Step 1: Create a Duo account and Protect an Application
1. Visit https://signup.duo.com/
2. Create your Duo account.
3. Now, log in to the Duo Admin Panel and navigate to Applications.
4. Click Protect an Application and locate Palo Alto GlobalProtect.
5. Click Protect on the far right to configure the application and get your integration key, secret key, and API hostname.
Step 2: Download and install the Duo Authentication Proxy (on Windows Server)
1. Download the most recent Authentication Proxy for Windows from https://dl.duosecurity.com/duoauthproxy-latest.exe.
2. Launch the Authentication Proxy installer on the Windows server that will act as the Duo proxy server. Click Yes in the popup: Do you want to allow this app to make changes to your device?
3. Click Next.
4. On the Choose Components page, check Proxy Manager and click Install.
5. When the installation completes, click Next.
6. Click Finish.
Step 3: Configure the Proxy
1. Open the Duo Authentication Proxy configuration file authproxy.cfg, which is located at C:\Program Files\Duo Security Authentication Proxy\conf\authproxy.cfg
2. Enter the following settings in the [ad_client] section:
host=IP address of your domain controller
service_account_username=Username of a member of Domain Admins
service_account_password=The password corresponding to service_account_username
search_dn=The LDAP distinguished name (DN) of an Active Directory/LDAP container or organizational unit (OU) containing all of the users you wish to permit to log in.
For example:
[ad_client]
host=10.0.0.58
service_account_username=blin
service_account_password=mypassword
search_dn=DC=chicagotech, DC=net
3. Enter the configuration values you got in Step 1 and your PA firewall details in the [radius_server_auto] section. For example:
[radius_server_auto]
ikey=DSDMN97603NBHYE
skey=vtHYe8ps44cnQ9iLnMuwH89h4eULSWOzHnlmgr9,3m
api_host=api-795KGTY473.duosecurity.com
radius_ip_1=PA firewall management IP
radius_secret_1=secret
failmode=safe
client=ad_client
port=1812
client_ip_attr=paloalto
4. Now, run Duo Authentication Proxy Manager on the Windows server.
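
A check that can be run over the text of authproxy.cfg before the proxy is started. This Python script is an added example, not part of the original guide or of Duo's tooling; the audit function, the WEAK list and the sample values are constructed for illustration. It flags plaintext or guessable secrets, failmode=safe, a missing section header, and a client= value that points at no section.

```python
import configparser

# Plaintext secret -> encrypted counterpart the Windows proxy also accepts.
SECRETS = {"ad_client": {"service_account_password": "service_account_password_protected"},
           "radius_server_auto": {"skey": "skey_protected",
                                  "radius_secret_1": "radius_secret_protected_1"}}
WEAK = {"secret", "password", "mypassword", "changeme"}  # constructed sample list

def audit(cfg_text):
    """Return (severity, message) findings for the text of an authproxy.cfg."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(cfg_text)
    except configparser.Error as exc:  # e.g. keys placed before any [section]
        return [("error", f"unparseable config: {type(exc).__name__}")]
    out = []
    for section, pairs in SECRETS.items():
        if not cp.has_section(section):
            out.append(("error", f"missing [{section}] section"))
            continue
        for plain, protected in pairs.items():
            value = cp.get(section, plain, fallback=None)
            if value is None and not cp.has_option(section, protected):
                out.append(("error", f"[{section}] {plain} is not set"))
            elif value is not None and value.strip().lower() in WEAK:
                out.append(("warn", f"[{section}] {plain} is a guessable value"))
            elif value is not None:
                out.append(("info", f"[{section}] {plain} is stored in plaintext"))
    rsa = cp["radius_server_auto"] if cp.has_section("radius_server_auto") else {}
    # failmode=safe: if Duo cannot be reached, primary authentication alone is enough.
    if rsa and rsa.get("failmode", "safe").lower() == "safe":
        out.append(("warn", "failmode=safe fails open if Duo is unreachable"))
    if rsa.get("client") and not cp.has_section(rsa["client"]):
        out.append(("error", f"client={rsa['client']} names a missing section"))
    return out

# Constructed sample, trimmed to a few keys; every value is a placeholder.
SAMPLE = """[ad_client]
host=10.0.0.58
service_account_password=mypassword
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER-SKEY-NOT-A-REAL-KEY
radius_secret_1=secret
failmode=safe
client=ad_client"""
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

If the [radius_server_auto] header is left out, its keys are read as part of [ad_client], and the check reports the missing section instead of evaluating failmode.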