topic 2 Factor Auth Issue in General Topics

2 Factor Auth Issue

Farzana — Thu, 27 Apr 2017 04:10:44 GMT

Hello,

We are having issue with GlobalProtect VPN client when using 2 Factor Authorisation to authenticate.

Instead of being presented with a second login prompt to enter the code from the keyfob, Palo Alto is rejecting logins unless the keyfob code is appended to the user’s password on the initial login prompt.

How can we change this to the desired behaviour of the second login prompt?

Thanks in advance.

Re: 2 Factor Auth Issue

bradk14 — Thu, 27 Apr 2017 09:35:46 GMT

this sounds like normal behavior to me based on my experience with RSA SecurID (not with GP, though).

MFA doesn't necessarily mean multiple prompts, it just means something you know (PIN) + something you have (one time password).

the only time I've seen SecurID act like I believe you're expecting it to is with on demand authentication in which one first enters their PIN, then receives the one time password via email or text, so there has to be a second prompt for that.

Re: 2 Factor Auth Issue

BPry — Thu, 27 Apr 2017 15:32:23 GMT

That's normal depending on your 2-factor setup.

The GP client has no idea that it's supposed to feed the second prompt because it simply recieves the authentication failed message, and in reality it has failed becauses it doesn't match what your AD/Radius server is expecting. This in turn causes the authentication to fail/timeout. The workaround for a setup like this is to either

A) Depending on the multifactor solution (like RSA) you can tie the password it feeds through to a certain account. So if I have my token assigned to my 'administrator' account my 'normal' unpriveleged account incounters an additional password dialog as the password stored by RSA no-longer matches the password for my 'normal' account. You would have to switch the token to being tied to the 'normal' account and then the additional password dialog would happen when I utilize my 'administrator' account.

B) Exactly what you currently have users doing.

Re: 2 Factor Auth Issue

OtakarKlier — Fri, 28 Apr 2017 20:33:25 GMT

Hello,

What version of the GP client are you using. I know I had issues with certain versions where they would not give me the second prompt. I have GP setup to have different authentications for portal and gateway, this way we get the first prompt for username/passowrd and then a second one for the other auth method.

Agent 2.3.3 is currently stable for me.

Regards,

Re: 2 Factor Auth Issue

Farzana — Sun, 30 Apr 2017 23:04:23 GMT

Thanks.

So is the “on demand” option you mentioned usable with a keyfob or must the one-time code be emailed/SMSed?

Re: 2 Factor Auth Issue

bradk14 — Mon, 01 May 2017 14:01:52 GMT

on demand is via sms/email. out of hardware, software and oda, it's the chepeast and most versatile option (I've managed all 3).

Re: 2 Factor Auth Issue

Farzana — Fri, 05 May 2017 04:39:44 GMT

Thanks to @bradk14 @OtakarKlier and @BPry for the responses. Very helpful.

One last question: Does PA GP VPN support client certificate combined with RADIUS authentication with the client running in On Demand mode?

Re: 2 Factor Auth Issue

BPry — Fri, 05 May 2017 13:52:32 GMT

@Farzana,

So you want to check for a client certificate and ask for username and password; or is it that you simply want it to fall back to RADIUS authentication if the device doesn't have a client cert?

Re: 2 Factor Auth Issue

Farzana — Sun, 07 May 2017 22:42:29 GMT

We want to check for a client certificate and ask for a username/password (to be authenticated bvy RADIUS) using on-demand mode.