Configure Palo Alto Networks VPN to use the Okta RADIUS

This topic describes how to configure the Palo Alto Networks VPN to use RADIUS.

Before you begin

Obtain the common UDP port and secret key values.

Create a RADIUS server profile

  1. Sign in to the Palo Alto Networks Admin Console with sufficient privileges.
  2. Go to DeviceServer ProfileRadius.
  3. Click Add to create a RADIUS server profile.
  4. Enter a unique profile name, and then enter the following profile settings:
    • Timeout (sec): 60
    • Authentication Protocol: PAP
    • Retries: 1
  5. Click Add to create a server. Enter the following server settings:
    • Name: Enter a unique name for the server.
    • Radius Server: Enter the IP address of the server where you installed the Okta Palo Alto RADIUS Agent.
    • Secret: Enter the RADIUS secret that you defined in the Okta RADIUS app.
    • Port: Enter the UDP port that you defined in the Okta Palo Alto RADIUS app.
  6. Click OK.

Create an authentication profile for the Okta Palo Alto RADIUS Agent

  1. Sign in to the Palo Alto Networks Admin Console with sufficient privileges.
  2. Go to DeviceAuthentication Profile.
  3. Click Add to create an authentication profile.
  4. Select the Authentication tab.
  5. Use the default settings except for the following items:
    • Type: Select RADIUS.
    • Server Profile: Enter the name of the server profile that you created.
  6. Click OK.
  7. On the Authentication Profile page, select the Advanced tab.
  8. Click Add to assign an Allow List.
  9. Select All.
  10. Click OK.
  11. Click Commit to save the Okta RADIUS authentication profile.
  12. Open the Palo Alto Networks Administrative Shell and test the authentication profile. See the Test the authentication profile section in Troubleshoot the Palo Alto Network VPN integration.

Apply the Okta RADIUS authentication profile to a gateway

  1. Sign in to the Palo Alto Networks Admin Console with sufficient privileges.
  2. Go to NetworkGlobalProtectGateways.
  3. Open your GlobalProtect Gateway.
  4. Select the Authentication tab.
  5. Click Add and then update the Client Authentication settings to use the Okta RADIUS authentication profile that you configured.
  6. Use the default settings except for the following items:
    • Name: Enter a unique name.
    • OS: Select Any.
    • Authentication Profile: Enter the name of the authentication profile that you configured.
    • Authentication Message: Enter appropriate instructions for end users, like "Enter sign-in credentials".

  7. Click OK.

Configure the GlobalProtect Portal to use the Okta RADIUS Authentication Profile

This step applies the same settings that you applied to your GlobalProtect Gateway to the GlobalProtect Portal.

  1. Sign in to the Palo Alto Networks Admin Console with sufficient privileges.
  2. Go to NetworkGlobalProtectPortals.
  3. Open your GlobalProtect Portal.
  4. Select the Authentication tab.
  5. Click Add and then update the Client Authentication settings to use the Okta RADIUS Authentication Profile that you configured.
  6. Use the default settings except for the following items:
    • Name: Enter a unique name.
    • OS: Select Any.
    • Authentication Profile: Enter the name of the authentication profile that you configured.
    • Authentication Message: Enter appropriate instructions for end users, like "Enter sign-in credentials".
  7. Click OK.
  8. Click Commit to save the Okta RADIUS configuration.