GlobalProtect with DUO using U2F Token


#1

Hi.

I’m looking for a way to find out how to configure a second factor as U2F Token using GlobalProtect of Palo Alto Networks.

First of all, I’d tested it with passcode as a second factor provided by DUO, and it worked well.
(Local authentication first, and authenticated by passcode)

However, I don’t have any U2F Token, so I didn’t test with it.

When I was using passcode, I put <radius_server_duo_only>'s attributes, such as ikey, skey, api_host, radius_ip, and radius_secret.

I want to know whether any changes are needed in the ‘authproxy’ file for using U2F Token.

If someone tested with U2F Token before, would you help me to figure out how to do it?

Or just tell me there’s no need to change any configuration of the file.

I’m looking forward to the answer.


#2

Hey Fernando, thanks for using Duo. To answer your question about the Authentication Proxy configuration file, you do not need to change anything in it in order to use U2F tokens.

However, as Duo’s Palo Alto GlobalProtect integration does not use the Duo Prompt, you could not use the token in U2F mode to complete two-factor authentication.

If you are using a token with OTP code functionality, you may be able to enroll it in Duo and use it as a passcode generator to concatenate with your password when logging in.