Overview
This document explains how to enable OpenOTP authentication for Palo Alto SSL VPN logins, using OpenOTP RadiusBridge as the RADIUS server the firewall talks to.
Register your Palo Alto VPN in RadiusBridge
On your OpenOTP RadiusBridge server, edit /opt/radiusd/conf/clients.conf
and add a RADIUS client entry (IP address and shared secret) for your Palo Alto VPN server. RadiusBridge only answers requests coming from the IP addresses listed in this file, so the address must be the one the firewall actually sources its RADIUS traffic from (by default the management interface address, unless you configured a service route for RADIUS).
Example:
client <VPN Server IP> {
        # shared secret, also entered in the Palo Alto RADIUS server profile;
        # testing123 is an example only, use a long random value in production
        secret = testing123
        # label used in the RadiusBridge logs for this client
        shortname = PaloAlto-VPN
}
Set up a RADIUS Server Profile in the Palo Alto Admin Interface
Enter the Palo Alto administration interface.
Go to Device → Server Profiles → RADIUS.
Click the Add button to add a new RADIUS server profile.
Configure the profile settings with:
- Name: OpenOTP RADIUS
- Timeout: 30 (long enough for the user to type or approve a one-time password)
- Retries: 0 (a retried request would resend the same one-time password, which the server would reject as already used)
Under Servers click the Add button to add a RADIUS server.
Configure server settings with:
- Server: OpenOTP
- IP Address: Your RadiusBridge IP address.
- Secret: The secret you defined in the RadiusBridge clients.conf file.
- Port: 1812
Save the RADIUS server profile.
Create an Authentication Profile
Go to Device → Authentication Profile.
Click the Add button to add a new authentication profile.
Configure settings with:
- Profile Name: OpenOTP
- Authentication: RADIUS
- Server Profile: OpenOTP RADIUS
Save the authentication profile.
Configure your SSL VPN with OpenOTP
Go to Network → SSL-VPN.
Edit your VPN profile or create a new one.
Set the Authentication Profile to "OpenOTP".
Save the SSL-VPN profile.
Click the Commit button at the top right to apply the new configuration.
Don't forget to allow UDP port 1812 (the default RADIUS authentication port) from your Palo Alto system to your RadiusBridge server at the firewall level. RADIUS only obfuscates the user password with the shared secret and otherwise sends the exchange in clear, so keep this path on a trusted management network.
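Before committing the firewall configuration, it is worth checking the RadiusBridge side on its own: that the client entry is picked up, that the shared secret matches, and that UDP 1812 is reachable. The script below is an added example written for this page (it is not RCDevs or Palo Alto code). It builds a PAP Access-Request as described in RFC 2865, sends it to RadiusBridge and checks the Response Authenticator with the shared secret. The host, user, password and NAS address on the command line are assumptions; run it from a host whose IP is listed in clients.conf, otherwise RadiusBridge will ignore it.

```python
"""Minimal RADIUS (RFC 2865, PAP) client for checking a RadiusBridge client
registration. Added example for this page, not RCDevs or Palo Alto code."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_REPLY_MESSAGE = 1, 2, 4, 18


def encode_user_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 octets, XOR each block with MD5(secret + previous block).
    This is what the clients.conf secret protects; it is obfuscation, not encryption."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(secret: bytes, authenticator: bytes, encoded: bytes) -> bytes:
    """Inverse of encode_user_password (trailing NUL padding is stripped)."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(body: bytes) -> list:
    """Return [(type, value), ...], refusing truncated or zero-length attributes."""
    attrs = []
    while body:
        if len(body) < 2 or body[1] < 2 or body[1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[0], body[2:body[1]]))
        body = body[body[1]:]
    return attrs


def build_access_request(secret: bytes, username: str, password: str, nas_ip: str,
                         identifier: int = 0, authenticator: bytes = None) -> bytes:
    """Code(1) Identifier Length RequestAuthenticator(16) Attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_user_password(secret, authenticator, password.encode()))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    A reply that fails this check was computed with a different shared secret."""
    if len(response) < 20:
        return False
    _, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def build_response(secret: bytes, request: bytes, code: int, attrs: bytes = b"") -> bytes:
    """Server-side reply construction; used here to exercise verify_response offline."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def check_registration(host: str, secret: bytes, username: str, password: str,
                       nas_ip: str, port: int = 1812, timeout: float = 30) -> str:
    """Send one Access-Request and describe the outcome. Silence means the sender's IP is
    not in clients.conf or UDP 1812 is blocked; a reply that fails verify_response means
    the secrets differ; Accept/Reject/Challenge means the RADIUS path itself is fine."""
    req = build_access_request(secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (host, port))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply: client IP not registered in clients.conf or UDP 1812 blocked"
    if not verify_response(secret, req, resp):
        return "reply failed the Response Authenticator check: shared secret mismatch"
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject", ACCESS_CHALLENGE: "Access-Challenge"}
    msgs = [v.decode(errors="replace") for t, v in parse_attributes(resp[20:]) if t == ATTR_REPLY_MESSAGE]
    return names.get(resp[0], f"code {resp[0]}") + (": " + "; ".join(msgs) if msgs else "")


if __name__ == "__main__":
    import sys  # usage: python radius_check.py <RadiusBridge IP> <secret> <user> <password> <NAS IP>
    print(check_registration(sys.argv[1], sys.argv[2].encode(), sys.argv[3], sys.argv[4], sys.argv[5]))
```

An Access-Challenge (the reply OpenOTP uses to ask for the OTP after a valid LDAP password) or even an Access-Reject still proves the client entry, the secret and the network path, which is what this check is for; only a timeout or a failed authenticator check points at clients.conf or the firewall rule.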