topic Re: Global Protect with Duo MFA in GlobalProtect Discussions

Global Protect with Duo MFA

Satyak — Tue, 27 Jun 2023 18:46:05 GMT

Hi Friends,

We have configured the duo mfa for global protect users.

We have configured all the requirements for the duo using the below mentioned link.

https://duo.com/docs/paloalto

But still the MFA is not working.

I have some logs related to this but

Can you please help me where we are missing or making a mistake.

Logs :

2023-06-12 13:32:04.800 -0700 debug: _authenticate_initial(pan_auth_state_engine.c:2459): Trying to authenticate (init auth): <profile: "DUO-Authentication-Profile", vsys: "vsys1", policy: "", username "rajeev"> ; timeout setting: 25 secs ; authd id: 7243124266353295669
2023-06-12 13:32:04.800 -0700 debug: _get_auth_prof_detail(pan_auth_util.c:1112): non-admin user thru Global Protect "rajeev" ; auth profile "DUO-Authentication-Profile" ; vsys "vsys1"
2023-06-12 13:32:04.800 -0700 debug: _get_authseq_profile(pan_auth_util.c:893): Auth profile/vsys (DUO-Authentication-Profile/vsys1) is NOT auth sequence
2023-06-12 13:32:04.800 -0700 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for DUO-Authentication-Profile-vsys1-mfa
2023-06-12 13:32:04.800 -0700 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1068): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: DUO-Authentication-Profile/vsys1)
2023-06-12 13:32:04.800 -0700 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1079): MFA configured, but bypassed for GP user ''. (prof/vsys: DUO-Authentication-Profile/vsys1)
2023-06-12 13:32:04.800 -0700 debug: _authenticate_initial(pan_auth_state_engine.c:2648): Keep original username, i.e., whatever end-user typed, "rajeev" in request->username
2023-06-12 13:32:04.801 -0700 debug: pan_auth_locklist_response_process(pan_auth_state_engine.c:4358): b_postauth_grpcheck=true, delay allow list check
2023-06-12 13:32:04.801 -0700 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1892): Authenticating user "rajeev" with <profile: "DUO-Authentication-Profile", vsys: "vsys1">
2023-06-12 13:32:04.801 -0700 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for DUO-Authentication-Profile-vsys1
2023-06-12 13:32:04.801 -0700 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:236): username: rajeev
2023-06-12 13:32:04.801 -0700 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:396): RADIUS request type: PAP
2023-06-12 13:32:30.407 -0700 debug: auth_svr_timeout_sent_request(pan_auth_svr.c:263): timeout auth request (authd id=7243124266353295669, username=rajeev) since total elapsed sec 26 >= max allowed secs: 25
2023-06-12 13:32:30.407 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:4554): auth status: auth timed out
2023-06-12 13:32:30.407 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:4810): Auth FAILED for user "rajeev" thru <"DUO-Authentication-Profile", "vsys1">: remote server 192.168.10.198 of server profile "DUO-Service-Profile" is down, or in retry interval, or request timed out (elapsed time 26 secs, max allowed 25 secs)
2023-06-12 13:32:30.407 -0700 failed authentication for user 'rajeev'. Reason: Authentication request is timed out. auth profile 'DUO-Authentication-Profile', vsys 'vsys1', server profile 'DUO-Service-Profile', server address '192.168.10.198', auth protocol 'PAP', From: 49.14.159.62.
2023-06-12 13:32:30.407 -0700 debug: _log_auth_respone(pan_auth_server.c:311): Sent PAN_AUTH_FAILURE auth response for user 'rajeev' (exp_in_days=0 (-1 never; 0 within a day))(authd_id: 7243124266353295669)
2023-06-12 13:32:47.374 -0700 debug: cfgagent_opcmd_callback(pan_cfgagent.c:520): authd: cfg agent received op command from server
2023-06-12 13:32:47.374 -0700 debug: cfgagent_doop_callback(pan_cfgagent.c:555): received signal to execute for agent: authd
2023-06-12 13:32:47.374 -0700 debug: pan_authd_opcmd_handler(pan_auth_ops.c:1057): Start executing cmd: "show_user_auth_stat_internal"
2023-06-12 13:32:47.375 -0700 debug: pan_authd_show_user_auth_stat_internal(pan_auth_ops.c:997): Got admin user "admin" last successful login time: 06/12/2023 11:18:58 ; number of failed attempts since last successful login: 0
2023-06-12 13:32:47.375 -0700 debug: pan_authd_opcmd_handler(pan_auth_ops.c:1062): Return: "<last-successful-login-time>06/12/2023 11:18:58</last-successful-login-time><failed-attempts-since-last-successful-login>0</failed-attempts-since-last-successful-login>"
2023-06-12 13:32:47.375 -0700 debug: pan_authd_opcmd_handler(pan_auth_ops.c:1063): Finish executing cmd: "show_user_auth_stat_internal"
2023-06-12 13:32:49.841 -0700 debug: cfgagent_opcmd_callback(pan_cfgagent.c:520): authd: cfg agent received op command from server
2023-06-12 13:32:49.841 -0700 debug: cfgagent_doop_callback(pan_cfgagent.c:555): received signal to execute for agent: authd
2023-06-12 13:32:49.841 -0700 debug: pan_authd_opcmd_handler(pan_auth_ops.c:1057): Start executing cmd: "show_user_auth_stat_internal"
2023-06-12 13:32:49.841 -0700 debug: pan_authd_show_user_auth_stat_internal(pan_auth_ops.c:997): Got admin user "admin" last successful login time: 06/12/2023 11:18:58 ; number of failed attempts since last successful login: 0
2023-06-12 13:32:49.841 -0700 debug: pan_authd_opcmd_handler(pan_auth_ops.c:1062): Return: "<last-successful-login-time>06/12/2023 11:18:58</last-successful-login-time><failed-attempts-since-last-successful-login>0</failed-attempts-since-last-successful-login>"
2023-06-12 13:32:49.841 -0700 debug: pan_authd_opcmd_handler(pan_auth_ops.c:1063): Finish executing cmd: "show_user_auth_stat_internal"
100%

Thanks and Regards

Satya Kalyan.

Re: Global Protect with Duo MFA

aleksandar.astardzhiev — Wed, 28 Jun 2023 13:44:32 GMT

Hi @Satyak ,

I would say the following seems the cause:

2023-06-12 13:32:30.407 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:4810): Auth FAILED for user "rajeev" thru <"DUO-Authentication-Profile", "vsys1">: remote server 192.168.10.198 of server profile "DUO-Service-Profile" is down, or in retry interval, or request timed out (elapsed time 26 secs, max allowed 25 secs)

It looks like your firewall doesn't have access to the RADIUS proxy, or the proxy is not configured properly and it doesn't reply.

By default PAN FW will use mgmt interface to reach radius server (if you haven't configure service route for it)

- Confirm network connectivity between FW and radius proxy

- Use packet capture to confirm server receive traffic from FW. Is it replying?

Re: Global Protect with Duo MFA

Arnesh — Wed, 28 Jun 2023 13:47:18 GMT

Hi @Satyak ,

From the logs, the firewall does not receive the response from Radius until timeout happens.
2023-06-12 13:32:30.407 -0700 failed authentication for user 'rajeev'. Reason: Authentication request is timed out. <<<<<

I have seen such issues. Please make sure of the following:

1. The Radius server uses PAP, as you have that configured in the Radius Server profile.
2. Check the connectivity between the Radius and firewall management. From management interface, try pinging the Radius server IP.

3. If the above seem to be fine, maybe try increasing the timeout under Device > Radius > <Radius Server Profile>

Please let me know how it goes.

Regards,

Arnesh

Re: Global Protect with Duo MFA

Satyak — Wed, 28 Jun 2023 16:28:57 GMT

Hi Aleksaandar,

There is network connectivity from the firewall to the RADIUS proxy i have checked it by pinging it from the firewall ip to the duo server ip it was pinging

Can you please help me with what filters i need to do a packet capture I mean what should be the source ip and what should be the destination ip

Re: Global Protect with Duo MFA

Satyak — Wed, 28 Jun 2023 16:30:23 GMT

Hi Arnesh,

There is reachability from the firewall to the radius server.

I have tried it by pinging it from the firewall management ip to radius server ip.

Regards,

Satya Kalyan

Re: Global Protect with Duo MFA

TomYoung — Wed, 28 Jun 2023 18:58:46 GMT

Hello @Satyak ,

As @aleksandar.astardzhiev and @Arnesh mentioned, the request is timing out which means the NGFW is not receiving a response from the RADIUS server. The link you posted details how to configure RADIUS MFA with the Duo Authentication Proxy (DAP).

You should troubleshoot on the DAP now.

Launch the Duo Authentication Proxy Manager and verify the proxy is running.
Click the Validate button and verify you have no errors in the right column.
Make sure the client IP, client secret, and port are configured under the [radius_server_auto] section.
Open the C:\Program Files\Duo Security Authentication Proxy\log\authproxy.log file and scroll to the bottom and verify you have received the RADIUS request from the NGFW.

Thanks,

Tom