https://live.paloaltonetworks.com/t5/general-topics/2-factor-authentication-issue-on-palo-alto-global-protect-client/m-p/176773#M55231 <P>Hello,</P><P>&nbsp;</P><P>&nbsp;</P><P>We as well use LDAP at auth portal, SSO at portal config&nbsp;level and OTP at Gateway level it works fine...&nbsp;</P><P>&nbsp;</P><P>However for better end user usablity we had to enable authentication cookie override at Gateway level as well</P><P>&nbsp;</P><P>for this to work fine we&nbsp;had to&nbsp;deactivate SSO&nbsp;(as SSO&nbsp;can create username invalid issues...)</P><P>&nbsp;</P><P>Everything looks stable so far.&nbsp;</P><P>&nbsp;</P><P>Thank you</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 27 Sep 2017 09:27:57 GMT plevesque 2017-09-27T09:27:57Z https://live.paloaltonetworks.com/t5/general-topics/2-factor-authentication-issue-on-palo-alto-global-protect-client/m-p/151162#M50094 <P>we need support from Palo Alto to understand the following issue:<BR /><BR />A portal and gateway profile has been created for ¿internal¿&nbsp; users and ¿external¿ business partner users. All users need to authenticate using OTP (One time passcode). By default users must first authenticate against Portal and second to Gateway. Unfortunately this means that users have to fill in twice an OTP. The authentication flow is as follows:<BR />-They are asked for the OTP first time for the portal<BR />-PA tries to use the same OTP to authenticate on the Gateway<BR />-the authentication provide does not accept the same OTP twice so replies with a Auth reject<BR />-PA prompts the user for the OTP again (for the user looks like a failed authentication)<BR />This causes confusion as most users will try to authenticate again with same OTP and authentication fails.<BR /><BR />PAN has an option call authentication override for Portal and Gateway. When enabling authentication override on Portal users have to authenticate twice first time but at the same time a cookie is set on client valid for one year. Next time users connect to GP they only have to authenticate once, against gateway, as client cookie is presented to PA firewall being accepted.<BR /><BR />However this solution still asks for double auth first time and then every year or when the cookie is lost.<BR /><BR />Is there a better option to avoid asking for 2 OTPs when loggin in to Global Protect?<BR />Please raise this issue with Palo Alto, as we are receiving complaints from end users quite often.<BR /><BR />Version 7.0.9 is running on PA-500.</P> Wed, 05 Apr 2017 02:11:21 GMT https://live.paloaltonetworks.com/t5/general-topics/2-factor-authentication-issue-on-palo-alto-global-protect-client/m-p/151162#M50094 mss-ops 2017-04-05T02:11:21Z https://live.paloaltonetworks.com/t5/general-topics/2-factor-authentication-issue-on-palo-alto-global-protect-client/m-p/151189#M50099 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/843">@mss-ops</a>,</P> <P>&nbsp;</P> <P>You probably need PAN-OS 7.1 which has enhanced 2 factor authentication&nbsp;features :</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><A href="https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/globalprotect-features/enhanced-two-factor-authentication.html" target="_blank">https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/globalprotect-features/enhanced-two-factor-authentication.html</A></P> <P>&nbsp;</P> <P>I hope it helps.</P> <P>&nbsp;</P> <P>Cheers !</P> <P>-Kiwi</P> Wed, 05 Apr 2017 08:33:20 GMT https://live.paloaltonetworks.com/t5/general-topics/2-factor-authentication-issue-on-palo-alto-global-protect-client/m-p/151189#M50099 kiwi 2017-04-05T08:33:20Z https://live.paloaltonetworks.com/t5/general-topics/2-factor-authentication-issue-on-palo-alto-global-protect-client/m-p/171731#M54266 <P>Was having the same issue and you describing it out helped me fix it by using LDAP auth for the Portal and Radius using OTP for the Gateway. Eliminated the double prompt for OTP and auth successfully the first attempt.</P> Tue, 15 Aug 2017 20:10:45 GMT https://live.paloaltonetworks.com/t5/general-topics/2-factor-authentication-issue-on-palo-alto-global-protect-client/m-p/171731#M54266 jake.britt87 2017-08-15T20:10:45Z https://live.paloaltonetworks.com/t5/general-topics/2-factor-authentication-issue-on-palo-alto-global-protect-client/m-p/176773#M55231 <P>Hello,</P><P>&nbsp;</P><P>&nbsp;</P><P>We as well use LDAP at auth portal, SSO at portal config&nbsp;level and OTP at Gateway level it works fine...&nbsp;</P><P>&nbsp;</P><P>However for better end user usablity we had to enable authentication cookie override at Gateway level as well</P><P>&nbsp;</P><P>for this to work fine we&nbsp;had to&nbsp;deactivate SSO&nbsp;(as SSO&nbsp;can create username invalid issues...)</P><P>&nbsp;</P><P>Everything looks stable so far.&nbsp;</P><P>&nbsp;</P><P>Thank you</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 27 Sep 2017 09:27:57 GMT https://live.paloaltonetworks.com/t5/general-topics/2-factor-authentication-issue-on-palo-alto-global-protect-client/m-p/176773#M55231 plevesque 2017-09-27T09:27:57Z https://live.paloaltonetworks.com/t5/general-topics/2-factor-authentication-issue-on-palo-alto-global-protect-client/m-p/178156#M55472 <P>Yeah, this has been an issue since 7.1 for us as well. We migrated to certificate authentication for the portal, but certificates might not work for everyone as you have to push them to devices first</P> Thu, 21 Sep 2017 17:51:35 GMT https://live.paloaltonetworks.com/t5/general-topics/2-factor-authentication-issue-on-palo-alto-global-protect-client/m-p/178156#M55472 PavloJCP 2017-09-21T17:51:35Z