Configuring MFA for a third-party VPN solution via Accops HyID using LDAP Integration Service (LIS)
Overview
Accops HyID
Accops HyID is an Identity and Access Management solution that protects critical business applications and data from unauthorized use by internal and external users by managing user identities and monitoring user access.
HyID provides strong authentication control over users and endpoints, granular contextual access, device entry control, and a flexible policy framework. It offers multiple interfaces and connectors based on LDAP, RADIUS, and SAML to add MFA to any Accops module or third-party solution, so the out-of-the-box MFA integrates with modern, legacy, cloud, and on-prem solutions alike. HyID supports multiple MFA tokens and factors: SMS, email, mobile apps, hardware OTP tokens, push notifications to phones or PCs, biometrics, FIDO, and device hardware ID and PKI. Its Single Sign-On (SSO) feature adds both security and convenience.
VPN Solution
The Palo Alto GlobalProtect (PAGPV) VPN solution is used here purely for demonstration; any third-party VPN solution that supports LDAP authentication can be used in its place.
Palo Alto GlobalProtect (PAGPV) is a VPN solution that provides remote access to an organization's resources through its perimeter firewalls. To integrate third-party authentication and MFA solutions, Palo Alto supports multiple authentication protocols, including LDAP/AD, RADIUS, and SAML.
About this document
This guide provides steps to configure Multi-Factor Authentication (MFA) using HyID for the users who log in through GlobalProtect VPN (hereafter referred to as PAGPV) using LDAP Integration Service (LIS) with a choice of out-of-band OTP channels like Mobile Authenticator, PC, and Hardware Tokens.
Note
- GlobalProtect VPN (PAGPV) is a feature of the Palo Alto Firewall. Throughout the document, we have referred to it as PAGPV.
- The document can be used as a reference guide to integrate Accops HyID for 2FA with any network device that supports LDAP, such as a firewall, proxy server, switch, router, or secured gateway.
The document is divided into the following sections:
- Configuring HyID and LDAP Integration Service (LIS)
- Configuring the PAGPV and LDAP server
- Registering for a mobile token with Accops Gateway
- Login through the PAGPV client
Note
We have used the Accops HyID mobile app to acquire an OTP for demonstration purposes. You can use any third-party hardware token of your choice.
Applicable Version
• HyID Version 5.4 SP6
• Palo Alto Firewall PAN-OS Version 11.0.0
• PAGP Client Version 5.2.12-26
Deployment and Dataflow
The diagram below shows the most common deployment: PAGPV (or other applications), Accops HyID, and the LDAP/AD servers are deployed within the customer premises, and endpoints access PAGPV or the applications over the Internet.
Network ports requirement
The following ports must be open between the components for the configuration and integration to work.
From | To | Purpose | Port No. | Protocol |
---|---|---|---|---|
Palo Alto Firewall (PAGPV) | HyID Gateway (LIS) | LDAP bind for user authentication (port as configured for the LIS listener) | 389/636 | LDAP/LDAPS |
HyID Gateway | AD / LDAP | User authentication | 389/636 | LDAP/LDAPS |
HyID Gateway | DMS | Push notification | 443 | HTTPS |
Admin PC | HyID Gateway | Admin Management login | 443 | HTTPS |
User PC | Palo Alto VPN | VPN connection | 443 | HTTPS |
Internet | HyID Gateway | Mobile Token registration | 443 | HTTPS |
Note that the LDAP bind from the firewall to the HyID Gateway carries both the OTP and the user's AD password in the password field, so use LDAPS (636) or StartTLS on that hop, and likewise on the HyID Gateway to AD hop, rather than plaintext LDAP on 389.
Accops HyID Gateway Configuration
This section configures the HyID Gateway from its Management Console and Command Line Interface (CLI).
Prerequisites
- The Active Directory server is configured in the HyID Gateway as the authentication server.
- Active Directory is set as an Authentication Server in the HyID Gateway Authentication Domain.
- At least one application is published to the user or user group.
- The application Access Control List (ACL) is configured for the user or user group.
Configure Accops LDAP Integration Service (LIS)
- Log in to the HyID Gateway Management Console.
- Navigate to Settings > Services Config > LIS Configuration.
- Configure LIS as described below. The values are representative only.
  - Application Display Name: Enter a unique identifier.
  - Admin User: Enter the admin user ID. The same account must later be used as the Bind DN in the PAGPV LDAP server profile.
  - Proxy for Authentication Domain: Select the HySecure authentication domain from the drop-down list. In this example, the first HySecure Authentication Domain is named Default.
  - Connect To: Specify the authentication server (the Active Directory server) to be used for authentication.
  - Additional MFA enable: Select this to enable 2FA. Only mobile tokens are supported.
  - Allow OTP in password: Enable this option so that the OTP can be carried inside the LDAP password field; the VPN then sends the OTP and the AD password together in a single bind, as described in the login step.
- Click Submit to save the configuration.
Configure HyID Policy
- Log in to the HyID Gateway Management Console and navigate to Policies > HyID Policies.
- Click Add to create a policy and enter the following details:
  - HyID Policy Name: Enter a unique policy identifier.
  - HyID Policy Type: Select HySecure from the drop-down menu.
  - Priority of the Policy: Select the priority level from the drop-down menu. Select priority 1; change it only if you have multiple HyID policies of this type.
  - Authentication Domain: Select the HySecure authentication domain to which you added your authentication servers.
  - Authorization Server: Select the authorization server from which the user will be authorized.
  - Policy Assignment Type: Select All Users, User Groups, or Organizational Units as required.
  - Enable Two-factor Authentication.
  - Select the option Mobile Token.
  - Enable Push Notification.
  - Enable self-service mobile/PC token registration for users.
  - Allow re-activation of the same device.
Configure Palo Alto GlobalProtect VPN (PAGPV)
This section describes the configuration done through the PAGPV (Palo Alto firewall) management console.
Configure HyID Gateway as an LDAP server
- Access the PAGPV management console.
- Navigate to Device > Server Profiles > LDAP to add an LDAP server.
- Enter the LDAP Server Profile details as shown in the screen below, pointing the server entry at the HyID Gateway (LIS) rather than directly at Active Directory.
Note
The user specified as the Bind DN must be the same account that was selected as the admin user in the HySecure LIS configuration.
Add Authentication Profile
- Navigate to Device > Authentication Profile > Add.
- Enter the authentication details as shown here.
Note
Under Server Profile, select the LDAP server profile created in the steps above.
- Go to Advanced, add all to the Allow List, and click OK to save the changes.
- Under Client Authentication, enter the values shown on the screen below.
Configure authentication in GlobalProtect Portal
- In the PAGPV management console, navigate to Network > GlobalProtect > Portals and click the portal to be updated.
- Select Authentication and click Add.
- Enter the authentication details as shown below.
Note
Under Authentication Profile, select the profile created in the step above.
- If multiple authentication profiles are listed, ensure the HyID profile (HySecure-LDAP-Auth in this example) is at the top of the list so that it is evaluated first.
- Click OK and Commit to save the configuration changes.
Register a mobile token with the Accops HyID Gateway
- Access the Accops HyID Gateway portal from a browser and sign in with your Active Directory credentials.
- Click Register Mobile Token.
- Install the Accops HyID app on your Android or iOS device and scan the QR code displayed on the HyID Gateway portal.
Log in to the Palo Alto VPN Client
- Launch the Palo Alto GlobalProtect client.
- Read the OTP from your PC token, the mobile app, or your hardware token, and enter it together with your AD password in the password field in the OTP.ADcredentials format, i.e. the OTP, a dot, and then your AD password. Because Allow OTP in password was enabled in LIS, the HyID Gateway separates the OTP from the AD password and validates both.
- You should now be logged in to the GlobalProtect VPN.
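The following Python model illustrates the "Allow OTP in password" mechanism that the LIS configuration step and the login step above rely on: the VPN performs one LDAP bind whose password field is OTP.ADpassword, and the MFA proxy in front of the directory splits that field, verifies the OTP, and only then checks the AD password. This is an added example, not Accops or Palo Alto code, and it does not reproduce how LIS is actually implemented: the TOTP algorithm (RFC 6238, HMAC-SHA1, six digits, 30-second step), the split-on-first-dot rule, the one-bind-per-OTP replay guard, and the constructed user seed, AD password, and timestamps are all assumptions made for the example. The in-memory dictionary stands in for Active Directory.

```python
"""Model of an "OTP in password" LDAP-proxy check (added example, not LIS code)."""
import hashlib
import hmac
import struct

OTP_DIGITS = 6
TOTP_STEP = 30         # seconds per TOTP window (RFC 6238 default); assumption
CLOCK_SKEW_STEPS = 1   # also accept the previous and next window; assumption


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TOTP_STEP, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at_time // step, digits)


def split_credential(password_field: str):
    """Split "OTP.ADpassword" on the FIRST dot only, so the AD password itself may
    contain dots. Returns (otp, ad_password), or None if the field is malformed."""
    otp, sep, ad_password = password_field.partition(".")
    if not sep or len(otp) != OTP_DIGITS or not otp.isdigit() or not ad_password:
        return None
    return otp, ad_password


class OtpInPasswordProxy:
    """Minimal stand-in for an LDAP-proxying MFA service (hypothetical, not LIS).

    token_secrets: user -> TOTP seed (constructed for the example)
    directory:     user -> AD password (constructed stand-in for Active Directory)
    """

    def __init__(self, token_secrets, directory):
        self.token_secrets = token_secrets
        self.directory = directory
        self.last_counter = {}   # user -> last accepted TOTP counter (replay guard)
        self.ad_binds = 0        # how many times the "directory" was contacted

    def _ad_bind(self, user, ad_password):
        """Simulated bind against AD with the user's own password."""
        self.ad_binds += 1
        return hmac.compare_digest(self.directory.get(user, ""), ad_password)

    def authenticate(self, user, password_field, now):
        parts = split_credential(password_field)
        if parts is None:
            return "reject: malformed credential"
        otp, ad_password = parts
        secret = self.token_secrets.get(user)
        if secret is None:
            return "reject: no token enrolled"
        counter = now // TOTP_STEP
        matched = None
        for delta in range(-CLOCK_SKEW_STEPS, CLOCK_SKEW_STEPS + 1):
            if hmac.compare_digest(hotp(secret, counter + delta), otp):
                matched = counter + delta
                break
        if matched is None:
            return "reject: bad otp"          # AD is never contacted on a bad OTP
        if matched <= self.last_counter.get(user, -1):
            return "reject: otp replayed"
        # Burn the OTP before the directory bind: each OTP buys exactly one
        # password attempt, so a captured OTP cannot be used to guess passwords.
        self.last_counter[user] = matched
        if not self._ad_bind(user, ad_password):
            return "reject: bad ad password"
        return "accept"


if __name__ == "__main__":
    # Constructed demo data; the seed is the RFC 6238 reference secret.
    seed = b"12345678901234567890"
    proxy = OtpInPasswordProxy({"alice": seed}, {"alice": "Sup3r.Secret.Pass"})
    now = 59
    code = totp(seed, now)
    print(code, proxy.authenticate("alice", f"{code}.Sup3r.Secret.Pass", now))
    print(proxy.authenticate("alice", f"{code}.Sup3r.Secret.Pass", now + 10))
```

Two design points worth noting. The OTP is verified before the directory is contacted, so a bad OTP never consumes an AD bad-password count and an attacker who knows only the username cannot lock the account out or test passwords against AD through the VPN. Splitting on the first dot keeps AD passwords that contain dots working; if the deployed product uses a different separator or OTP length, adjust the constants accordingly.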