topic Re: VPN access can be made without credentials After GP 5.2.9 version update in GlobalProtect Discussions

VPN access can be made without credentials After GP 5.2.9 version update

bilal_guclu — Thu, 06 Jan 2022 07:54:04 GMT

Connection problem without credentials in version 5.2.9

We switched from GP 5.2.4 version to 5.2.9 version with transparent update. Windows users report that they can connect directly without entering a password when making vpn connections.

In the global protect > portal > agent configuration, save user credentials section is selected as no.

In the Globalprotect >portal > agent> app configuration, the option to save Windows SSO information is selected as no.

However, windows users using version 5.2.9 can connect directly without entering a username and password.

Anyone have this problem or have a solution ?

Re: VPN access can be made without credentials After GP 5.2.9 version update

Sarc845 — Thu, 06 Jan 2022 08:59:49 GMT

Hi Blilal,

Ive tested this on 5.2.9 and do not see the same problem.

Kindly can you confirm if you have authentication override setup?

Network> Portal/Gateway > Agent > Relevant Agent Config > Authentication > Authentication Override:

If you have this setup it could be that the agent has a cookie and is using the cookie to authenticate.

https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/authentication/about-globalprotect-user-authentication/how-does-the-app-know-what-credentials-to-supply/cookie-authentication-on-the-portal-or-gateway.html

If you do not have this on the portal and gateway I would recommend opening a case with PANW to investigate.

Re: VPN access can be made without credentials After GP 5.2.9 version update

bilal_guclu — Thu, 06 Jan 2022 09:59:49 GMT

Hi,

yes, I override authentication.

The strange thing is that this problem is fixed in authentication, only when I register with the username.

At the same time, when I uninstall the global protect application and reinstall it, it is temporarily fixed and after a while it happens again.

All windows machines that have this problem are in the company domain. I guess somehow it uses global protect by taking the credentials on windows machines from the cache.

I created a case for this situation. I haven't received an answer yet

Re: VPN access can be made without credentials After GP 5.2.9 version update

kinanakelstcs — Thu, 06 Jan 2022 15:18:04 GMT

Do you see SSO login in the agent logs?

Re: VPN access can be made without credentials After GP 5.2.9 version update

Adrian_Jensen — Thu, 06 Jan 2022 21:25:31 GMT

From the system logs, are the users authenticating against the portal or the gateway when reconnecting (or both)? And also what method was the authentication?

Monitor -> Logs -> System -> filter: ( eventid eq globalprotectportal-auth-succ ) or ( eventid eq globalprotectgateway-auth-succ )

"GlobalProtect portal user authentication... Auth type: ????"

Also, I see you that you do not have Components that Require Dynamic Passwords enabled. Seems like the GP client saves and reuses the user creds after a successful connection, regardless if the save creds option is set. If you forcibly logout a user after a period of time this is troublesome... You don't actually seem to need to have a dual auth setup, as the section would seem to imply, to use the dynamic password option. From the note attached "...to authenticate users as opposed to using saved credentials. As a result, the user will always be prompted to enter new credentials..."

Re: VPN access can be made without credentials After GP 5.2.9 version update

bilal_guclu — Fri, 07 Jan 2022 07:08:32 GMT

Hi,

No, ı dont see, but I have already blocked using sso under agent>app

Re: VPN access can be made without credentials After GP 5.2.9 version update

bilal_guclu — Fri, 07 Jan 2022 07:25:33 GMT

Hi,

VPN Authentication is done with ldap. Windows users are included in the domain, they login with ldap.I guess it somehow gets this data from the cache.

Also even though the Auto Restore VPN Connection Timeout duration is selected as 0 min. When these users change wi-fi, they can establish a direct connection without entering a username and password.

Re: VPN access can be made without credentials After GP 5.2.9 version update

JeongHoonKim — Tue, 26 Jul 2022 07:52:55 GMT

Have you solved this issue? We have same issue.

Re: VPN access can be made without credentials After GP 5.2.9 version update

bilal_guclu — Tue, 06 Dec 2022 11:05:17 GMT

No, unfortunately we couldn't. After gp update the problem has not recurred so far.