topic Re: GlobalProtect Authentication Override in GlobalProtect Discussions

GlobalProtect Authentication Override

Mick.Ball — Wed, 28 Sep 2022 09:52:01 GMT

Been using Radius auth to portal with auth override to gateway for years but seems to now be playing up... Gateway is requesting radius auth and ignoring override settings.

This is the same issue on both Windoze and IOS.

PA 3020 9.1.14

We have no custom checks, just Radius auth (which is working fine)

Many thanks in advance...

Re: GlobalProtect Authentication Override

Adrian_Jensen — Thu, 29 Sep 2022 19:56:29 GMT

Override using a cookie signed on the Portal and accepted on the Gateway? Has the certificate used to encrypt/decrypt the cookie possibly expired?

Re: GlobalProtect Authentication Override

Mick.Ball — Thu, 29 Sep 2022 20:05:11 GMT

Hi Adrian, many thanks for your reply, yes it has expired.. but it has expired on the portal and 6 gateways yet one of the gateways is still accepting the override. This has same settings as all the other 5 gateways that are failing…

Re: GlobalProtect Authentication Override

Adrian_Jensen — Thu, 29 Sep 2022 20:28:30 GMT

How long ago has the cert expired vs. your cookie lifetime? I would think signing a cookie with an expired cert should fail... it is no longer valid after all, but a cookie that was signed before the cert expired might still be valid until the cookie expires.

Look in the logs for the accepted/rejected cookie status. I am not running cookies to auth any longer but when I was the cookie status would show up in the description/error field. It was either in the System logs "( subtype eq auth )" or the GlobalProtect logs "( ( eventid eq gateway-prelogin ) or ( eventid eq gateway-auth ) )", I can't recall.

Re: GlobalProtect Authentication Override

Mick.Ball — Fri, 30 Sep 2022 07:33:30 GMT

The certificate expired years ago, it just seems to use the keys for cookie encrypt/decrypt.

I have added a new cert and portal/gateway on one of the failing devices and still no good.

there are no errors in pa or gp logs. The log output for both is the same if you remove the option to accept cookies.. it just prompts for OTP. It seems to ignore the accept option but it shows as selected when you do show gateway…… on cli.

Re: GlobalProtect Authentication Override

Adrian_Jensen — Fri, 30 Sep 2022 16:31:44 GMT

The only other thing I can think of at the moment is that the firewall and/or client clocks are way out. Are you using NTP/etc. to keep clocks synced to a common time?

Re: GlobalProtect Authentication Override

Mick.Ball — Fri, 30 Sep 2022 16:50:03 GMT

Thanks again for your help Adrian, that was one of the first things I looked into as had a similar issue years ago. We do use NTP and cli time check and dashboard show time is spot on….

I have logged a call with our palo support and they are also struggling for a reason/solution. I’m going to bounce one of the gateways tonight as been up for 135 days…. Clutching at straws but you never know, thanks again for your time.