Configuring Multi-Factor Authentication (MFA) for a Third-party VPN Solution via Accops HyID RADIUS Server

Overview

Accops HyID

Accops HyID is an Identity and Access Management solution designed to safeguard critical business applications and data from unauthorized use by internal and external users by managing user identities and monitoring user access.

The out-of-the-box MFA can be easily integrated with all your modern, legacy, cloud, and on-prem solutions. HyID provides users solid control over endpoints, enabling contextual access, device entry control, and a flexible policy framework. HyID offers multiple interfaces and connectors based on LDAP, RADIUS, and SAML to add MFA to any third-party solutions. HyID provides multiple MFA tokens and factors like SMS, Email, Mobile Apps, Hardware OTP tokens, push notifications to phones or PCs, biometrics, FIDO, and device hardware ID & PKI. The Single Sign-On (SSO) feature provides better security and convenience.

VPN Solution

Palo Alto GlobalProtect (PAGPV) is a VPN solution that connects an organization’s resources through Palo Alto’s NGFW perimeter firewalls. To integrate third-party authentication and MFA solutions, Palo Alto supports multiple authentication protocols, including LDAP/AD, RADIUS, and SAML.

Note

The Palo Alto GlobalProtect (PAGPV) VPN solution has been used purely for demonstration purposes. The user can use any third-party VPN solution.

About this document

This guide provides steps to configure Multi-Factor Authentication (MFA) using HyID for the users who log in through GlobalProtect VPN (hereafter referred to as PAGPV). Use this guide to integrate Accops HyID with RADIUS-enabled network devices like firewalls, proxy servers, switches, routers, or VPNs.

Note

GlobalProtect VPN (PAGPV) is a feature of the Palo Alto Firewall. Throughout the document, we have referred to it as PAGPV.

There are two ways to integrate HyID with PAGPV via the RADIUS protocol:

  1. Challenge handshake-based integration (RADIUS CHAP).
  2. RADIUS PAP-based integration.

This document provides steps to integrate HyID with PAGPV via the RADIUS CHAP protocol. The out-of-band OTP channels supported are SMS, email, mobile authenticator app, hardware tokens, and push notifications.

The document is broadly divided into the following parts:

  1. Configuring HyID and RADIUS server
  2. Configuring the PAGPV
  3. Login through the PAGPV client

Applicable Version

  • HyID Version 5.4 SP6
  • Palo Alto Firewall PAN-OS Version 11.0.0
  • PAGP Client Version 5.2.12-26

Deployment scenario

The diagram shows the most common deployment, in which PAGPV, Accops HyID, and Accops RADIUS servers are deployed within customer premises. Accops DMS is a cloud-based service that sends push notifications to a user’s device.

Network ports requirement

The following ports must be open between the components listed below for the configuration and integration to work.

| From | To | Ports | Purpose | Protocol |
| --- | --- | --- | --- | --- |
| Admin System | Accops Biometric Server (ABS) | 8080, 8081 | ABS web app and API ports for biometric enrolment | TCP |
| Admin System | Accops HyID nodes (HySecure actual and VIP, all 3) | 443, 3636, 22 | Accops HyID administration and management | TCP |
| Admin System | DMS | 443, 22 | DMS administration and management | TCP |
| HyID Gateway | Nginx LB/DMS | 443 | Communication between HyID Gateway and DMS | TCP |
| HyID Gateway | AD/LDAP | 389/636 | User authentication | TCP |
| DMS Server | Push Notification Broker on AWS | 443 | Sending push notifications to user devices | TCP |
| Endpoint | DMS | 443 | Push notification for MFA | HTTPS |
| Internet | HyID Gateway | 443 | Mobile token registration | HTTPS |
| VPN Solution (Palo Alto) | HyID Gateway | 1812, 1813 | MFA (RADIUS) | UDP |

Accops HyID Gateway Configuration

Prerequisites

  1. Active Directory server configured in HyID Gateway as the authentication server.

  2. The Active Directory is the Authentication Server in the HyID Gateway Authentication Domain.

  3. At least one application is published to the user or user group.

  4. Application Access Control List (ACL) configured for the user or user group.

Add the PAGPV device as a RADIUS client

  1. Log in to the HyID command-line console (CLI).
  2. Open the RADIUS client configuration file in the vi editor:

    vi /etc/raddb/clients.conf

  3. Add a client entry for the firewall above the existing "client localhost" entry. Replace x.x.x.x with the IP address of your firewall and configure a strong shared secret; the same secret must be entered in the firewall's RADIUS server profile.

    client x.x.x.x {
        ipaddr = x.x.x.x
        secret = MyGoodSecret
        require_message_authenticator = no
        nas_type = other
    }

  4. Save the file.

  5. Restart the RADIUS service:

    systemctl restart radiusd

Configure HyID Policies

  1. Log in to the HyID Gateway Management Console.
  2. Navigate to Policies > HyID Policies.
  3. Click Add to create a policy and enter the following details:

    1. HyID Policy Name
    2. HyID Policy Type
    3. Priority of the Policy
    4. Authentication Domain
    5. Authorization Server
    6. Policy assignment Type
    7. Enable Two-factor Authentication and select the following factors:
      1. Mobile Token
      2. Push Notification
    8. Enable self-service mobile/PC token registration for users.
    9. Enable the option Allow re-activation of same device.

PAGPV Configuration

Prerequisites

An Active Directory server is configured as the LDAP authentication server. For more information, refer to the Palo Alto documentation.

Add HyID Gateway as a RADIUS server

  1. Log in to PAGPV's Management Console.
  2. Navigate to Device > Server Profiles > RADIUS to add a server.

    1. Select Authentication Protocol as PAP.
    2. Enter the HyID Gateway virtual IP address as the RADIUS Server.
    3. Add a strong secret (the same secret configured in clients.conf on the HyID Gateway).

  3. Navigate to Device > Authentication Profile > Add. Enter the details as shown below.

  4. Navigate to Advanced, select all from the ALLOW LIST, and click OK to finish.

  5. Navigate to Network > GlobalProtect > Portals and click on the existing portal to edit the configuration.

    1. Select the option Authentication and click Add.

    2. Navigate to the Authentication Profile, select the RADIUS profile created in the previous step, and provide Authentication details as shown below.

    Make sure RADIUS-Auth is at the top of the list if there are multiple authentication servers.

  6. Navigate to Network > GlobalProtect > Gateways and click the Gateway that is to be updated.

  7. Select Authentication and click Commit to save the changes.

Log in to the Palo Alto VPN client

  1. Launch the Palo Alto VPN client and enter your authentication credentials.

  2. The Palo Alto VPN client receives a challenge from the Palo Alto server and prompts for the OTP channel. Enter the channel: users receive the OTP on their registered mobile number, email address or mobile authenticator app, or a push notification is initiated.

  3. When the following window appears, enter the OTP or authorize the push notification received on the user’s mobile app.

  4. The Palo Alto VPN client login will be successful.
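The two-leg RADIUS exchange behind this login procedure (and behind the challenge-handshake integration described earlier), worked through as an added Python simulation that is not part of this guide or of the Accops or Palo Alto software: the firewall side hides the AD password and then the OTP in User-Password as RFC 2865 describes, a simplified stand-in for the HyID RADIUS server answers the password with an Access-Challenge carrying a State attribute and the OTP with Access-Accept, and the firewall side verifies the Response Authenticator of every reply with the shared secret from clients.conf. The user, password, OTP and secret are constructed values, and the server logic is an assumption about the flow, not HyID's implementation.

```python
import hashlib, os, struct
SECRET = b"MyGoodSecret"   # constructed; must match clients.conf and the firewall's RADIUS profile
AD_USERS, OTPS, SESSIONS = {"alice": "Winter2024!"}, {"alice": "482913"}, {}   # constructed test data
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24                   # RFC 2865 attribute types

def xor_password(data, secret, authenticator, decrypting=False):
    out, prev = b"", authenticator            # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)
    data += b"\x00" * (-len(data) % 16)       # pad to a multiple of 16 (no-op when decrypting)
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (data[i:i + 16] if decrypting else block)   # chain on the hidden block
    return out

def packet(code, ident, auth, attrs):         # header (code, id, length) + 16-byte authenticator + TLV attributes
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4]); attrs, pos = {}, 20
    while pos < length:
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]; pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs

def hyid_radius(req):   # simulated HyID RADIUS server: leg 1 checks the AD password, leg 2 the OTP bound to State
    code, ident, req_auth, a = parse(req)
    user = a[USER_NAME].decode()
    pw = xor_password(a[USER_PASSWORD], SECRET, req_auth, decrypting=True).rstrip(b"\x00").decode()
    reply, attrs = ACCESS_REJECT, []
    if STATE not in a and AD_USERS.get(user) == pw:         # password OK: ask for the second factor
        state = os.urandom(8); SESSIONS[state] = user
        reply, attrs = ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Enter OTP"), (STATE, state)]
    elif STATE in a and SESSIONS.pop(a[STATE], None) == user and OTPS.get(user) == pw:
        reply = ACCESS_ACCEPT                                # State echoed back together with a valid OTP
    resp = packet(reply, ident, req_auth, attrs)             # RFC 2865 s3: Response Authenticator replaces the slot
    return resp[:4] + hashlib.md5(resp[:4] + req_auth + resp[20:] + SECRET).digest() + resp[20:]

def vpn_login(user, password, otp):   # firewall (NAS) side: send password, answer the challenge, verify replies
    state, ident = None, 0
    for cred in (password, otp):
        ident, req_auth = ident + 1, os.urandom(16)
        attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, xor_password(cred.encode(), SECRET, req_auth))]
        resp = hyid_radius(packet(ACCESS_REQUEST, ident, req_auth, attrs + ([(STATE, state)] if state else [])))
        code, rid, resp_auth, ra = parse(resp)
        if rid != ident or resp_auth != hashlib.md5(resp[:4] + req_auth + resp[20:] + SECRET).digest():
            return "tampered"                  # wrong shared secret or forged reply: discard it
        if code != ACCESS_CHALLENGE:
            return "accept" if code == ACCESS_ACCEPT else "reject"
        state = ra[STATE]                      # keep the server's State for the OTP leg
    return "reject"
```

Run vpn_login("alice", "Winter2024!", "482913") to see the full challenge round trip end in "accept"; a wrong password is rejected before any challenge is issued, and a wrong OTP is rejected on the second leg.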