Global Protect MFA Looping

Carson1998 — Thu, 19 Oct 2023 03:01:37 GMT

Hello, I am facing a weird issue with Global Protect where after a user authenticates via Okta Radius to the Portal and enters their MFA SMS Key the GP Agent asks for the user to enter the MFA SMS Key again with the response of ('A message was sent or a call was made to the phone in the past 30 seconds. Please try again when 30 secs have passed. Enter '0' to abort.'). Due to this users are unable to authenticate to the portal successfully. From the OKTA logs, I show successful end-to-end authentication, however, GP Monitor Logs show that the authentication response was empty or invalid. I have also pasted mp-auth-logs from Portal/Gateway below:

mp-auth-logs from Portal/Gateway

2023-10-18 20:35:03.131 -0500 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:236): username: first.last@domain.com

2023-10-18 20:35:03.131 -0500 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:396): RADIUS request type: PAP

2023-10-18 20:35:03.131 -0500 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:442): added challenge state to access request of length 152

2023-10-18 20:35:03.843 -0500 debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:284): resp_code = RAD_ACCESS_ACCEPT

2023-10-18 20:35:03.843 -0500 debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:317): reply msg = Welcome first.last@domain.com!

2023-10-18 20:35:03.843 -0500 debug: pan_auth_service_recv_response(pan_auth_service_handle.c:1684): Got response for user: "first.last@domain.com"

2023-10-18 20:35:03.843 -0500 debug: pan_auth_response_process(pan_auth_state_engine.c:4554): auth status: auth success

2023-10-18 20:35:03.843 -0500 debug: pan_auth_response_process(pan_auth_state_engine.c:4575): Authentication success: <profile: "auth-radius-profile", vsys: "vsys1", username "first.last@domain.com">

2023-10-18 20:35:03.843 -0500 authenticated for user 'first.last@domain.com'. auth profile 'GP-Auth-Sequence', vsys 'vsys1', server profile 'okta-radius-profile-1', server address 'X.X.X.X', auth protocol 'PAP', reply message 'Welcome first.last@domain.com!' From: X.X.X.X.

2023-10-18 20:35:03.843 -0500 debug: _log_auth_respone(pan_auth_server.c:311): Sent PAN_AUTH_SUCCESS auth response for user 'first.last@domain.com' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 7283618077013479186) (reply message 'Welcome first.last@domain.com!')

2023-10-18 20:35:04.099 -0500 debug: pan_auth_request_process(pan_auth_state_engine.c:3617): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 36578, body length 2448

2023-10-18 20:35:04.099 -0500 debug: _authenticate_initial(pan_auth_state_engine.c:2459): Trying to authenticate (init auth): <profile: "GP-Auth-Sequence", vsys: "vsys1", policy: "", username "first.last@domain.com"> ; timeout setting: 115 secs ; authd id: 7283618077013479188

2023-10-18 20:35:04.099 -0500 debug: _get_auth_prof_detail(pan_auth_util.c:1112): non-admin user thru Global Protect "first.last@domain.com" ; auth profile "GP-Auth-Sequence" ; vsys "vsys1"

2023-10-18 20:35:04.099 -0500 debug: _get_authseq_profile(pan_auth_util.c:893): Auth profile/vsys (GP-Auth-Sequence/vsys1) is auth sequence

2023-10-18 20:35:04.099 -0500 debug: _populate_authseq_auth_vec_n_vsys_vec(pan_auth_util.c:835): auth sequence "GP-Auth-Sequence" enabled flag: use-domain-find-profile

2023-10-18 20:35:04.099 -0500 debug: _has_domain_in_request(pan_auth_util.c:766): Extracted domain info "domain.com" from user name "first.last@domain.com"

2023-10-18 20:35:04.099 -0500 debug: _populate_authseq_auth_vec_n_vsys_vec(pan_auth_util.c:842): can not find auth profile in auth sequence "GP-Auth-Sequence", which has domain "domain.com"2023-10-18 20:35:04.099 -0500 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for auth-radius-profile-vsys1-mfa

2023-10-18 20:35:04.099 -0500 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1068): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: auth-radius-profile/vsys1)

2023-10-18 20:35:04.100 -0500 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1079): MFA configured, but bypassed for GP user ''. (prof/vsys: auth-radius-profile/vsys1)

2023-10-18 20:35:04.100 -0500 debug: _authenticate_initial(pan_auth_state_engine.c:2636): Using auth seq, saving original username first.last@domain.com from request

2023-10-18 20:35:04.100 -0500 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:571): This is a single vsys platform, group check for allow list is performed on "vsys1"

2023-10-18 20:35:04.100 -0500 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1892): Authenticating user "first.last@domain.com" with <profile: "auth-radius-profile", vsys: "vsys1">, which is Auth Profile 1 of 2 in <sequence "GP-Auth-Sequence", vsys "vsys1">

2023-10-18 20:35:04.100 -0500 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for auth-radius-profile-vsys1

2023-10-18 20:35:04.100 -0500 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:236): username: first.last@domain.com

2023-10-18 20:35:04.100 -0500 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:396): RADIUS request type: PAP

2023-10-18 20:35:06.267 -0500 debug: _log_radius_state(pan_authd_radius_prot.c:556): Got challenge state: "ah9wTZBpbVx1AMGNqbjB4UlRSbFC0HrBk6SqqYey8sD4K5VeLflDIQ6kK96RuXhOQb80KNWj8BJjPFGzIOwE+ekD2zVw+SOyS2bcCdmgKDev9Wfchgt6GmLdLMJIY6p32Hk4PQngFhmSgr9zpHHwGA==" of size 152

2023-10-18 20:35:06.267 -0500 debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:292): resp_code = RAD_ACCESS_CHALLENGE

2023-10-18 20:35:06.267 -0500 debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:314): challenge state = ah9wTZBpbVx1AMGNqbjB4UlRSbFC0HrBk6SqqYey8sD4K5VeLflDIQ6kK96RuXhOQb80KNWj8BJjPFGzIOwE+ekD2zVw+SOyS2bcCdmgKDev9Wfchgt6GmLdLMJIY6p32Hk4PQngFhmSgr9zpHHwGA==

2023-10-18 20:35:06.267 -0500 debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:317): reply msg = A message was sent or a call was made to the phone in the past 30 seconds. Please try again when 30 secs have passed. Enter '0' to abort.

2023-10-18 20:35:06.267 -0500 debug: pan_auth_service_recv_response(pan_auth_service_handle.c:1684): Got response for user: "first.last@domain.com"

2023-10-18 20:35:06.267 -0500 debug: pan_auth_response_process(pan_auth_state_engine.c:4554): auth status: auth challenged

2023-10-18 20:35:06.267 -0500 debug: _log_auth_respone(pan_auth_server.c:311): Sent PAN_AUTH_CHLNGE auth response for user 'first.last@domain.com' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 7283618077013479188) (reply message 'A message was sent or a call was made to the phone in the past 30 seconds. Please try again when 30 secs have passed. Enter '0' to abort.')

Here are a few details regarding my setup and Portal/Gateway:

- Running 10.2.6 PanOS

- Running 6.1.0 and 6.0.7 GP Client

- Using OKTA Global Protect Radius Agent for authentication (Timeout set to 60sec and 1 retry)

- Generate Cookie Encrypt is running on Portal (using the same Cert as Gateway) Lifetime set for 24 hours.

- Accept Cookie Decrypt is running on Gateway (using the same Cert as Portal) Lifetime set for 24hrs.

I have tried opening a sev 1 panTAC case but unfortunately, no one from Support knows how to resolve this issue and currently users are unable to connect via GP VPN at the moment.

topic Global Protect MFA Looping in GlobalProtect Discussions

Global Protect MFA Looping