TL;DR: Add free 2FA to any service that supports RADIUS authentication, using an Ubuntu server, the Google Authenticator PAM module and FreeRADIUS.
![](http://wp.12p.no/wp-content/uploads/2020/01/image-23.png)
So, I’ve been messing around with this for a while, and I decided I’d create a post showing how to do it.
Basically I have a small Ubuntu server with FreeRADIUS and the Google Authenticator PAM module, using the local user accounts defined on the Ubuntu server as the allowed users.
Step 1: Start by installing the needed tools on the Ubuntu server, running this command:
![](http://wp.12p.no/wp-content/uploads/2020/01/step1.png)
This installs the applications and tools you need. There are different ways of setting up FreeRADIUS in terms of the user running the service, but since I hate services running as root I used the freerad user account with lower privileges.
Step 2: Edit the /etc/freeradius/users file and add the following:
![](http://wp.12p.no/wp-content/uploads/2020/01/image-1.png)
Step 3: Edit /etc/freeradius/sites-enabled/default and remove the # in front of pam in the authenticate section, so that FreeRADIUS hands authentication to PAM:
![](http://wp.12p.no/wp-content/uploads/2020/01/image-2.png)
Step 4: Edit /etc/freeradius/clients.conf and add these lines to the end. Change the allowed IP address and the RADIUS shared secret to whatever you need them to be; I recommend using a password generator for the secret. The shared secret is all that protects the user password on the wire (RADIUS PAP only obfuscates it with an MD5-based XOR), so keep it long and random and restrict the client entry to the firewall's address.
![](http://wp.12p.no/wp-content/uploads/2020/01/image-14.png)
Then restart the service: sudo service freeradius restart
Step 5: Edit /etc/pam.d/radiusd to add the Google Authenticator PAM module:
![](http://wp.12p.no/wp-content/uploads/2020/01/image-5-1024x262.png)
Step 6: For each user you need to create a Google Authenticator token. Running the command google-authenticator as that user will guide you through the process:
![](http://wp.12p.no/wp-content/uploads/2020/01/image-22.png)
A file named .google_authenticator is created in each user's home folder. It holds the TOTP secret and the emergency scratch codes in plain text, so treat it like a password. We need to move this file into a per-user folder under /etc/freeradius/*USERNAME* so that the FreeRADIUS service can read it.
Step 6.1: Since we don't run the service as root, we need to allow the freerad user to access the Google Authenticator file for the user (the user is named TEST here). Give freerad ownership or read access, but keep the file unreadable by everyone else, since anyone who can read it can generate valid codes:
![](http://wp.12p.no/wp-content/uploads/2020/01/image-6.png)
Step 7: Test the setup using radtest:
![](http://wp.12p.no/wp-content/uploads/2020/01/image-7.png)
If the test is successful you should see this line:
![](http://wp.12p.no/wp-content/uploads/2020/01/image-8.png)
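To make clear what happens to the "password+code" string once the firewall sends it to FreeRADIUS and PAM, here is an added example in Python (not code from this post, and not the PAM module itself). It assumes the PAM module is configured with forward_pass and the google-authenticator defaults of 6-digit codes and 30-second steps: the last six digits of the typed string are checked as a TOTP code against the user's .google_authenticator file (with the WINDOW_SIZE tolerance), the rest is passed on as the account password, and an 8-digit scratch code is accepted once as a fallback. The sample file, the RFC 6238 test key it contains, the password "hunter2" and the check_password callable are all constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample .google_authenticator file (not a real user's file).
# The first line is the base32 TOTP secret; here it is the RFC 6238 test key
# "12345678901234567890" so the expected codes are publicly known. Lines
# starting with a double quote are options written by google-authenticator;
# the remaining 8-digit lines are one-time emergency scratch codes.
SAMPLE_GA_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
11111111
22222222
"""

RFC6238_SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")


def parse_ga_file(text):
    """Parse a .google_authenticator file into secret, window size and scratch codes."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    secret = base64.b32decode(lines[0])
    window = 3  # module default: the current code plus one step either side
    scratch = set()
    for line in lines[1:]:
        if line.startswith('"'):
            parts = line[1:].split()
            if len(parts) >= 2 and parts[0] == "WINDOW_SIZE":
                window = int(parts[1])
        elif len(line) == 8 and line.isdigit():
            scratch.add(line)
    return {"secret": secret, "window": window, "scratch": scratch}


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from a 30-second time step."""
    return hotp(secret, int(unix_time) // step, digits)


def totp_matches(entry, code, now):
    """Accept the code for the current step and the neighbouring steps covered by
    WINDOW_SIZE (WINDOW_SIZE 3 means the previous, current and next step)."""
    current = int(now) // 30
    lo = -((entry["window"] - 1) // 2)
    hi = entry["window"] // 2
    return any(hotp(entry["secret"], current + i) == code for i in range(lo, hi + 1))


def verify_forward_pass(entry, typed, check_password, now=None):
    """Emulate pam_google_authenticator with forward_pass followed by pam_unix.

    `typed` is what the user put in the password field: the account password with
    the 6-digit TOTP code (or an 8-digit scratch code) appended, no separator.
    `check_password` stands in for pam_unix; here it is a plain callable (assumed).
    """
    if now is None:
        now = time.time()
    # Try the trailing six digits as a TOTP code first.
    if len(typed) > 6 and typed[-6:].isdigit() and totp_matches(entry, typed[-6:], now):
        return check_password(typed[:-6])
    # Otherwise the trailing eight digits may be a scratch code; each one is
    # single-use, so consume it (the real module rewrites the file without it).
    if len(typed) > 8 and typed[-8:] in entry["scratch"]:
        entry["scratch"].discard(typed[-8:])
        return check_password(typed[:-8])
    return False
```

Two things this makes visible: the window means a code stays valid for roughly a minute and a half with WINDOW_SIZE 3 (raise it only if the server clock drifts; keep ntp running instead), and whoever can read the secret file can compute every future code, which is why the file permissions in step 6.1 matter.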
Step 8: Configure the Palo Alto firewall to use the RADIUS server with 2FA for GlobalProtect VPN:
Go to Device, then Server Profiles, and select RADIUS. Create a new RADIUS profile:
![](http://wp.12p.no/wp-content/uploads/2020/01/image-9.png)
To test the settings, commit, then from the firewall CLI type:
![](http://wp.12p.no/wp-content/uploads/2020/01/image-15.png)
At the password prompt type YourPassword followed directly by the current Google Authenticator code, with no separator (the + below just means "followed by"):
![](http://wp.12p.no/wp-content/uploads/2020/01/image-16.png)
If this does not work, troubleshoot by following the logs on the RADIUS server:
tail -f /var/log/auth.log
or
tail -f /var/log/freeradius/freeradius.log
![](http://wp.12p.no/wp-content/uploads/2020/01/image-17-1024x35.png)
Step 9: Go to Authentication Profile and add a new profile that uses the RADIUS server profile:
![](http://wp.12p.no/wp-content/uploads/2020/01/image-10.png)
Add this authentication profile to the GlobalProtect portal config:
![](http://wp.12p.no/wp-content/uploads/2020/01/image-19-1024x497.png)
Step 10: Test the config
Commit the config and visit the GlobalProtect portal externally. Type in the username, and in the password field type the password followed by the Google Authenticator code:
![](http://wp.12p.no/wp-content/uploads/2020/01/image-18.png)
Step 11: Testing the authentication in the GlobalProtect client
Download and install the client if you haven't done so yet. Add the portal address, your username, and the password followed by the Google Authenticator code:
![](http://wp.12p.no/wp-content/uploads/2020/01/image-20.png)
And you're logged in.
Remember to change the password at next logon. I use these settings as well:
![](http://wp.12p.no/wp-content/uploads/2020/01/image-21.png)
LATER: I will do a tutorial on LDAP integration as well.