Establishing two-factor authentication with Palo Alto Networks Firewall and HOTPin authentication server

This document outlines the steps required to integrate the Palo Alto Networks Firewall with Celestix HOTPin two-factor authentication. The following steps are detailed within this guide:

  • Adding users
  • Enabling user self provisioning
  • Configuring RADIUS integration in Palo Alto Networks Firewall
  • Adding Palo Alto Networks Firewall as a RADIUS client in Celestix HOTPin
  • Testing the login process

Steps to Configure Standalone Celestix HOTPin v3.x

Prerequisites
This document assumes you have followed the steps in the HOTPin Quick Start Guide, and either installed HOTPin Server v3.x, or configured your HSA Appliance ready for use. If you haven’t already done so, please refer to the Quick Start Guide to complete this before proceeding.
The Quick Start Guide can be found here: http://www.celestix.com/content/uploads/Celestix-HOTPin-Standalone-Application-QSG.pdf

1. Add RADIUS server which your Celestix HOTPin server is installed, on the Palo Alto Networks firewall.

PAN-1

2. Type in a Profile Name, Server Name, the IP address of your RADIUS server and shared secret. Leave the port default at 1812 unless your RADIUS is using a custom port number. Click on OK when done.

PAN-2

3. Create an Authentication Profile for HOTPin.

PAN-3

4. Type in a name for this Authentication Profile. Add in the users that you want to associate with Celestix HOTPin Two-Factor Authentication. Select Authentication as RADIUS and select the Server Profile which you have created at Step 2. Click OK when done.

PAN-4

5. Create an Authentication Sequence for the Profile.

PAN-5

6. Type in a name for Authentication Sequence. Add the Authentication Profile which you have created at Step 4. Ensure this profile is moved on top. Click OK when done.

PAN-6

7. Add in the username under Administrators. This username must be the same as the database inside HOTPin Users.

PAN-7

PAN-7v1

8. Key in name and select the Authentication Profile created at Step 4. On the dropdown box, select the appropriate role for this user. Leave the rest as default settings. Click OK when done.

PAN-8
Basically, the process can be summarized as follows:
1. Add RADIUS server profile
2. Add Authentication profile
3. Add Authentication Sequence
4. Add Administrators

VN:F [1.9.22_1171]
Rating: 5.0/5 (2 votes cast)
Establishing two-factor authentication with Palo Alto Networks Firewall and HOTPin authentication server, 5.0 out of 5 based on 2 ratings