<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Global Protect - Clients with excessive failed logins in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/global-protect-clients-with-excessive-failed-logins/m-p/220232#M63549</link>
    <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9981"&gt;@Mick_Ball&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;Will LDAP give a return like that? When I opened a case with PA TAC they told me it wouldn't. We've only used RADIUS for RSA and Kerberos, so I have not tested LDAP.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Using a secure cookie would reduce a login prompt. Not sure if my security team will go for it, but it's an idea. Thank you.&lt;/P&gt;</description>
    <pubDate>Mon, 02 Jul 2018 18:56:50 GMT</pubDate>
    <dc:creator>Jonathan.Bennett</dc:creator>
    <dc:date>2018-07-02T18:56:50Z</dc:date>
    <item>
      <title>Global Protect - Clients with excessive failed logins</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/global-protect-clients-with-excessive-failed-logins/m-p/220192#M63533</link>
      <description>&lt;P&gt;We've had Global Protect in production for a while now, but it has just recently been brought to my attention that we are having a lot of users locking their accounts out.&lt;/P&gt;&lt;P&gt;The GP client prompts them for their AD username / password. Maybe they fat-finger their password or whatever. The GP client never gives them any indication of any issue, other than just prompting for credentials again. I have users that are failing logins 30-40 times within a couple of hours. Of course AD is locking their account out, but the end user has no idea. All they know is they are continuing to get prompted for creds.&lt;/P&gt;&lt;P&gt;Has anyone run into this situation? Any suggestions?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Most clients are using 3.1.3 while some are using 4.0.6. I am using always-on mode and the same Kerberos profile to authenticate to both the portal and the gateway. I'm pretty sure that having them plug in their password twice is overkill and adding to the issue. My security team would need some other way to auth to mitigate. I want to use pre-logon tunnel and device certs, but we just aren't there yet.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Any help or suggestions would be greatly appreciated!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Jonathan&lt;/P&gt;</description>
      <pubDate>Mon, 02 Jul 2018 16:47:19 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/global-protect-clients-with-excessive-failed-logins/m-p/220192#M63533</guid>
      <dc:creator>Jonathan.Bennett</dc:creator>
      <dc:date>2018-07-02T16:47:19Z</dc:date>
    </item>
    <item>
      <title>Re: Global Protect - Clients with excessive failed logins</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/global-protect-clients-with-excessive-failed-logins/m-p/220200#M63534</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/17535"&gt;@Jonathan.Bennett&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;Not sure what the solution would be, but the lockout should be temporary if you are following current recommendations as far as AD goes. The pre-logon with device cert auth would be the solution here as far as I'm aware, but the AD change would at least make it a little&amp;nbsp;&lt;EM&gt;less&lt;/EM&gt; of an issue.&lt;/P&gt;</description>
      <pubDate>Mon, 02 Jul 2018 16:55:14 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/global-protect-clients-with-excessive-failed-logins/m-p/220200#M63534</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2018-07-02T16:55:14Z</dc:date>
    </item>
    <item>
      <title>Re: Global Protect - Clients with excessive failed logins</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/global-protect-clients-with-excessive-failed-logins/m-p/220228#M63546</link>
      <description>&lt;P&gt;LDAP instead of Kerberos would prevent account lockouts...&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Why not generate a cookie at portal login to use on gateway auth... to reduce prompts.&lt;/P&gt;</description>
      <pubDate>Mon, 02 Jul 2018 18:24:42 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/global-protect-clients-with-excessive-failed-logins/m-p/220228#M63546</guid>
      <dc:creator>Mick_Ball</dc:creator>
      <dc:date>2018-07-02T18:24:42Z</dc:date>
    </item>
    <item>
      <title>Re: Global Protect - Clients with excessive failed logins</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/global-protect-clients-with-excessive-failed-logins/m-p/220230#M63547</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480"&gt;@BPry&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;I don't know what MS recommendations are for AD, but our security team requires AD accounts to be manually unlocked.&amp;nbsp;&lt;/P&gt;&lt;P&gt;I agree with you about the pre-logon tunnel, but it's another 6-8 months out for me. I was hoping to find a band-aid until then. Thanks for your help.&lt;/P&gt;</description>
      <pubDate>Mon, 02 Jul 2018 18:54:20 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/global-protect-clients-with-excessive-failed-logins/m-p/220230#M63547</guid>
      <dc:creator>Jonathan.Bennett</dc:creator>
      <dc:date>2018-07-02T18:54:20Z</dc:date>
    </item>
    <item>
      <title>Re: Global Protect - Clients with excessive failed logins</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/global-protect-clients-with-excessive-failed-logins/m-p/220232#M63549</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9981"&gt;@Mick_Ball&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;Will LDAP give a return like that? When I opened a case with PA TAC they told me it wouldn't. We've only used RADIUS for RSA and Kerberos, so I have not tested LDAP.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Using a secure cookie would reduce a login prompt. Not sure if my security team will go for it, but it's an idea. Thank you.&lt;/P&gt;</description>
      <pubDate>Mon, 02 Jul 2018 18:56:50 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/global-protect-clients-with-excessive-failed-logins/m-p/220232#M63549</guid>
      <dc:creator>Jonathan.Bennett</dc:creator>
      <dc:date>2018-07-02T18:56:50Z</dc:date>
    </item>
    <item>
      <title>Re: Global Protect - Clients with excessive failed logins</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/global-protect-clients-with-excessive-failed-logins/m-p/220233#M63550</link>
      <description>&lt;P&gt;A return like what... not sure what you mean...&lt;/P&gt;&lt;P&gt;LDAP just compares user vs password, just gets a yes or no; this is not registered against auth attempts on AD.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regarding cookies, I cannot see the benefit of using the same credentials twice. I can understand if using different auth profiles for portal and gateway, but you seem not to be doing this.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Looking forward to your portal config...&lt;/P&gt;</description>
      <pubDate>Mon, 02 Jul 2018 19:11:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/global-protect-clients-with-excessive-failed-logins/m-p/220233#M63550</guid>
      <dc:creator>Mick_Ball</dc:creator>
      <dc:date>2018-07-02T19:11:06Z</dc:date>
    </item>
    <item>
      <title>Re: Global Protect - Clients with excessive failed logins</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/global-protect-clients-with-excessive-failed-logins/m-p/220237#M63551</link>
      <description>&lt;P&gt;&lt;SPAN&gt;Looking forward to your portal config&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Sorry.... wrong thread....&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 02 Jul 2018 19:46:34 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/global-protect-clients-with-excessive-failed-logins/m-p/220237#M63551</guid>
      <dc:creator>Mick_Ball</dc:creator>
      <dc:date>2018-07-02T19:46:34Z</dc:date>
    </item>
    <item>
      <title>Re: Global Protect - Clients with excessive failed logins</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/global-protect-clients-with-excessive-failed-logins/m-p/220239#M63552</link>
      <description>&lt;P&gt;I guess my ultimate wish would be to be able to get some sort of an error or message to the end user. Anything but a continual prompt for their creds. I have about 200 users on my portal, and I have about 15 that have multiple lockouts over the past 3 days.&lt;/P&gt;</description>
      <pubDate>Mon, 02 Jul 2018 19:56:02 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/global-protect-clients-with-excessive-failed-logins/m-p/220239#M63552</guid>
      <dc:creator>Jonathan.Bennett</dc:creator>
      <dc:date>2018-07-02T19:56:02Z</dc:date>
    </item>
  </channel>
</rss>

