One-time password (OTP) authentication is a form of user identity verification in which the user logging into the network provides a one-time password or code. OTP can function as a stand-alone form of verification or as an addition to the traditional forms.
OTP configuration for PaloAlto allows for an extremely well-secured connection to the network via VPN. The first stage of verification checks the user's credentials in the local NACVIEW database or in an external database (e.g. Active Directory). Once the first stage is complete, the second stage follows: a message with a verification code is sent to the user. To connect to the network, the user enters the received code into the GlobalProtect application.
1. In the PaloAlto system open Device > Server Profiles > Radius and click the Add button at the bottom of the page.
2. Complete the displayed fields as shown in the screenshot below. Confirm by clicking OK.
3. Go to Device > Authentication Profile and click Add. Configure the settings as shown in the screenshot below.
4. Go to the Advanced tab and, in the Allow List field, add the value all. Confirm with OK.
5. Go to Network > GlobalProtect > Portals and click Add.
6. Enter a name and the network parameters for the portal being created.
7. Go to the Authentication tab and, in the Client Authentication field, click Add.
8. Complete these fields: Name, OS and Authentication Profile, as in the screenshot below. Confirm by clicking OK.
9. Now go to the Agent tab and click Add.
10. Enter any name, select No or Save Username Only in the Save User Credentials field, and then select all available checkboxes in the Components that Require Dynamic Passwords (Two-Factor Authentication) section.
11. Go to the App tab. Find Use Single Sign-on (Windows Only) in the table and set this parameter to No. Confirm all open windows by clicking OK.
12. Go to the NACVIEW system. Open the menu and select Network Devices.
13. Click Add new item.
14. Complete the following fields with the data for the PaloAlto system: IP address, Radius communication Key (available after clicking the Change/set password button) and OTP options (drop-down list at the end of the form).
15. Save the set values.
For the OTP service to work properly, you must also configure the SMS Gateway in NACVIEW. To do this, use the SMS Gateway tutorial in the Instructions section on our website. The manual is available after logging in.
More detailed information about the sections and elements of the NACVIEW system can be found in the Administration Guide document.