Dual Factor Authentication with O365 for Palo Alto Networks VPN users
Today I visited a client that has been dealing with a recurring issue of failure on dual factor authentication for VPN users (Radius and O365 multi factor authentication).
The signature of the failure was that initially the password was accepted, however, the Phone message didn’t come through to approve access (i.e. the phone didn’t receive the approval to access prompt).
Looking at the config, I placed the firewall in a debug manner:
Debug authentication on debug
Debug authentication on info
Tail follow yes mp-log authd.log
Interestingly, the radius was accepting the first login, but would timeout right afterwards. Thinking about it further, the issue seemed to be related to some communication that was not making it back. So I looked at the source IP of where the firewall was originating the request from and realized that they are using the management interface as a source for TACACS+ and the inside interface for RADIUS – (the Aha moment!). Once the TACACS+ and RADIUS communication source interfaces were matched, everything worked like a champ.
If you have issues configuring the Palo Alto firewalls with dual factor or any other issues, feel free to reach out to me: firstname.lastname@example.org
President and Enterprise Architect