Authentication Policy and Multi-Factor Authentication

To protect services and applications from attackers, you can use the new Authentication policy to control access for end users. Authentication policy lets you choose how many authentication challenges of different types (factors) users must respond to. Requiring multiple factors of authentication (MFA) is particularly useful for protecting your most sensitive services and applications, because an attacker who has phished or reused a password alone still fails the additional challenge. For example, you can force users to enter a login password and then enter a verification code that they receive by phone before accessing critical financial documents. To reduce the frequency of MFA challenges that interrupt the user workflow, you can specify an authentication timeout period during which a user responds to the challenges only once for repeated access to services and applications.
The MFA factors that the firewall supports include Push, Short Message Service (SMS), Voice, and One-time password (OTP) authentication. The firewall integrates with MFA vendors through:
  • APIs—The supported vendors are Duo v2, Okta Adaptive, and PingID. Palo Alto Networks will periodically add or update support for MFA vendor APIs through Applications content updates.
  • RADIUS—The firewall supports all vendors through RADIUS.
  1. Configure Captive Portal in Redirect mode.
    The firewall uses the Captive Portal web form to prompt users for the first authentication factor, and it records a timestamp for each successful authentication event. It evaluates those timestamps against the authentication timeout periods that you set in Authentication policy rules (later in this procedure).
  2. Configure a server profile that defines how the firewall connects to the service that provides the first authentication factor.
    For example, to add an LDAP server profile, select Device > Server Profiles > LDAP and Add a profile.
  3. Select Device > Server Profiles > Multi Factor Authentication and Add an MFA server profile for each authentication factor after the first factor.
    (Screenshot: MFA server profile)
  4. Select Device > Authentication Profile and Add an authentication profile.
    The profile specifies the order in which the firewall invokes the authentication factors: the first factor is checked before any additional factor is challenged.
    • First factor—Select the Type and select the Server Profile you configured.
    • Additional factors—Select Factors, Enable Additional Authentication Factors, and Add the MFA server profiles you configured.
      (Screenshot: authentication profile with additional MFA factors enabled)
  5. Select Objects > Authentication and Add an authentication enforcement object to associate the authentication profile with a Captive Portal method for authenticating users and for recording authentication timestamps.
    (Screenshot: authentication enforcement object)
  6. Select Policies > Authentication and Add an Authentication policy rule.
    • For the Destination Address, you can specify the IP addresses of the services and applications (such as servers) that require authentication for users to access them.
      (Screenshot: Authentication rule destinations)
    • For the Actions, select the Authentication Enforcement object you configured and specify the Timeout period in minutes (default 60) during which the firewall prompts the user to authenticate only once for repeated access to services and applications. The firewall evaluates the Timeout based on the timestamps it recorded for authentication events.
      (Screenshot: Authentication rule actions)
  7. Customize the MFA login page that the firewall displays to tell users how to respond to MFA challenges—Select Device > Response Pages, select MFA Login Page, Export the Predefined response page to your client system, and use an HTML editor to customize the page. When you finish customizing the page, save it with a unique name and Import it back onto the firewall.
  8. Configure a Security policy that allows users to access the services and applications that require authentication, and then Commit your changes.
  9. Verify that the firewall enforces MFA by logging in to your network as one of the users specified in the Authentication rule and requesting a service or application specified in the rule.
    The firewall displays the Captive Portal web form for the first authentication factor.
    (Screenshot: Captive Portal login form for the first factor)
    After you enter your login credentials, the firewall displays an MFA login page for the next authentication factor.
    (Screenshot: MFA login page on which the user selects a method)
    After you respond to all the authentication factors, the firewall evaluates Security policy and provides access to the service or application.
    The automated correlation engine on the firewall uses several new correlation objects to detect events on your network that could indicate credential abuse relating to MFA. To review the events, select Monitor > Automated Correlation Engine > Correlated Events.
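The following model shows how the pieces configured in steps 1 through 6 fit together at request time: a rule matched on destination address, a profile that challenges the first factor and then the MFA factors in order, and a Timeout evaluated against recorded authentication timestamps. It is an added illustration and not PAN-OS code; the firewall's internal data structures are not public, so keying the timestamp cache on (user, rule name), the minute-based clock, and the LDAP and OTP stand-ins are all assumptions, and the user, password, code and addresses are constructed sample data.

```python
"""Simplified model of Authentication policy evaluation with MFA and a Timeout.

Added illustration only, not PAN-OS code. The timestamp cache is keyed on
(user, rule name) as an assumption, and plain Python callables stand in for
Captive Portal (first factor) and the MFA vendor (additional factors).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple

# A factor takes (user, response) and returns True when the challenge is satisfied.
Factor = Callable[[str, str], bool]


@dataclass
class AuthProfile:
    """Factor order: the first factor (e.g. LDAP password), then the MFA factors."""
    first_factor: Factor
    additional_factors: List[Factor]

    def factors(self) -> List[Factor]:
        return [self.first_factor] + self.additional_factors


@dataclass
class AuthRule:
    name: str
    destinations: List[str]      # CIDR strings for the protected services
    profile: AuthProfile
    timeout_minutes: int = 60    # the rule's Timeout; 60 is the documented default

    def matches(self, dst_ip: str) -> bool:
        return any(ip_address(dst_ip) in ip_network(d) for d in self.destinations)


@dataclass
class Firewall:
    rules: List[AuthRule]
    # Time (minutes) of the last fully successful authentication per (user, rule).
    # Assumed keying; see module docstring.
    auth_timestamps: Dict[Tuple[str, str], float] = field(default_factory=dict)

    def access(self, user: str, dst_ip: str, now: float, responses: List[str]) -> str:
        """Return what the model firewall does with one request.

        responses: the user's answers to each factor, in profile order.
        """
        rule = next((r for r in self.rules if r.matches(dst_ip)), None)
        if rule is None:
            return "no-auth-rule"           # only Security policy applies
        last = self.auth_timestamps.get((user, rule.name))
        if last is not None and now - last < rule.timeout_minutes:
            return "allow-within-timeout"   # authenticated recently; no new challenge
        # Challenge the factors in order. A failure stops the chain, so the MFA
        # stand-in is never asked about a request that failed the password.
        for index, factor in enumerate(rule.profile.factors(), start=1):
            answer = responses[index - 1] if index <= len(responses) else ""
            if not factor(user, answer):
                return f"deny-factor-{index}"
        self.auth_timestamps[(user, rule.name)] = now   # only full success is recorded
        return "allow-authenticated"


# --- Constructed sample data (no real directory, MFA vendor or network) ---
PASSWORDS = {"alice": "correct horse"}
OTP_CODES = {"alice": "246810"}


def ldap_password(user: str, response: str) -> bool:
    return PASSWORDS.get(user) == response


def otp_code(user: str, response: str) -> bool:
    return OTP_CODES.get(user) == response


def build_firewall() -> Firewall:
    profile = AuthProfile(first_factor=ldap_password, additional_factors=[otp_code])
    finance = AuthRule("finance-docs", ["10.1.1.0/24"], profile, timeout_minutes=60)
    return Firewall(rules=[finance])


def demo() -> List[str]:
    fw = build_firewall()
    return [
        fw.access("alice", "10.1.1.5", 0, ["correct horse", "246810"]),   # challenged, passes
        fw.access("alice", "10.1.1.7", 30, []),                            # same rule, within Timeout
        fw.access("alice", "10.1.1.5", 60, ["correct horse", "000000"]),   # Timeout expired, bad OTP
        fw.access("alice", "10.1.1.5", 61, ["wrong", "246810"]),           # bad password, OTP never checked
        fw.access("alice", "192.168.9.9", 61, []),                         # not a protected destination
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Two details in the model are worth carrying over to the real configuration: a failed challenge does not refresh the timestamp, so a user who fails the OTP after the Timeout expires is challenged again on the next request, and the Timeout is measured from the last successful authentication rather than from the last request.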
