https://live.paloaltonetworks.com/t5/general-topics/pa-7-0-gp-and-rsa-id-double-authentication/m-p/146808#M49267 <P>A little bump, maybe still someone has some insight?</P> Thu, 09 Mar 2017 08:18:21 GMT nikoo 2017-03-09T08:18:21Z https://live.paloaltonetworks.com/t5/general-topics/pa-7-0-gp-and-rsa-id-double-authentication/m-p/146363#M49177 <P>Hi,</P><P>&nbsp;</P><P>There is a deployment with RSA-ID as OTP and GP as VPN client (3.1 or 3.0). PAN-OS version 7.0.14.</P><P>After the recent upgrade from 6.x to 7.x an issue showed up - when authenticating from GP - login information is asked twice.</P><P>This seems like a known issue:</P><P><A href="https://community.rsa.com/docs/DOC-46969" target="_blank">https://community.rsa.com/docs/DOC-46969</A></P><P>I've adjusted the PA settings according to this:&nbsp;<A href="https://live.paloaltonetworks.com/t5/Management-Articles/GlobalProtect-with-RSA-OTP-behavior-change-from-PAN-OS-7-0-1-or/ta-p/65176" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/GlobalProtect-with-RSA-OTP-behavior-change-from-PAN-OS-7-0-1-or/ta-p/65176</A></P><P>But that did not help, double authentication is still asked every time. GP client was reinstalled and local data cleared.</P><P>&nbsp;</P><P>Basically, after investigation of PA logs, it can be seen that when client connects, he's asked for the username and passcode (PIN+Code). After that the connection is accepted by RADIUS (RSA) and instantly there is a new request made by PA in a blink of an eye and that is rejected. Due to that a new login is required - after that connection succeeds, connection is accepted and VPN connection established.</P><P>&nbsp;</P><P>Is this really how it should work and there is no way around it?&nbsp;</P> Tue, 07 Mar 2017 12:02:03 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-7-0-gp-and-rsa-id-double-authentication/m-p/146363#M49177 nikoo 2017-03-07T12:02:03Z https://live.paloaltonetworks.com/t5/general-topics/pa-7-0-gp-and-rsa-id-double-authentication/m-p/146808#M49267 <P>A little bump, maybe still someone has some insight?</P> Thu, 09 Mar 2017 08:18:21 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-7-0-gp-and-rsa-id-double-authentication/m-p/146808#M49267 nikoo 2017-03-09T08:18:21Z https://live.paloaltonetworks.com/t5/general-topics/pa-7-0-gp-and-rsa-id-double-authentication/m-p/146831#M49272 <P>Hi,</P><P>&nbsp;</P><P>OTP is Ine Time Password .. but for GP, you need one auth onportal and one on gateway <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Mean you need Two Time Password <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>or you just have to confogure on partial cookie generation and allow you rgatewy to use this cookie for authentication.</P><P><A href="https://www.paloaltonetworks.com.br/documentation/71/globalprotect/globalprotect-admin-guide/set-up-the-globalprotect-infrastructure/set-up-two-factor-authentication.html" target="_blank">https://www.paloaltonetworks.com.br/documentation/71/globalprotect/globalprotect-admin-guide/set-up-the-globalprotect-infrastructure/set-up-two-factor-authentication.html</A></P><P>&nbsp;</P><P>Hope help.</P><P>&nbsp;</P><P>V.</P> Thu, 09 Mar 2017 10:29:54 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-7-0-gp-and-rsa-id-double-authentication/m-p/146831#M49272 VinceM 2017-03-09T10:29:54Z https://live.paloaltonetworks.com/t5/general-topics/pa-7-0-gp-and-rsa-id-double-authentication/m-p/147787#M49439 <P>Yea, it should be OTP, but turned out as TTP. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>Well, fine, will upgrade to 7.1 when possible although there was a cookie to feed for the client in 7.0 as well, but that did not do the trick. We'll see if this will make it better.</P> Wed, 15 Mar 2017 08:09:54 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-7-0-gp-and-rsa-id-double-authentication/m-p/147787#M49439 nikoo 2017-03-15T08:09:54Z