4. Dual Factor Authentication Using Open Source Solution PrivacyIdea – demo
In this lecture we will see how to configure the Palo Alto Firewall and also configure our lab to use something called Privacy Idea, which allows you to do dual factor authentication with a lot of different types of token including the Google Authenticator that you can have on your phone. So my phone I have something called offy. So basically install this application authy on your phone and then there’s a software called Privacy Idea. The Privacy Idea is a software installed in your Ubuntu machine that allows you to do dual factor authentication against the Google Authenticator. So we’ll couple this with our MPs, Microsoft MPs Server and allow the user to authenticate using a web interface and roll their token and then login to the Palo Alto Firewall Global Protect using the dual factor, their Google Authenticator token. So there’s multiple steps that are involved in this and we’ll first have to basically install the software on our machine.
So log in to the DMZ server and then basically you need to add the repository, switch user first to sudo and then add appt repository PPA. Privacy idea. Privacy idea. Hit enter. The next thing is we will set up the software pseudo app install Privacy Idea app to update, then install Privacy Idea apache two that will set up the web interface, which is yes, it’s 447 mex. So it’s going to take a little bit to install. That’s going to prompt password for the MySQL for the password. And then once it finishes install, we need to add an admin user. We’ll do Pi manage and add super user, put the password in so we have the admin user and then we need to install the pseudo app install well, just app install Privacy Idea radius, that’s the ladies component. So it installed basically free Radius. So it has a Radius server component.
That’s what we’re going to be using to authenticate. And then go ahead and log into your server, the DND server, the Privacy Idea. You’re going to log in with the super user account you created. And then the first thing we have to do is create a realm. We’re going to go ahead here and go to Configure and then we’re going to click on Dev Local and then create new LDAP resolver. And we’re going to point this to our ad server. The base DN is going to be in my case, DC equal lab, DC equal local and then sub three. And then by in DN I’m going to use the NTLM lab, the administrator account cache timeout 120 and then click on Preset Active Directory and click on Test LDAP Server. And then see here it says ten users object found.
So that means it’s connected. And then say resolver. And then we’re going to go to Config and then we’re going to go to policies. We’re going to create a new policy. We’ll give it a name enroll and the rule token label scope is enrollment and then User Realm. Basically the default realm user Resolver is going to be the LDAP resolver and then create policy and then we’re going to create a new policy and this policy will be for authentication, show policy template. This will be so what BRI two is the scope is authentication and this is going to be the authentication portion and we’re going to select here type in authentication. So basically we’re going to select pass through authentication and we’re going to select the user store. If the user has a token it’s going to use the token.
If it doesn’t have a token it’s going to use the active directory password. And then user realm is the default realm and the user resolver is the LDAP. It resolved the user in ad and then we’re going to go ahead and create policy. It doesn’t want to create policy. Create policy, choose the authentication, pass through User Store and then defreal and then LDAP and then create policy. We’re going to basically point the firewall to the MPs server and the MPs server would connect to the Radius server here and then basically authenticate the token. So the next step here is we’re going to have to have the user register. So I’m going to log in as one of the users. Well before we have to do that step, basically we’re going to go to configure and then here we’re going to edit. We’re going to add LDAP so that the user can authenticate against LDAP so they can enroll.
So first is going to be LDAP and then the local. This is for the manager manager to log in and authenticate. We’re going to go ahead and log out and then log in as one of the users here. And then basically user would need to enroll the token. They would select the time based one time password and then click Enroll token and then they will use the authentication, the AUTHI software on their phone and then click Add account and take a scan the code and then they would have the token set up with their account. This is good. So now we register the user. And the next step is we have to configure MPs server to forward to basically be the Radius and Radius server in the middle between the firewall and privacy idea. We’re going to go to MPs and then we are going to go to Radius client and servers and then we’re going to add the remote Radius server.
We’re going to call this privacy Idea and then we’re going to add put the IP address and then authentication. We’re going to put the shared secret and then click okay. Click okay.What would happen is you have the firewall and the firewall is going to be configured with the Radius server. The radio server would be the MPs and then the MPs server would send the request to the privacy idea server. When the user logs in using Global Protect they’re going to be pointed to a Radius authentication profile. Auth profile. The request would come in and the request will come in on the MPs server with the name of the Auth profile. It’s going to get forwarded to the Privacy Idea server. Privacy Idea Server has the user with their token registered. The user will be able to log in with their user ID and token plus token on their phone.
That basically is the entire idea behind this. So this is the dual factor authentication. You can have a second factor by using certificates. But we can talk about this in a different lecture on the Palo Alto Firewall. We’re going to go ahead and create an authentication profile and a Radius server. So here under Device Radius server, I’m going to create a new Radius server. Here GP off second factor and then add the name. Add the server MPs 172 31. This is the MPs server, the domain controller in the lab. And then put the password and then click OK. And then we’re going to go to authentication profile. And then we are going to create a new authentication profile here called GP two factor. And then the type is Radius. The server profile is GP’s second factor.
And then Advanced is pretty much all users allowed and then click okay. Under a portal, we will use that as our authentication GP two factor as authentication profile. And the gateway we’re going to choose also that as our authentication profile. Okay? And then click commit. So when the request comes in to the MPs server, the name of the request is going to be Nas Identifier and this is going to be the authorization profile name and Palo Alto Firewall. So I’m going to add this because I was using the other one for testing. So NASA Identifier and we’re going to give it the same name as we have here, which is on the authentication profile, which is GP two factor and then click OK. And then authentication method, that’s fine. So it’s going to authenticate against the Privacy Idea server, the remote server that we set up here under Ladies Remote server.
And then click Apply and then click okay. And then under network policies, we get to set up a policy. The condition is the nez identifier. We can set up the Nez Identifier here GP two factor. And then you can restrict who can login user groups. So we’ll add here global GP. Gpusers restricted to a group of Gpusers and then click okay, apply, okay. All right. And then on the Super Idea server, we are going to on the Privacy Idea server. I don’t know why I keep calling it super idea. We need to set up the MPs server as a client VIPC pre Radiusclients. com, because the request is going to come into the MPs server. And then from the MPs server it’s going to go to the Privacy Idea server client. We’re going to call this MPs server secret equal IP address equal that’s the IP address of the server. And then service for your ads restart. Now everything is ready. I’m going to go ahead and commit the configuration. Oh, it’s already committed.
So on my machine, I’m going to go ahead on my remote machine here, I’m going to go ahead and try to log in and I’m going to use the MDS user and then put the password on the token from my phone. Disconnected Error so let’s take a look at the log server roles MPs Server okay, so it didn’t match the user. Let me make sure this user is in this group. CPUs group. Going to go ahead and try again. Put the new token 077872 disconnected authentication Failed I’m going to refresh GP two factor there’s identifier let me take a look at the log here. Radius login Restart service view radius Restart all right, let’s make sure everything is set up here correctly. Connection Request privacy Idea Server condition as identifier oh, I’m going to remove this condition and just leave this condition here. Let me try again and then network policies and then try one more time.
Oh, it’s working. Now basically this is the first authentication is for the actual global protect portal and then the second authentication is for the global protect gateway. And then I’m connected. So this is dual factor authentication using tokens and there’s a lot of steps involved. But basically the idea is we’re using the Privacy Idea Server application. It’s a free open source application and this allows you to use the Google Authenticator token and a whole bunch of other token solutions out there. You can make this website to install on the server available for user to register their tokens. And once they register the token, they will be able to log in using their phone token. You don’t need any to spend any money on any other solutions from the outside. It’s basically a free solution that allows you to benefit from everybody having a phone.
5. Joining a windows PC to AWS windows domain – vpn tunnel to AWS
So in order for us to do some more testing on global protect, we need to kind of join a Windows machine to the Amazon instances so we can join to the Amazon domain. So in this case, I have a unit. Lab Palo Alto Firewall and Ethernet one Two has a Windows machine. Ethernet Eleven connects to my network. The management interface connects to my network so I can manage it. And I’m going to create a tunnel to the VPN to the Amazon instance. This way I can connect my machine to the Amazon Instant domain controller and join it to the domain and get a certificate from it because that’s how I’m going to be using it to authenticate the client.
Okay, the first thing we have to do is on the firewall I’m going to create I’m going to basically set up the outside interface to connect one one. In my case, I’m using DHCP. That’s fine. And this is the zone on trust. This is his own trust. And then I have DSP to set up DSP to assign the machine and IP address an Ethernet one two and put the lease here 150. And options. I need to point it to the lab DNS server. So this is going to be primary. DNS is 172 31 215 of the domain controller in the lab. And subnet mask is the default. Gateway is one 8268-152-5250. And you can specify the domain DNS suffix. Two is lab local. So this way the machine can join the domain controller and Amazon that’s that. And then I need to create a tunnel add. I’m going to create tunnel AWS, tunnel interface, ethernet one one. The current IP address that I have for my Amazon instance is this.
So I’m going to put that IP address here. 52 9116 88. 52 9116 88. Give it a pre shared key since I’m behind the net and the AWS is behind the net as well. We’re going to put the aggressive mode and we’ll kind of leave those default. And then I’m going to create an Ipsex tunnel interface. Tunnel interface. I’m going to create a new interface here. Virtual router default. I’m going to consider this a trust zone. And IPV four address. I’m going to give an IPV four address here. 192-16-2124 I gateway crypto profile. I’m going to leave a default proxy IDs. No. Proxy IDs. I’m going to use routing. So virtual router. Route the traffic to my Amazon segment set of routes. 17231, 202-431-2024, tunnel ten. The IP address is 192 162 two. This is going to be my Amazon instance.
And this way when I try to reach my domain controller and Amazon, it basically will trigger the tunnel on the Amazon instance. I’m going to basically set up the same network. I gateway, except I gateway. And Lab powerwall interface is looking at one one local IP address a little bit empty because it’s dynamic. And then peer IP is going to be dynamic preset key. With the preshirt key, I will put a peer identification here. Ftdn fkdn, first name firewall. So I need to put that in my lab firewall. Enable net traversal, change mode, aggressive. That’s fine. Let me go back to the firewall. You have to enable net traversal. And I’m going to specify here local identification lab firewall. And then I’m going to create the IPsec tunnel interface. Lab firewall interface, create tunnel interface here.
Virtual router, default security zone, trust PV four, 1868 two dot 2234. And then I gateway select IIT gateway IPsec crypto profile, spine default. Okay, when you look at the Igate way, make sure aggressive and default enable that. So I’m going to go ahead and commit. And now on my lab machine, I should have gotten an IP address here, verified that I have an IP address status under Policies. I should have policy here, source any destination, any action allow. So I’m going to try to trigger the tunnel thing. 172 31, 215. See if I’m getting any logs. Payload address does not match default gateway years. ID. Let me see here. Okay, so I need to change because it’s behind the net. So I’m going to change this to identification.
The IP address of the firewall pre identification is 107, 23125, 510. If I look at the tunnel, the tunnel is established. So I should be able to ping my domain controller. Let me see why I cannot ping. I don’t have a route. Forgot about the route. Virtual router here. I need to add 100 and 9216-8192-1681-0241-8102-4 the total interface. And next top is 1868 two one and commit that. And as soon as I commit, I should be able to get to that, so I’ll be able to connect. So now that I’m connected, I should be able to join that machine to the my purpose right now is to join this machine to the domain.
So I’m going to go ahead and try to do that. Properties and then change settings, then change. And I’m going to join it to the domain and the lab in the AWS. It looks promising.Okay. And I’m joined, so it’s going to restart. And if I go back and look at my domain controller in AWS, if I go to users and computers, I should be able to see that computer in here. There you go. So that allows me to join that machine to the machine in my home lab, to join it to the AWS domain controller. And this way I can do additional things like give it a certificate and do other things. So.
