PaloAlto Administrator 2FA

I need 2FA for administrator access to PaloAlto firewalls. Not SSO. The user credentials cannot be Active Directory for PCI reasons. The accounts for the administrators will need to be in Duo, and the admins will need to be able to change their passwords. Am I correct this will be a Radius setup ? Which DUO “edition” will I need for this? We have 6 firewall admins that will need this. TIA


Hey @gregfuchs,

You can use RADIUS via the Duo Authentication Proxy application on any Duo Edition.

You’ll want to follow our Palo Alto documentation all the way through the section that describes setting up the Authentication Profile.

Duo can only protect administrator logins that use an Authentication Profile. Not ones that live locally on the appliance.

You can add the Authentication Profile to an existing administrator, or add a new administrator (using sAMAccountName as the username) by going to Device > Administrators > Add.
Select the Authentication Profile that you created earlier to point towards the Duo Authentication Proxy.

One quick callout is that you have the option to change between [radius_server_auto], as seen in our documentation, and [radius_server_challenge]. What gives you is a more interactive UI when logging in, as opposed to an automatic Duo Push.

Let us know if you have any questions, or feel free to email our Technical Support Team at


Hello, I am new to this so excuse my questions in advance.
Has anyone gotten this to work? If so do you have specific instructions to get it setup?
Thank you,