Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2519
Views
1
Helpful
1
Replies

Paloalto GlobalProtect Portal with DUO and LocalUser Scenario (without AD)

Alexander14
Level 1
Level 1

‎02-15-2020 04:31 AM

Hello everyone!

It is about small task - provide two-factor authentication for 10 employeees with Paloalto NGFW PA-220 for GlobalProtect Portal (web ssl vpn) based on Local User, without AD.
Please, help with wich way is correct : Is it more prefer to use DAG or DAP, or another way?
Because it is no information on Duo-portal:
https://help.duo.com/s/article/4254?language=en_US
As I understood that way is with Palo Alto SAML.
Bu i didn’t found information about how it configure with Local User scenario.

And as a second. if it is with DAG scenario. Is correct that DAG no need white ip, only local ip in DMZ like 172.16.20.73?

Who know, who can help me, please?

Thank.

0 Helpful
1 Reply 1

DuoKristina
Cisco Employee
Cisco Employee

‎02-20-2020 11:10 AM

The Duo Access Gateway requires an external LDAP, SAML, or OIDC authentication source for primary login. I don’t think that you could use the local user store on the PA as an authentication source for DAG.

The other alternative from Duo is RADIUS, but that also requires an authentication source for the Duo Authentication Proxy. Some VPN appliances let you chain authenticators, so one could use the local users database on the VPN for primary auth, and then add the Duo proxy configured to only perform Duo secondary authentication. Cisco ASA supports this, as does the Pulse Secure SA.

However, my recollection is that PANOS does not chain authenticators, where if the first succeeds then it moves on to the second. I believe that the Palo Alto lets you configure multiple authentication sources, but then uses them for failover, so it will never do a second step off Duo auth after the first step of primary auth succeeds.

It looks like the Duo MFA solution for Captive Portal created by Palo Alto will work with a local database, per the step two callout at https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/authentication/configure-multi-factor-authentication. You will need to contact Palo Alto support for assistance with that MFA integration, as we didn’t create it.

Good luck!

Duo, not DUO.
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents