Windows NPS (RADIUS) with Palo Alto Networks firewalls

blog.payperitem.com,

Integrating Windows NPS (RADIUS) with Palo Alto Networks firewalls lets you centralize VPN and admin authentication via Active Directory. Here’s a full deep-dive for both GlobalProtect VPN and admin GUI/CLI login with RADIUS + optional MFA.

πŸ” Integration Overview

  • NPS acts as a RADIUS server, authenticating users against Active Directory.
  • Palo Alto is configured as a RADIUS client.
  • Optional: integrate MFA (like Microsoft NPS Extension for Azure MFA, Duo, etc.).

🧱 Windows NPS Configuration

1. Add Palo Alto as a RADIUS Client

  • Open NPS console β†’ RADIUS Clients and Servers β†’ RADIUS Clients
  • New Client:
    • Name: PaloAlto-FW
    • Address: Firewall’s IP (mgmt or tunnel interface depending on use)
    • Shared Secret: Strong password (you’ll use this on Palo)
    • Vendor Name: RADIUS Standard

2. Connection Request Policy

Usually not needed unless you forward requests to other RADIUS servers.

3. Network Policy

  • Go to NPS β†’ Policies β†’ Network Policies
  • Add a new policy for VPN or admin login:
    • Conditions:
      • Windows Group = VPN_Users or PA_Admins
    • Constraints:
      • Authentication Method: MS-CHAPv2, or PEAP
    • Settings β†’ RADIUS Attributes:
      • You can use Filter-Id or Class attributes for Palo Alto role mapping.

πŸ” Example for Role Mapping:

text

Attribute: Class
Value: Admin

πŸ”₯ Palo Alto Firewall Configuration

1. RADIUS Server Profile

Go to Device β†’ Server Profiles β†’ RADIUS β†’ Add:

  • Name: NPS-AD-RADIUS
  • Server: IP of NPS
  • Secret: Match the shared secret from NPS
  • Authentication Protocol: PAP or MSCHAPv2 (MSCHAPv2 preferred)
  • Port: 1812 (default)

2. Authentication Profile

Go to Device β†’ Authentication Profile β†’ Add:

  • Name: RADIUS-NPS
  • Type: RADIUS
  • Server Profile: NPS-AD-RADIUS
  • Username Modifier: %USERINPUT% or %USERDOMAIN%\%USERINPUT% depending on NPS config
  • Allow List: AD groups (optional)

3. GlobalProtect VPN Integration

Go to:

  • Network β†’ GlobalProtect β†’ Portals β†’ [your portal]
  • Under Authentication, use the RADIUS-NPS profile.
  • Do the same under Gateways β†’ Authentication.

Optional:

  • Setup Group Mapping (Device β†’ User Identification β†’ Group Mapping) if you want to use AD group names in firewall policies.

4. Admin Access via RADIUS

Go to:

  • Device β†’ Admin Roles β†’ Create custom roles (e.g., NPS-Admin, ReadOnly)
  • Device β†’ Admins β†’ Add:
    • Name: radius-admin
    • Authentication Profile: RADIUS-NPS
    • Role: Match string in NPS RADIUS attribute (Class or Filter-Id)

e.g., if NPS sends:

text

Class: Admin

Then the admin role name must be Admin.

πŸ›‘οΈ Optional: MFA with NPS

Option 1: Microsoft Azure MFA

  • Install NPS Extension for Azure MFA
  • Auth flow: nginxCopyEditPalo β†’ NPS β†’ AD β†’ Azure MFA

Option 2: Duo MFA

  • Install Duo Authentication Proxy
  • Configure as a RADIUS proxy in front of NPS

πŸ“ˆ Logging & Troubleshooting

On Windows NPS:

  • Event Viewer β†’ Custom Views β†’ Server Roles β†’ Network Policy and Access Services
  • Common event IDs:
    • 6272 = Success
    • 6273 = Failure (check reason code)

Enable NPS logging:

  • Log to file or SQL (for long-term retention)

πŸ§ͺ Test Auth from CLI

On Palo:

bash

test authentication authentication-profile "RADIUS-NPS" username testuser password
Active Directory Registry / Tricks & Tweats Security Windows

Related Posts

VPN server in Azure

Setting up a VPN server in Azure that supports secure access for employees, vendors, and customers requires a carefully planned architecture to address different access levels, security boundaries, and scalability. Here’s a solid approach with Azure-native and custom options, along with a proposed build. πŸ” Goal: 🧱 Solution Overview: Option…

Read More

Leave a Reply