topic Re: GlobalProtect requires token twice - Possible RSA inconvenience in General Topics

GlobalProtect requires token twice - Possible RSA inconvenience

gastong — Tue, 18 Jul 2017 03:00:34 GMT

Hi Community. I have an issue on GP: it makes requests for token twice to get through VPN to my network.

I discovered the RSAs feature "Next Token Code Mode", but believe PA (5050 - PAN-OS 7.1.10) has nothing to do when a NTC is requested, so I recommended my customer to open a case with RSA.

Instead, my customer told me RSA answered this:

https://community.rsa.com/docs/DOC-46969

Telling him that this is not a RSA issue, but a Palo Alto issue.

Do you have any info regarding this issue?

Thanks!

Re: GlobalProtect requires token twice - Possible RSA inconvenience

jdelio — Thu, 03 Aug 2017 20:14:10 GMT

Posted in the wrong group.

Should be posted in General Topics and not Community Feedback.

Moving now.

Re: GlobalProtect requires token twice - Possible RSA inconvenience

Mick_Ball — Fri, 04 Aug 2017 09:19:51 GMT

Have you configured "authentication overide" in the portal agent tab.

the portal will request authentication and then generate a cookie to authenticate you on the gateway. you need to "accept cookie authentication" in the gateway - agent - client settings - config for this to work.

if you do not have this configured then the portal will request a passcode and then the gateway.

Re: GlobalProtect requires token twice - Possible RSA inconvenience

Mick_Ball — Fri, 04 Aug 2017 10:41:54 GMT

https://www.paloaltonetworks.it/documentation/80/globalprotect/globalprotect-admin-guide/authentication/enable-two-factor-authentication-using-one-time-passwords-otps.html

Re: GlobalProtect requires token twice - Possible RSA inconvenience

ericlinji — Thu, 07 Sep 2017 05:07:17 GMT

I think the first authentication dialogue is for portal, and the second time is for gateway. Since 7.x, it uses the encrypted cookies to pass authentication information from portal to gateway. So that you will have only once for authentication.

Re: GlobalProtect requires token twice - Possible RSA inconvenience

hcao — Fri, 14 Dec 2018 23:52:13 GMT

I run into the exact issue with PAN v8.0.12 with RSA GP client prompting RSA username and passcode twice (first will fail, and the second will succeed). This issue only happens with GP clients (I've tried both v4.1.6 and v4.1.8).

I set the "authentication overide" in the portal | agent | config | authentication, and choose "generate cookies for authentication overide" and "choose cerftificate to encrypt/decrypt cookies"

GP client worked great with RSA after the configuration change.

Thanks MickBall for your help!

Note: This issue happened to me only when using global protect client. RSA works just fine with Clientless SSL VPN.

Re: GlobalProtect requires token twice - Possible RSA inconvenience

aleksandar.astardzhiev — Mon, 17 Dec 2018 13:06:48 GMT

When you are connecting to Global Protect you actually face two authentications: one authentication for the portal and one for the gateway. By default PAN firewall will try to use the same credentials provided for the portal again for the gateway. If you are using LDAP authentication for both (portal and gateway) the user will be asked for credetials only once, and he will get the impretion that only one authentication is happening.

Howeve if youare using OTP tokens the default behaviour wouldn't work. The reason for that is - once the user put his OTP when prompted by the portal to authenticate, the firewall will cache the OTP and will try to sent it again to the Radius server (RSA server) when prompted to authenticate to the gateway, howeve since this token has been already used the RSA will reply to the firewall with Access Reject message, which will force the firewall to prompt the user to enter credentials to authenticate to the gateway.

That is why during user login in the RSA logs you probably will see:

- one successful login message (when user has authenticated with OTP to the portal)

- one failed login message (when firewall is using the same OTP to authenticate gainst the gateway)

- one successful login message (when user generate new OTP and authenticat to the gateway)

As other already suggested the solution will be to enable Authentication Override cookies. This will generate and install a auth. cookie on the user PC once he authenticate to the portal, when prompted to authenticate to the gateway the PC will use the cookie instead of prompting the user for credentials again.

My suggestion:
- For the portal, enable only "generate cookie for authentication override". Do not enable "accept cookies", that way users will always be prompted to authenticate when connecting to the portal

- For the gateway, enable only "accept cookie" and set cookie lifetime to the minumim (one minute)

Re: GlobalProtect requires token twice - Possible RSA inconvenience

AtulK — Wed, 05 Mar 2025 12:29:27 GMT

Thank you!

I have attempted your suggestion in my lab environment, and it works well. Just to add to this also, although this suggestion is from 2018, it is still valid and worked well on PAN-OS version 11.1. I used Thales SafeNet OTP rather than RSA.