/2.
c. From the IP Address drop-down list, select the ethernet1/2 interface IP address.
d. From the SSL/TLS Service Profile drop-down list, select the SSL/TLS service profile you created in the
section Creating an SSL/TLS profile.
e. From the Authentication Profile drop-down list, select the Entrust IdentityGuard Radius Server
authentication profile.
f. Optionally, customize the Authentication Message that will be shown on the login window.
5. Click the Client Configuration tab. The Client Configuration page appears.
6. In the Client Configuration page, do the following:
a. Select the Tunnel Mode check box.
b. From the Tunnel Interface drop-down list, select tunnel.20.
c. Set Max User according to your requirements.
d. Select the Enable IPSec check box.
e. From the GlobalProtect IPSec Crypto drop-down list, select default.
f. Leave the other settings at the default values.
g. Click OK to return to the GlobalProtect Gateway page.
7. On the GlobalProtect Gateway page, click the Network Settings tab. The Network Settings page
appears.
8. Click Add to create a new client entry. A Configs page appears for you to enter the client information.
9. In the Configs page, do the following:
a. In the Name field, enter a name for your client.
b. Select a Source User (for example, Any).
c. In the OS field, select Any.
10. Select the Network Settings tab. The Network Settings options page appears.
11. Click Add to create an IP pool for clients, and enter an IP address range as two addresses separated by a
dash (for example, 10.10.10.20-10.10.10.30).
12. In the Access Route pane, click Add to create an access route and enter the interface subnet.
For example, if the ethernet1/2 interface has the IP address 10.10.10.35 with a /24 subnet, enter the subnet
10.10.10.0/24 here.
13. Click OK to return to the GlobalProtect Gateway page.
14. On the GlobalProtect Gateway page, click the Network Services tab.
15. For the Network Services options, do the following:
a. From the Inheritance Source drop-down list, select none.
b. From the Primary DNS drop-down list, select the DNS IP address.
c. Optionally, from the Secondary DNS drop-down list, select the IP address for the secondary DNS.
16. Click OK to return to the Palo Alto main page, and then click Commit.

Configuring a GlobalProtect Portal
To configure a GlobalProtect Portal
1. Log in to the Palo Alto web management interface. The Palo Alto Dashboard page appears.
2. Click the Network tab and in the navigation pane select GlobalProtect > Portals.
3. Click Add to create a new portal. The GlobalProtect Portal page appears.
4. In the GlobalProtect Portal page, do the following:
a. In the Name field, enter a name for the portal.
b. From the Interface drop-down list, select the ethernet1/2 interface.
c. From the IP Address drop-down list, select the ethernet1/2 interface IP address.
d. From the SSL/TLS Service Profile drop-down list, select the SSL/TLS service profile you created in
Creating an SSL/TLS profile.
e. From the Authentication Profile drop-down list, select IdentityGuard.
f. Optionally, in the Authentication Message field, modify the login page message.
g. Select the Client Certificate from the drop-down list.
h. Optionally, select the Certificate Profile from the drop-down list.
i. Do not select the Disable Login Page check box.
j. Leave the other settings at the default values.
5. Click the Agent Configuration tab. The Agent Configuration page appears.
6. Click Add at the bottom of the page. The Configs page appears.
7. In the Configs page, do the following:
a. In the Name field, enter a portal configuration name (for example, VPN_Portal).
b. Select the Use single sign-on (Windows only) check box.
c. From the Connect Method drop-down list, select user-logon (Always On).
d. From the Client Certificate drop-down list, select the certificate.
e. Leave the other settings at the default values.
8. Click the Gateways tab. The Gateways Configs page appears.
9. In the Gateways Configs page, do the following:
a. Click Add under External Gateways. The Gateway Configs page updates so that you can enter the
External Gateways information.
b. In the Name field, enter a name for the gateway (for example, IdentityGuard).
c. In the Address field, enter the IP address of ethernet1/2.
d. Set the Priority to Highest.
e. Select the Manual check box.
f. Click OK. You are returned to the GlobalProtect Portal page.
10. Click OK to close the GlobalProtect Portal page and return to the Palo Alto main page, and then click
Commit.
You have now configured the GlobalProtect Gateway and GlobalProtect Portal for the GlobalProtect client.

Configuring static route

Configure the static route to reach the subnets within the corporate network from which the administrator or
user accesses the Palo Alto admin page or the Palo Alto GlobalProtect client page.

To configure the network subnet to allow traffic for all the networks and VLANs
1. Log in to the Palo Alto web management interface. The Palo Alto Dashboard page appears.
2. Click the Network tab and in the navigation pane select Virtual Routers > Default.
3. Select the check box next to default. The Virtual Router Default page appears.
4. In the Virtual Router Default page, do the following:
a. Click the Static Routes tab.
b. Click Add. The Static Route page appears for you to enter the static route values.
c. In the Name field, enter a name for the static route.
d. In the Destination field, enter the network subnet (for example, if you have different VLANs with the
network addresses 10.10.20.1/24, 10.10.30.1/24, 10.10.40.1/24, and so on, enter the aggregate subnet
10.10.0.0/16).
5. Click OK to save the changes and return to the Palo Alto main page, and then click Commit.
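The addressing values entered across the gateway procedure (IP pool and access route) and the static route above depend on each other, and a mismatch between them is a common reason a GlobalProtect client connects but cannot reach anything. The following Python script is an added example (it is not part of this guide and not Entrust or Palo Alto code) that derives the access route from the ethernet1/2 address 10.10.10.35/24, checks that the client pool 10.10.10.20-10.10.10.30 lies inside that subnet without covering the interface address, and computes the smallest prefix that covers the VLAN subnets 10.10.20.1/24, 10.10.30.1/24 and 10.10.40.1/24. For those three the tightest aggregate is 10.10.0.0/18; the 10.10.0.0/16 destination given above is a wider route that also covers them, which route_covers confirms. Only the function names are the script's own; the addresses are the ones used in the procedures.

```python
"""Derive the GlobalProtect network values the guide asks for and check that
they agree with each other. Added example, not Entrust's or Palo Alto's code;
the addresses are the guide's sample values."""
import ipaddress
from typing import List


def access_route_for_interface(interface_cidr: str) -> str:
    """ethernet1/2 at 10.10.10.35/24 -> access route 10.10.10.0/24."""
    return str(ipaddress.ip_interface(interface_cidr).network)


def pool_inside_subnet(pool: str, interface_cidr: str) -> bool:
    """Check an IP pool written as 'start-end' (the gateway's format) lies inside
    the interface subnet and does not include the interface address itself."""
    start_s, _, end_s = pool.partition("-")
    start = ipaddress.ip_address(start_s.strip())
    end = ipaddress.ip_address(end_s.strip())
    iface = ipaddress.ip_interface(interface_cidr)
    if start.version != iface.version or start > end:
        return False
    # summarize_address_range yields the prefixes that exactly cover the range
    covered = all(net.subnet_of(iface.network)
                  for net in ipaddress.summarize_address_range(start, end))
    return covered and not (start <= iface.ip <= end)


def aggregate_route(subnets: List[str]) -> str:
    """Smallest single prefix that covers every given subnet. The static route the
    guide uses may be wider than this; see route_covers."""
    nets = [ipaddress.ip_interface(s).network for s in subnets]
    agg = nets[0]
    for net in nets[1:]:
        while not net.subnet_of(agg) and agg.prefixlen > 0:
            agg = agg.supernet()
    return str(agg)


def route_covers(route: str, subnets: List[str]) -> bool:
    """True if one static route destination reaches every listed subnet."""
    dest = ipaddress.ip_network(route, strict=False)
    return all(ipaddress.ip_interface(s).network.subnet_of(dest) for s in subnets)
```

Feed your own interface address, pool and VLAN list to these functions before committing; a False from pool_inside_subnet or route_covers points at the field to correct.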

Deploying and configuring GlobalProtect Client

To download and configure GlobalProtect Client on the client PC
1. Open a web browser on the client computer.
2. Enter the portal address, either its hostname or its IP address (for example, https://my.company.com or
https://10.10.10.35). The GlobalProtect login window appears.
3. Enter the Active Directory username and password.
4. Click Logon. You are brought to the GlobalProtect Portal download page.
5. Click Download Windows GlobalProtect agent.
Note: Select the GlobalProtect Agent download appropriate for the version of Windows running on the client
computer.
The download page appears.
6. Double-click the downloaded GlobalProtect Agent installer to open it.
7. You are prompted to install the GlobalProtect Agent. Select Yes.

Configuring Entrust IdentityGuard Radius server with VPN server

This section includes procedures for configuring one-step and two-step authentication in Entrust IdentityGuard
Radius Server.
This section includes the following topics:
• Configuring Entrust IdentityGuard Radius server for one-step authentication
• Configuring Entrust IdentityGuard Radius server for two-step authentication
• Configuring TVS authentication for Entrust IdentityGuard Radius server

Configuring Entrust IdentityGuard Radius server for one-step authentication
To set up Entrust IdentityGuard Radius Server for one-step authentication
1. Log in to the Entrust IdentityGuard Properties Editor to configure the one-step authentication settings. The
Table of Contents page appears.
2. Select VPN Server Configuration from the table of contents. The VPN Server Configuration fields
appear.
3. In the VPN Server Configuration section, complete the following:
a. Enter the name of the VPN host and then click Add.
b. For VPN Host, enter the hostname or the IP address of the Palo Alto management interface.
c. For VPN Shared Secret, enter the same shared secret you entered when you configured the AAA
RADIUS server on Palo Alto, and select the Encrypt check box.
d. For Outgoing Messages to VPN Server Require Message-Authenticator, select True.
e. In the IP address Radius Attribute ID drop-down list, select the default.
4. In the VPN Server Configuration section, complete the following:
a. Scroll until you see the First-Factor Authentication Method.
b. Select the first-factor authentication method to use for one-step authentication: Entrust IdentityGuard
Password or Token.
c. Select True for Only Perform First-factor Authentication.
5. Scroll down and click Validate & Save.
6. Restart the Entrust IdentityGuard services for the changes to take effect.

Configuring Entrust IdentityGuard Radius server for two-step authentication
To configure Entrust IdentityGuard Radius Server for two-step authentication
1. Log in to the Entrust IdentityGuard Properties Editor to configure the two-step authentication settings. The
Table of Contents page appears.
2. Select VPN Server Configuration from the Table of Contents. The VPN Server Configuration fields
appear.
3. In the VPN Server Configuration section, complete the following:
a. Enter the name of the VPN host and then click Add.
b. For VPN Host, enter the hostname or the IP address of the Palo Alto management interface.
c. For VPN Shared Secret, enter the same shared secret configured for the AAA RADIUS server on Palo
Alto, and select the Encrypt check box.
d. For Outgoing Messages to VPN Server Require Message-Authenticator, select True.
e. In the IP address Radius Attribute ID drop-down list, select the default.
4. In the VPN Server Configuration section, complete the following:
a. Scroll until you see the First-Factor Authentication Method.
b. From the First Factor Authentication Method drop-down list, select No First-Factor Authentication.
c. For Only Perform First-Factor Authentication, select False.
5. Click Validate & Save.
6. Restart the Entrust IdentityGuard services for the changes to take effect.

Note: The Palo Alto firewall supports only the CHAP authentication protocol.
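Two settings in the procedures above decide what the Radius Server proxy will accept from the firewall: the shared secret with Require Message-Authenticator set to True (step 3d), and the CHAP-only note. The following Python script is an added example (it is not part of this guide and not Entrust or Palo Alto code) that builds a RADIUS Access-Request the way a CHAP client does and shows the checks the receiving server or proxy performs in order: verify the Message-Authenticator with the shared secret before trusting anything else in the packet, then recompute the CHAP response from the stored cleartext password. The shared secret, user name and password are constructed sample values; the attribute numbers are the ones defined in RFC 2865 and RFC 2869, and the function names are the script's own.

```python
"""RADIUS Access-Request carrying CHAP-Password and Message-Authenticator, with
the checks the receiving RADIUS server or proxy performs on it. Added example,
not Entrust's or Palo Alto's code; the shared secret, user and password are
constructed sample values. Attribute numbers are from RFC 2865 and RFC 2869."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_CHAP_PASSWORD = 3
ATTR_CHAP_CHALLENGE = 60
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one type/length/value attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """CHAP (RFC 1994): MD5(ident || password || challenge). The server needs the
    cleartext password to recompute this, which is why CHAP, unlike PAP, cannot be
    verified against a stored password hash."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def build_access_request(user: str, password: str, secret: bytes, ident: int = 7,
                         authenticator: Optional[bytes] = None, with_mac: bool = True) -> bytes:
    """Build an Access-Request; with_mac=False models a client that omits Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)
    chap_ident = 1
    # With no CHAP-Challenge attribute, the Request Authenticator is the challenge (RFC 2865 5.3).
    attrs = _attr(ATTR_USER_NAME, user.encode())
    attrs += _attr(ATTR_CHAP_PASSWORD, bytes([chap_ident]) + chap_response(chap_ident, password, authenticator))
    if with_mac:
        attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder, filled in below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    if with_mac:
        # HMAC-MD5 keyed with the shared secret over the whole packet with the MAC zeroed (RFC 2869 5.14)
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt


def parse_attributes(pkt: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (type, offset of value, value) for every attribute, rejecting bad lengths."""
    out, pos = [], 20
    while pos < len(pkt):
        if pos + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute length")
        out.append((atype, pos + 2, pkt[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Require and verify Message-Authenticator; a packet without one is rejected,
    which is what the guide's Require Message-Authenticator setting asks for."""
    for atype, off, value in parse_attributes(pkt):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def verify_chap(pkt: bytes, users: Dict[str, str]) -> Optional[str]:
    """Return the authenticated user name, or None when the CHAP response does not match."""
    by_type = {atype: value for atype, _, value in parse_attributes(pkt)}
    user = by_type.get(ATTR_USER_NAME, b"").decode("utf-8", errors="replace")
    chap = by_type.get(ATTR_CHAP_PASSWORD)
    if user not in users or chap is None or len(chap) != 17:
        return None
    challenge = by_type.get(ATTR_CHAP_CHALLENGE, pkt[4:20])
    expected = chap_response(chap[0], users[user], challenge)
    return user if hmac.compare_digest(expected, chap[1:]) else None


def server_accepts(pkt: bytes, secret: bytes, users: Dict[str, str]) -> bool:
    """Packet integrity first, then the credential: a request with a bad or missing
    Message-Authenticator never reaches the password check."""
    if len(pkt) < 20 or pkt[0] != ACCESS_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    try:
        return verify_message_authenticator(pkt, secret) and verify_chap(pkt, users) is not None
    except ValueError:
        return False
```

The order inside server_accepts is the point: the Message-Authenticator is an HMAC over the entire packet keyed with the shared secret from step 3c, so a mismatched secret, a missing attribute, or any edit to the user name fails before the password is ever consulted.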

Configuring TVS authentication for Entrust IdentityGuard Radius Server

To configure TVS authentication for Entrust IdentityGuard Radius Server, you first activate a mobile soft
token on your mobile device and then configure TVS for use by Entrust IdentityGuard.
Complete the following procedures to configure TVS authentication:
• "To configure TVS authentication in Entrust IdentityGuard and activate a mobile soft token on your
mobile device"
• "To configure TVS Authentication using the Entrust IdentityGuard Properties Editor"

To configure TVS authentication in Entrust IdentityGuard and activate a mobile soft token on your
mobile device
1. Validate the transaction component and callback settings. (See the topic "Transaction Component and
Callback Settings" in the Entrust IdentityGuard Radius Server Administration Guide.)
2. Validate the licensing required to perform TVS authentication transactions by doing the following:
a. Validate the transaction verification with soft tokens license. (See the topic "Verification with Soft Tokens"
in the Entrust IdentityGuard Radius Server Administration Guide.)
3. Validate the soft token licenses. (See the topic "Soft Tokens License" in the Entrust IdentityGuard Radius
Server Administration Guide.)
4. Activate mobile soft tokens.
• You can do this through the Entrust IdentityGuard Administration Interface. (See the topic "Creating and
Activating a mobile soft token using the Administration Interface" in the Entrust IdentityGuard Radius
Server Administration Guide.)
• Alternatively, you can activate the mobile soft token using the Entrust IdentityGuard Self-Service Web
site. (See the Entrust IdentityGuard Self-Service Installation and Configuration Guide.)
5. Configure mobile soft tokens for second-factor authentication. (See the topic "Using mobile soft tokens for
second factor authentication" in the Entrust IdentityGuard Radius Server Administration Guide.)

To configure TVS Authentication using the Entrust IdentityGuard Properties Editor
1. Log in to the Entrust IdentityGuard Properties Editor. The Table of Contents page appears.
2. Click VPN Server Configuration and do the following:
a. Select true to enable MST TVS for Token Authentication. For example:
identityguard.igradius.vpn.<vpnname>.msttvseanbled = true
3. Select true to enable MST TVS Online Fallback. For example:
identityguard.igradius.vpn.<vpnname>.msttvsonlinefallback = true
4. Set the TVS Callback response time out to 35. For example:
identityguard.igradius.vpn.<vpnname>.callbacktimeout = 35
Note: Up to 40 seconds can work if the check interval is lower; the default of 60 seconds is too long if the
VPN overall timeout is less than 50 seconds.
5. Set the VPN Request Timeout setting to 12 (slightly higher than each VPN request timeout; the default is
10, which should be increased). For example:
identityguard.igradius.vpn.<vpnname>.vpnrequesttimeout = 12
6. Click Challenge Cache Settings and do the following:
a. Set Challenge Cache Settings to false for TVS authentication with Entrust IdentityGuard Radius Server.
For standard TVS Entrust IdentityGuard configuration requirements, challenges in Entrust IdentityGuard
must not be cached, which this setting controls (the default is false). For example:
identityguard.challenge.cache.enabled = false
7. Click Radius Proxy Configuration and do the following:
a. Set Radius Proxy Callback Host to the hostname of the Entrust IdentityGuard Radius Server host. This
hostname is used by Entrust IdentityGuard to notify the Radius Server when users complete TVS
authentication. For example:
identityguard.igradius.callback.host = <IG Radius Proxy Callback host>
8. Set the Radius Proxy Callback Port to the port of the Entrust IdentityGuard Radius Server host. This port is
used by Entrust IdentityGuard to notify the Radius Server when users complete TVS authentication. For
example:
identityguard.igradius.port = <IG Radius Proxy Callback Port>
9. Set the Callback Queue Check Interval to 2. For example:
identityguard.igradius.callback.checkinterval = 2
10. Click Validate & Save.
11. Restart the Entrust IdentityGuard services for the changes to take effect.
Note: If multiple Entrust IdentityGuard Radius Servers (and Entrust IdentityGuard servers) exist, then each
Entrust IdentityGuard Radius Server needs to be able to communicate with each Entrust IdentityGuard server
(in both directions) to initiate a TVS callback. This requires that you configure the appropriate host and possibly
port settings (the default is the local hostname and a random port).
Note: The following condition must hold for the callback to work successfully:
[callback.checkinterval + <vpnname>.callbacktimeout + <network time to send UDP
Radius request from VPN to IG Radius>] must be LESS THAN [<VPN overall timeout>]
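The timing condition above is easy to get wrong once the defaults are changed, because the three terms live in different places (the callback settings in the Properties Editor, the overall timeout on the VPN side). The following Python script is an added example (it is not part of this guide and not Entrust code) that parses a properties file in the key = value form shown above and checks one VPN entry against the rule, along with the challenge-cache, callback-host and VPN request timeout settings from steps 5 through 9. The property keys are the ones printed in this procedure; the VPN name pavm, the host name and port value in the sample are constructed, and the VPN-side timeouts are passed in as arguments because they are not stored in this file.

```python
"""Check the Entrust IdentityGuard Radius Server TVS callback settings against
the timing rule the guide states. Added example, not Entrust's code: the
property keys are the ones the guide prints; the VPN name 'pavm', the host name
and the port value are constructed; the VPN-side timeouts are arguments."""
from typing import Dict, List

# Constructed properties in the 'key = value' form the guide shows.
SAMPLE_PROPERTIES = """
# constructed sample; the guide's <vpnname> is 'pavm' here
identityguard.igradius.vpn.pavm.callbacktimeout = 35
identityguard.igradius.vpn.pavm.vpnrequesttimeout = 12
identityguard.igradius.callback.checkinterval = 2
identityguard.challenge.cache.enabled = false
identityguard.igradius.callback.host = igradius.example.invalid
identityguard.igradius.port = 1814
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-style properties parser: 'key = value', '#' or '!' comments, blanks skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"expected 'key = value', got: {line}")
        props[key.strip()] = value.strip()
    return props


def check_tvs_settings(props: Dict[str, str], vpn: str, vpn_overall_timeout: int,
                       vpn_request_timeout: int, network_delay: int = 1) -> List[str]:
    """Return findings for one VPN entry; an empty list means the settings satisfy the guide.
    vpn_overall_timeout and vpn_request_timeout are the values configured on the VPN side;
    network_delay is the assumed time (seconds) for the UDP request to reach IG Radius."""
    findings: List[str] = []
    prefix = f"identityguard.igradius.vpn.{vpn}."
    try:
        callback_timeout = int(props[prefix + "callbacktimeout"])
        request_timeout = int(props[prefix + "vpnrequesttimeout"])
        check_interval = int(props["identityguard.igradius.callback.checkinterval"])
    except KeyError as missing:
        return [f"missing property {missing.args[0]}"]
    if props.get("identityguard.challenge.cache.enabled", "false").lower() != "false":
        findings.append("identityguard.challenge.cache.enabled must be false for TVS")
    if not props.get("identityguard.igradius.callback.host"):
        findings.append("callback host is unset, so IdentityGuard falls back to the local hostname")
    if request_timeout <= vpn_request_timeout:
        findings.append(f"vpnrequesttimeout {request_timeout} must exceed the VPN request timeout {vpn_request_timeout}")
    # the guide's rule: checkinterval + callbacktimeout + network time < VPN overall timeout
    budget = check_interval + callback_timeout + network_delay
    if budget >= vpn_overall_timeout:
        findings.append(f"checkinterval + callbacktimeout + network = {budget}s, not below the VPN overall timeout {vpn_overall_timeout}s")
    return findings
```

With the guide's values (check interval 2, callback timeout 35) and a VPN overall timeout of 50 seconds the check passes; leaving the callback timeout at its default of 60 makes it fail, which is the situation the note under step 4 warns about.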

© Copyright 2017 Entrust. http://www.entrust.com


All rights reserved. 52
Testing the integration
This section includes the following topics:
• Testing GlobalProtect for one-step authentication
• Testing GlobalProtect for two-step authentication
• Testing GlobalProtect using a PVN with your second-factor authentication response
• Testing GlobalProtect using mobile App soft token for TVS authentication
Note: The PAP authentication protocol is not supported by the Palo Alto. For PVN-based authentication, the administrator needs to disable the "PIN change required" option on the Entrust IdentityGuard server, because the challenge that option generates requires a PVN update.

Testing GlobalProtect for one-step authentication
To test GlobalProtect VPN for one-step authentication
1. On the client PC, double-click the GlobalProtect Agent icon to open it.
Note: It is assumed that you have already deployed the GlobalProtect Agent software to the client computer as outlined in the section Deploying and configuring GlobalProtect Client.
2. In the Username field, enter the Entrust IdentityGuard username.
3. In the Password field, enter the Entrust IdentityGuard password or temporary PIN.
4. Click Apply.
5. In the GlobalProtect page, select File > Enable.

© Copyright 2017 Entrust. http://www.entrust.com


All rights reserved. 53
6. A Server Certificate page appears.
7. Click Continue. The GlobalProtect Welcome page appears.
8. Select File > Disable to disconnect the VPN session.

Testing GlobalProtect for two-step authentication
To test GlobalProtect VPN for two-step authentication
1. On the client PC, double-click the GlobalProtect Agent icon to open it.
Note: It is assumed that you have already deployed the GlobalProtect Agent software to the client computer as outlined in the section Deploying and configuring GlobalProtect Client.
2. In the Username field, enter the Entrust IdentityGuard username.
3. In the Password field, enter the Entrust IdentityGuard password.
4. Click Apply.
5. In the GlobalProtect page, select File > Enable. A Server Certificate page appears.
6. Click Continue. You are prompted to enter the second-factor authentication response.
7. Enter the second-factor authentication response. The challenge depends on the type of second-factor authentication you configured in the Entrust IdentityGuard Radius Server.
Once you are connected, the GlobalProtect Welcome page appears.
8. Select File > Disable to disconnect the VPN connection.

Testing GlobalProtect using a PVN with your second-factor authentication response
When using tokens with a PVN, see the information about using a token in the Entrust IdentityGuard Administration Guide. When using the Radius proxy, the PVN is supplied as part of the token or grid response. For example, if your PVN is 1234 and the token response is 94167505, the combined Radius password is entered as 123494167505 (PVN first, followed by the token response). A PVN and a grid response are combined in the same way.
Note: The PAP authentication protocol is not supported by the Palo Alto, and PVN update is supported only over PAP or EAP-GTC, so a PVN update cannot be completed through the GlobalProtect login.

Testing GlobalProtect using mobile App soft token for TVS authentication
To test soft token authentication for a user in the Entrust IdentityGuard server
1. Log in with the correct first-factor username and password on the Palo Alto VPN client.
2. Launch the Entrust OTP Soft Token App on the mobile device. A soft token screen appears.
3. Select New Transactions on the top menu if you have not received a new transaction notification.
4. Click Confirm.

© Copyright 2017 Entrust. http://www.entrust.com


All rights reserved. 58

You might also like