Palo Alto Based Departmental & Central VPN concentrators - Manifest Integrated

How do the Palo Alto Networks VPN concentrators work?
Within this system end users use their NetIDs for VPN access, and static or dynamic IP assignment is managed by the departmental admins via Manifest. IAM/Middleware's RADIUS server is used for authentication, and it can now provide Duo MFA per VPN termination point. This document describes all the pieces of the puzzle.

A quick graphic on who configures what and who has access to what:

URLs for the different environments

End Users

Things Network Services will need before a VPN gateway can be set up

How does https://access.services.wisc.edu know what to display to a user when they log in?

What happens when a user logs into https://access.services.wisc.edu?

A quick graphic on who configures what and who has access to what:

URLs for the different environments:

                         Production and QA Environment                        Integrated Test Environment (ITE)
                                                                              (You'll need Middleware to create an ITE account for you)
  Manifest Environment:  https://manifest.services.wisc.edu                   https://ite.manifest.services.wisc.edu
  User Facing Webpage:   https://access.services.wisc.edu                     https://ite.access.services.wisc.edu
  RADIUS Environment:    login.wisc.edu:1812 (production)                     logintest.wisc.edu:1812
                         loginqa.wisc.edu:1812 (QA)

Here are the direct links for when the main landing page above is not displaying the Static IP assignments page:
  https://qa.access.services.wisc.edu (to be decomm'd)
  https://ite.access.services.wisc.edu

End Users:

End users can go to https://access.services.wisc.edu (specifically https://access.services.wisc.edu/IPAddress) if they want to self-assign a static IP address for each of the departmental VPNs they were given access to.  They'll also be able to log into the same VPN and get a dynamically assigned IP address.  When Network Services staff configure a new VPN, we should always add a pool for dynamic IP assignments.  When a user logs in using their NetID (like: bbadger) rather than their NetID followed by an underscore and a number (like: bbadger_1), the user will get an IP from the dynamic pool configured on the VPN gateway.  If the department is looking for MFA, IAM/Middleware's RADIUS servers support that on a per-VPN basis today.  Per-group or even per-user MFA may come at a later time.

Things Network Services will need before a VPN gateway can be set up:

  1. A /32 IP for the VPN termination point/NAS-IP on the Palo Alto.  (Should be taken from 144.92.105.0/26.  This range has already been allowed through the firewalls to the RADIUS servers, and shares a secret per NAS-IP.)
  2. A RADIUS key from Middleware for your NAS-IP to login.wisc.edu, if one doesn't already exist.  (144.92.105.0/26 already has a secret; see Scott Buckingham or Ryan Larscheidt in Middleware.)  (PROCESS NEEDED)
  3. A certificate for the <SOMETHING>.vpn.wisc.edu gateway (example: "middleware.vpn.wisc.edu").  Note: CSRs can be created right on the Palo Alto. Name the certificate and the CSR the same when importing. ??Should we use *.vpn.wisc.edu instead??
  4. A DNS entry for <SOMETHING>.vpn.wisc.edu.
  5. A right-sized subnet for static IP assignments, if the department wants to hand out static IPs.  (Should be taken from 10.134.144.0/20.)
  6. A right-sized subnet for dynamic IP assignments.  (Should be taken from 10.130.240.0/20 or 10.134.96.0/19.)
  7. The number of VPNs and the group names for each VPN, from the departmental administrator.
  8. A Manifest folder and groups created under "uw:domain:vpn.wisc.edu", using the NAS-IP as the folder name.  (See below for more details.)
  9. A Manifest group from whoever will control VPN access; this goes in the Members tab of the group we create.
  10. Remember to allow user machines to connect to the VPN termination zone.  The VPN users zone will need access as well, but the dept. admin may want to write those firewall rules.  Work with the admin.

Certificate Information/CSR Creation:

  1. You have several options here:
    1. Use the wildcard "vpn.wisc.edu" certificate.
    2. Have the department request a certificate and send you the key and certificate.
    3. Generate a certificate for this specific VPN, as follows:
      1. On the Palo Alto where the VPN will live, go to "Device"->"Certificate Management"->"Certificates".
      2. Click "Generate" and use the "2018 Certificate Guidelines" below as a guide.
      3. Check the box next to the CSR and click "Export".
      4. Submit the CSR via https://servercertificates.wisc.edu/#!/make-requests
      5. OCS will approve it and you should get an email with the certificate.
      6. Download the certificate and possibly the root and intermediate certs.  (You will only need the intermediates if they don't already exist on the Palo Alto.)
      7. Change the VPN certificate name to be the exact same name as the CSR name in "Device"->"Certificate Management"->"Certificates" on the Palo Alto.
      8. Upload the VPN cert to the Palo Alto via "Device"->"Certificate Management"->"Certificates": click "Import" and select the file.
      9. Create an SSL/TLS Service Profile via "Device"->"Certificate Management"->"SSL/TLS Service Profile".

2018 Certificate Guidelines:
  Certificate Name = <SOMETHING>-vpn-wisc-edu_<YEAR>  (Example: middleware-vpn-wisc-edu_2018)
  Algorithm = RSA
  # of Bits = 4096
  Digest = SHA256
  Expiration = 730 days
  Certificate Attributes:
    • Country = US
    • State = Wisconsin
    • Locality = Madison
    • Organization = University of Wisconsin
    • Department = Office of Cybersecurity
    • Email = Your email address
    • Alt Email = lan@lists.wisc.edu

How does https://access.services.wisc.edu know what to display to a user when they log in?

Via https://manifest.services.wisc.edu:

This is done via Manifest groups within sub-folders under "uw:domain:vpn.wisc.edu".  Middleware uses this directory structure to help build the RADIUS configuration file.  Under this folder are folders named using the NAS-IP address configured on the Palo Alto.  Within each NAS-IP sub-folder are the groups where the users will live.  Group names could be basically anything the department requests, but some good base ones could be:
  • Admins
  • Users
  • Students
  • Vendors
Some Manifest paths could look something like:
  • uw:domain:vpn.wisc.edu:72.33.6.104:MiddlewareAdmins
  • uw:domain:vpn.wisc.edu:72.33.6.104:SEAdmins
  • uw:domain:vpn.wisc.edu:72.33.6.104:MiddlewareUsers
  • uw:domain:vpn.wisc.edu:72.33.6.104:Vendors
  • uw:domain:vpn.wisc.edu:72.33.6.107:Users

Each folder (the NAS-IP, e.g. 72.33.6.104) and each group (Admins, Users, etc.) will have the following associated with them:

  • Contacts:
    • lan@lists.wisc.edu
    • ns-sysadmin@lists.wisc.edu
    • openg@lists.wisc.edu
  • Privileges:
    • Group = "uw:domain:firewall.net.wisc.edu:NS Firewall Group Admins" -> "Admin" and "Update" checked
    • You can remove yourself from the list after the above has been added.
  • Members:
    • This is where you put the Department's Manifest group they have complete control over.  Whomever they put in as members in their Manifest group will be members of this group.
    • Network services could add individual NetIDs to Members of the group we manage, in case we need to test issues they are seeing.
    • Once members have been added it can take up to 15 minutes before changes are reflected in both RADIUS and https://manifest.services.wisc.edu

Adding new VPN groups to https://access.services.wisc.edu for static VPN assignments

Once the Manifest group "uw:domain:vpn.wisc.edu:<NASIP>:<DEPTGROUP>" has been created, you then have to tell https://access.services.wisc.edu about it.  This is done via the "Manage CIDR" tab at https://access.services.wisc.edu/CIDR.  If, after logging into this site, you don't see "MANAGE CIDR" at the top, you don't have privileges yet.  Come see Scott Buckingham, ask one of the Network Services Engineers, or the WAMS folks for access.  (See Contacts at the bottom.)
  1. Click "CREATE NEW CIDR" and fill in:
    • "Network Name" = the DNS name of the VPN
    • "Subnet Address" = 10.0.0.0
    • "CIDR" = 25  (no "/")
    • "NAS IP Address" = the IP address you set up for the VPN Gateway/Termination point (https://something.vpn.wisc.edu)
    • "User Manifest Group" = uw:domain:vpn.wisc.edu:<NASIP>:<DEPTGROUP>
    • "Admin Manifest Group" = a group created by the department whose members can administer the CIDR.  This group must have the following entity ID added in Manifest: under "more actions" choose "edit delivery/connection options" and add
      https://access.services.wisc.edu/shibboleth
  2. Click "CREATE"
  3. Within 15 minutes, assuming the Manifest group has members in it, you should be able to log into the VPN gateway using your NetID or NetID_# to use your statically assigned IP.

What happens when a user logs into https://access.services.wisc.edu?

If the end user belongs to a Manifest group assigned to a subnet on the website, they'll be able to assign themselves multiple static IP addresses for each of the subnets/Dept. VPNs they belong to.  For each IP assigned per CIDR, they'll have a username assigned to it.  The username will be "NetID_1", "NetID_2", etc.

Once assigned, this site sends the username-to-IP mappings to Middleware, where a script is run to populate the RADIUS configuration.  Within 15 minutes, the username-to-IP mapping will be available for them to use on the respective VPN.

The user would then start up the Palo Alto GlobalProtect client, point it to the VPN URL and log in.  If they use their "NetID_#" username, they'll get their static IP assigned (assuming they are not already logged in on another machine).  If they use their "NetID" with no "_#" after it, they'll get a dynamically assigned IP.
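As an added illustration (not Middleware's actual script, which this document does not show), the following code models the decision described above: a bare NetID gets the gateway's dynamic pool, a NetID_# gets its Framed-IP-Address only if a mapping exists for that NAS-IP and that NetID_# is not already logged in, and membership is checked only within the Manifest folder named after the NAS-IP. The group paths, members, IP mappings and the username pattern are constructed sample data and assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample Manifest groups, keyed by the full path
# uw:domain:vpn.wisc.edu:<NAS-IP>:<GROUP>, with sample NetIDs as members.
MANIFEST_GROUPS = {
    "uw:domain:vpn.wisc.edu:72.33.6.104:MiddlewareUsers": {"bbadger", "sjbuckin"},
    "uw:domain:vpn.wisc.edu:72.33.6.107:Users": {"bbadger"},
}

# Constructed sample of the NetID_# -> IP mappings that access.services.wisc.edu
# sends to Middleware, keyed by the NAS-IP of the VPN the CIDR belongs to.
STATIC_ASSIGNMENTS = {
    "72.33.6.104": {"bbadger_1": "10.134.144.10", "bbadger_2": "10.134.144.11"},
}

# Assumed username shape: a lowercase NetID, optionally followed by _<number>.
USERNAME_RE = re.compile(r"^(?P<netid>[a-z][a-z0-9]*)(?:_(?P<n>[1-9][0-9]*))?$")

@dataclass
class Decision:
    accept: bool
    netid: Optional[str] = None
    framed_ip: Optional[str] = None  # Framed-IP-Address to return; None = gateway's dynamic pool
    reason: str = ""

def groups_for_nas(nas_ip: str) -> list:
    prefix = f"uw:domain:vpn.wisc.edu:{nas_ip}:"
    return [g for g in MANIFEST_GROUPS if g.startswith(prefix)]

def authorize(username: str, nas_ip: str, active_static_logins=frozenset()) -> Decision:
    m = USERNAME_RE.match(username)
    if not m:
        return Decision(False, reason="malformed username")
    netid, suffix = m.group("netid"), m.group("n")
    # Membership is scoped to the NAS-IP folder: access to one departmental VPN says nothing about another.
    if not any(netid in MANIFEST_GROUPS[g] for g in groups_for_nas(nas_ip)):
        return Decision(False, netid, reason="not in any group under this NAS-IP")
    if suffix is None:
        return Decision(True, netid, None, "dynamic pool")
    ip = STATIC_ASSIGNMENTS.get(nas_ip, {}).get(username)
    if ip is None:
        return Decision(False, netid, reason="no static assignment for this NetID_# on this VPN")
    if username in active_static_logins:
        # A static address is only handed out if that NetID_# is not already logged in elsewhere.
        return Decision(False, netid, reason="NetID_# already logged in")
    return Decision(True, netid, ip, "static assignment")
```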

Palo Alto VPN Configuration

  1. Set the departmental VSYS to use a specific IP, like its VPN gateway IP.  This will be used as the NAS-IP when speaking to RADIUS.  (NOTE: do NOT change the global service route config for RADIUS; make the change under the Virtual Systems tab.)
  2. Add a RADIUS server profile for the specific department VSYS:
    1. Profile Name = "login.wisc.edu-vsys#"
    2. Location = Select Department VSYS
    3. Timeout = 60 (Default is normally 3 seconds, but for MFA, we need to give the user time to approve/enter MFA token)
    4. Authentication Protocol = PAP
    5. Retries = 3
    6. Servers:
      1. Name = login.wisc.edu
      2. RADIUS Server IP = login.wisc.edu
      3. Secret = get RADIUS secret from the KeePass under the VPN folder.
      4. Port = 1812
  3. Set up the Authentication Profile (we have to do 2 of these right now, 1 for the gateway and 1 for the portal, due to a Palo Alto bug):
    1. Name = "<Manifest Group Name>"
    2. TAB: Authentication
      1. Type = RADIUS
      2. Server Profile = select the VSYS RADIUS server for login.wisc.edu
    3. TAB: Advanced
      1. Allow List = "All", or specify the specific group using the format "ou=<Manifest Group Name>"
      2. Failed Attempts = 5
      3. Failed Time = 5 min.
  4. Zone Setup
  5. Interface Setup
    1. Loopback for VPN termination
    2. Tunnel for where the VPN users appears after authenticated
  6. Portal Setup
  7. Gateway Setup
  8. Firewall rules to allow VPN termination.  A rule allowing the service-route loopback address to reach the RADIUS server outbound is necessary, or the traffic may be blocked by the departmental firewall:
     permit from zone VPN-TERM to Untrust  src <loopback used for this VPN>  dest ip <campus radius IP>

VPN IP usage:

There is a script on netweb5, "PaloAltoVpnUsers.pl", that runs daily.  It fetches which users have been connected to the VPN on all of the Palo Altos and places the output into https://aants.net.wisc.edu/cgi-bin/edgeconf/api/vpn/${gateway_ip}/previous_user.json for the DoIT web developers (WAMS) to consume.  They store this data to keep track of which IPs have been in use; IPs that have not been in use for more than a year are returned to their respective IP pools.  If you want to view this file on the website, you'll have to know the password (the NS Apps team can help with that), or view it via netweb5/6.net.wisc.edu, where the current and previous files are symlinks to timestamped copies:
"fp-ddncsscplat-b380g13-1-node-pri107s-current_user.json -> /var/www/aants/cgi-bin/edgeconf/api/vpn/144.92.254.227/fp-ddncsscplat-b380g13-1-node-pri107s-current_user.1749656702.json"
"fp-ddncsscplat-b380g13-1-node-pri107s-previous_user.json -> /var/www/aants/cgi-bin/edgeconf/api/vpn/144.92.254.227/fp-ddncsscplat-b380g13-1-node-pri107s-previous_user.1749656702.json"

Testing RADIUS and seeing what it returns:

This is a normal request for the UW Madison Static IP VPN.  Make sure you run "set system setting target-vsys <vsys#>" first.  Otherwise the Palo Alto will source the RADIUS
sjb@DataCenter-Primary vsys1(active)> test authentication authentication-profile UWMadison-static-vpn username sjbuckin_1 password
Enter password : 
 
Target vsys: vsys1
 
Do allow list check before sending out authentication request...
name "sjbuckin_1" is in group "all"
 
Egress: No service source route is set, might use destination source route if configured
Authentication to RADIUS server at 128.104.254.243:1816 for user "sjbuckin_1"
Authentication type: PAP
Now send request to remote server ...
Authentication succeeded against RADIUS server at 128.104.254.243:1816 for user "sjbuckin_1"
 
 
Authentication succeeded for user "sjbuckin_1"

What users are connected to a specific VPN?

From an "fp-" firewall device, try the following CLI commands:
  • show global-protect-gateway current-user gateway UWMadison-vpn
  • show global-protect-gateway previous-user gateway UWMadison-vpn
  • show global-protect-gateway current-user gateway UWMadison-vpn user panyard
Example Output:
GlobalProtect Gateway: UWMadison-vpn (1349 users)
Tunnel Name          : UWMadison-vpn-N
        Domain-User Name           : \panyard
        Computer                   : DESKTOP-VHBCUVC
        Client                     : Microsoft Windows 10 Home , 64-bit
        VPN Type                   : Device Level VPN
        Mobile ID                  : 
        Client OS                  : Windows
        Private IP                 : 10.130.188.203
        Private IPv6               : ::
        Public IP (connected)      : 10.138.94.140
        Public IPv6                : ::
        ESP                        : exist
        SSL                        : none
        Login Time                 : Jul.08 12:46:15
        Logout/Expiration          : Jul.09 12:46:15
        TTL                        : 74395
        Inactivity TTL             : 85198
  • How Many users are connected to a VPN?
    • show global-protect-gateway statistics gateway UWMadison-vpn 
GlobalProtect Gateway: UWMadison-vpn:
        Current Users: 1347
        Previous Users: 2145
Total Current Users: 1347
Total Previous Users: 2145
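As an added example (not part of the original document), this parser reads the "current-user" output format shown above into one record per tunnel, recovers the bare username from "Domain-User Name", marks NetID_# logins as static assignments, and lists sessions whose Private IP falls outside the pools you expect. The second session and the pool list (taken from the departmental ranges earlier in this document) are constructed for the example, so the campus UWMadison-vpn record shows up as outside those pools.

```python
import ipaddress
import re

# Constructed sample in the format of "show global-protect-gateway current-user":
# the first record is trimmed from the example above, the second is made up.
SAMPLE_OUTPUT = """\
GlobalProtect Gateway: UWMadison-vpn (2 users)
Tunnel Name          : UWMadison-vpn-N
        Domain-User Name           : \\panyard
        Client OS                  : Windows
        Private IP                 : 10.130.188.203
        Private IPv6               : ::
        Public IP (connected)      : 10.138.94.140
        ESP                        : exist
        Login Time                 : Jul.08 12:46:15
Tunnel Name          : UWMadison-vpn-N
        Domain-User Name           : \\bbadger_2
        Client OS                  : Mac
        Private IP                 : 10.134.144.11
        Private IPv6               : ::
        Public IP (connected)      : 198.51.100.7
        ESP                        : none
        Login Time                 : Jul.08 13:02:40
"""

# Assumed shape of a static-assignment login: NetID followed by _<number>.
STATIC_USER_RE = re.compile(r"^[a-z0-9]+_[1-9][0-9]*$")

def parse_sessions(text: str) -> list:
    """One dict per tunnel; a record starts at an unindented 'Tunnel Name' line."""
    sessions = []
    for line in text.splitlines():
        if line.startswith("Tunnel Name"):
            sessions.append({})
        elif line.startswith(" ") and sessions:
            # Keys never contain ':', values may ("::", "12:46:15"), so split once.
            key, _, value = line.partition(":")
            sessions[-1][key.strip()] = value.strip()
    for s in sessions:
        # "\panyard" -> "panyard": drop the leading separator (and any DOMAIN\ prefix).
        s["user"] = s.get("Domain-User Name", "").rsplit("\\", 1)[-1]
        s["static_login"] = bool(STATIC_USER_RE.match(s["user"]))
    return sessions

def ip_outside_pools(sessions: list, pools: list) -> list:
    """Users whose Private IP is not inside any of the given static/dynamic pools."""
    nets = [ipaddress.ip_network(p) for p in pools]
    return [s["user"] for s in sessions
            if not any(ipaddress.ip_address(s["Private IP"]) in n for n in nets)]
```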

Duo specific settings

In some cases, depending on the version of code, we ran into issues where setting the RADIUS timeout to 60 seconds wasn't enough and the user didn't have enough time to approve the Duo Push.  We had to adjust the following settings to help.
Version 8.1.13:
  config portal-timeout value 5
  connect-timeout value 5
  receive-timeout value 60
  global-protect timeout 100
  global-protect keepalive 100
The first 3 can be found under Portals in the GlobalProtect section of the Network tab.  The other settings are done via the CLI:
  set deviceconfig setting global-protect timeout 100
  set deviceconfig setting global-protect keepalive 100

Contacts:

Will Kraus and Bret Huesinga from WAMS built the access.services.wisc.edu websites

Ryan Larscheidt and Jon Miner helped get the Manifest groups/folders setup along with setting up some views for the RADIUS scripts.

Ryan Larscheidt wrote some scripts to bring the access.vpn.wisc.edu website and login.wisc.edu together.

Scott Buckingham did the Website and Palo Alto configuration testing.

Keywords: manifest Palo Alto Networks static dynamic IP assignment department departmental vpn radius NAS NAS-IP paloaltousergroup dept deptvpn access.services.wisc.edu
Doc ID: 74611
Owned by: Scott B. in Network Services
Created: 2017-07-13
Updated: 2025-06-11
Sites: NetworkSrvcs-internal, SNCC-internal