LastPass offers MFA integration with your GlobalProtect Client VPN or GlobalProtect Portal through SAML integration and using LastPass Universal Proxy.
Follow the instructions below for integration with Palo Alto Network using LastPass Universal Proxy.
- In the Palo Alto Network administrative portal, go to Device > Server Profiles > LDAP and add a new profile. Set a profile name. On the Server List panel, click the “Add” button and set the server name, the Universal Proxy IP address or hostname and the listening port.
- On the right side, select your LDAP server type. Set the Base DN and the Bind DN including the Password. Finally, set the Bind Timeout to 60 seconds and clickon the “Ok” button.
- Next go to Device > Authentication Profile and add a new profile. Set a profile name, then select the Type of authentication profile as LDAP. On the server profile select the LDAP authentication profile that you created on the previous step. Set the login attribute to samAccountName.
- Click on the Advanced tab in the Authentication Profile panel. Click the “+Add” button and select the users that will be authorized by this authentication profile.
- Now switch to the new authentication profile on your GlobalProtect Portals and Gateways. Go to Network > GlobalProtect > Portals, select the portal you’d like to update, click on the Authentication tab, and select the authentication profile recently created.
- Open Network > GlobalProtect > Gateways, select the portal you’d like to update, click on the Authentication tab, and select the authentication profile recently created.
Congratulations! MFA login to Palo Alto Network VPN is ready to use.