topic Re: Has anyone gotten GP user-logon (ALWAYS on) and OTP working together? in General Topics

Has anyone gotten GP user-logon (ALWAYS on) and OTP working together?

junior_r — Sun, 29 Oct 2017 10:32:01 GMT

Hi,

Has anyone gotten GP user-logon (ALWAYS on) and OTP working toghther?

Thanks

Re: Has anyone gotten GP user-logon (ALWAYS on) and OTP working together?

Mick_Ball — Sun, 29 Oct 2017 12:04:39 GMT

As GP tries to connect, do you get a username and password prompt?

Re: Has anyone gotten GP user-logon (ALWAYS on) and OTP working together?

junior_r — Sun, 29 Oct 2017 15:41:33 GMT

Yes but problem is when I logon to Windows it trys to take those creds and send it to Portal, which causes auth errors in LOG. After this I can get in. I want to prevent the first auth error when logging into the PC

Re: Has anyone gotten GP user-logon (ALWAYS on) and OTP working together?

Mick_Ball — Sun, 29 Oct 2017 19:22:13 GMT

So.. to confirm... if you just change the portal config to on demand... does it work ok..

also... are you sure you have sso turned off in portal conf and save password to no.

Re: Has anyone gotten GP user-logon (ALWAYS on) and OTP working together?

bmorris1 — Sun, 29 Oct 2017 20:57:02 GMT

Hi Junior_r,

Are you using the same auth profile for both portal and gateway? I suspect what is happening is that you are trying to do SSO/Authentication twice with the same OTP, so authenticating once against the portal and again against the gateway with the same OTP. Most OTP operators make it so that you can't use the same OTP twice, so your authentication is failing on the second go.

The way to get around this is to use two different authentication profiles, one for the portal and one for the gateway. The portal authentication will be set as your standard login with username and password and your gateway config will have the auth profile set to use the OTP login.

This way you will auth once to the portal with username/password, then you'll need to authenticate again against the gateway and thus be prompted for your OTP code.

You can combine this with cookie authentication for the portal so after a first successful login to the portal this authentication gets cached and only a single authetncation using the OTP is required.

Hope this helps,

Ben

Re: Has anyone gotten GP user-logon (ALWAYS on) and OTP working together?

junior_r — Sun, 29 Oct 2017 21:06:32 GMT

Hi Ben,

Thanks for the reply. Can I use SSO for portal and use OTP for Gateway when using user-logon? Would SSO try to send creds to to gateway also or would SSO send creds to portal then promote user for OTP for gateway? What if I only enable OTP, user-logon and disable SSO. After user logs on would it promote them for their OTP without them opening GP client?

Thanks

Re: Has anyone gotten GP user-logon (ALWAYS on) and OTP working together?

bmorris1 — Mon, 30 Oct 2017 09:51:31 GMT

Hi junior_r,

SSO will try to authenticate against both portal and gateway. So you'll either need to keep SSO on and live with the error message of the 1st auth against the gateway or disable it and enter the username and password on the login screen and GP after login.

https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Single-Sign-on-SSO-for-GlobalProtect/ta-p/112186

Personally I think the first option is the best as it is more seamless to users, they will log in on the login window with their username and password and then be prompted for the OTP by GP, they won't see that it has failed the 1st gateway authentication.

Re: Has anyone gotten GP user-logon (ALWAYS on) and OTP working together?

junior_r — Mon, 30 Oct 2017 13:51:24 GMT

Thanks Ben this works.