Palo Alto GlobalProtect Portal with DUO and Local User Scenario (without AD)

Hello everyone!

This is about a small task: provide two-factor authentication for 10 employees with a Palo Alto NGFW PA-220 for the GlobalProtect Portal (web SSL VPN) based on Local User, without AD.
Please help with which way is correct: is it preferable to use DAG or DAP, or another way?
Because there is no information on the Duo portal:
As I understood, that way is with Palo Alto SAML.
But I didn’t find information about how to configure it with the Local User scenario.

And second, if it is the DAG scenario: is it correct that DAG does not need a white IP, only a local IP in the DMZ like

Who knows, who can help me, please?


The Duo Access Gateway requires an external LDAP, SAML, or OIDC authentication source for primary login. I don’t think that you could use the local user store on the PA as an authentication source for DAG.

The other alternative from Duo is RADIUS, but that also requires an authentication source for the Duo Authentication Proxy. Some VPN appliances let you chain authenticators, so one could use the local users database on the VPN for primary auth, and then add the Duo proxy configured to only perform Duo secondary authentication. Cisco ASA supports this, as does the Pulse Secure SA.

However, my recollection is that PANOS does not chain authenticators, where if the first succeeds then it moves on to the second. I believe that the Palo Alto lets you configure multiple authentication sources, but then uses them for failover, so it will never do a second step of Duo auth after the first step of primary auth succeeds.

It looks like the Duo MFA solution for Captive Portal created by Palo Alto will work with a local database, per the step two callout at You will need to contact Palo Alto support for assistance with that MFA integration, as we didn’t create it.

Good luck!
