topic Re: Native VPN client in General Topics

Native VPN client

jdprovine — Mon, 23 Jul 2018 14:36:31 GMT

The native client on my windows machine does not seem to be authenticating against my radius/otp/ldap server and my globalprotect client is getting through the portal but failing on the gateway. Any ideas why or how to track it down?

Re: Native VPN client

Mick_Ball — Mon, 23 Jul 2018 15:07:15 GMT

if GP is using OTP then it will fail on the gateway as it's probably using the same passcode twice.

if using OTP then setup cookie generation on the portal and cookie auth on the Gateway.

Re: Native VPN client

jdprovine — Mon, 23 Jul 2018 15:13:21 GMT

@Mick_Ball

I have have both the portal and the gateway set to use radius and OTP. So where do I go to setup cookie generation?

Why does the native client work and not ask for the OTP?

Re: Native VPN client

Mick_Ball — Mon, 23 Jul 2018 15:22:53 GMT

the native client goes to the gateway directly, it does not use the portal so only has to auth once...

the settings are in network/portal/agent/configs. the settings are under authentication overide.

set the portal to generate cookie.

set portal to portal component only

and network/gateways/agent/client settings/configs.. set this to accept cookie, use same cert for decrypt and set to low lifetime. 2 mins

if you need further help then i will post print screen.

Re: Native VPN client

jdprovine — Mon, 23 Jul 2018 15:25:30 GMT

@Mick_Ball

So tsounds like the native client is not going to work with the OTP setup on the PA thats not good

Re: Native VPN client

Mick_Ball — Mon, 23 Jul 2018 15:29:28 GMT

Hmmmmm ... bit confused as i thought you said from the start that native was failing...

but you then asked "Why does the native client work and not ask for the OTP?".

so... er... erm

the native should work OK. you can still have Radius auth on the gateway along with cookies. if the client has no cookie then it should challenge for OTP or whatever your Radius requires

Re: Native VPN client

jdprovine — Mon, 23 Jul 2018 15:37:06 GMT

@Mick_Ball

I can see where you might read that, no its not failing but it is not asking for a code to authenticate the native client, it is just allowing it with a username and password. So when I say not authenticating against the radius/OTP server I mean not prompting the user for the authcode/token, just letting them right in.

So where is the best place to put the cookies on both the portal and gateway, just the portal or just the gateway. Our token has a limited life

Re: Native VPN client

Mick_Ball — Mon, 23 Jul 2018 15:39:42 GMT

OK so can we just confirm.... how many gateways do you have, is it just one for both GP and Native or one for each.

Re: Native VPN client

jdprovine — Mon, 23 Jul 2018 15:43:06 GMT

@Mick_Ball

Correct one gateway for both the native and globalprotect client

Re: Native VPN client

Mick_Ball — Mon, 23 Jul 2018 15:49:05 GMT

OK and do you use multi factor auth on that gateway for GP users (LDAP and Radius)

or do GP users just use Radius.

Re: Native VPN client

jdprovine — Mon, 23 Jul 2018 15:56:02 GMT

@Mick_Ball

I believe that the server was set up to do radius/OTP/LDAP and we have both the portal and the gateway set to that same server for multiauth

Re: Native VPN client

Mick_Ball — Mon, 23 Jul 2018 15:58:58 GMT

OK so i would assume that GP users can use ldap or OTP, and native client users can also use either ldap or OTP or have i missed something here..

Re: Native VPN client

Mick_Ball — Mon, 23 Jul 2018 15:59:31 GMT

what happens if native user tries OTP

Re: Native VPN client

Mick_Ball — Mon, 23 Jul 2018 16:17:18 GMT

Regarding your cookie auth for GP OTP.

it depends on how much you trust the users.

you can set the cookie so that once generated it can be used all day to authenticate, probably dangerous if a device is lost or stolen.

you can also choose if it will auth both portal and gateway or just gateway.

this is how i use it.

user connects with GP, GP prompts for username, PIN and OTP. if succesful then GP is issued a cookie, this is what is used to auth to the gateway.

I only allow cookie for 1 min as user should reach the gateway a few seconds after authenticating to the portal.

if the user disconnects or is disconnected then they reconnect when they next need to and enter OTP again.

Re: Native VPN client

jdprovine — Mon, 23 Jul 2018 16:37:38 GMT

@Mick_Ball

So do you set the auth profile for both the gateway and the portal to the radius/OTP/LDAP server and then set authentication overide to "Accept cookie for authentication override" on the gateway? Do you have to set "Generate cookie for authentication override on the portal" or no setting on the portal under authentication override?

But I do know I want the prompt for the PIN/token on the portal and then passed to the gateway and a limited cookie time

Re: Native VPN client

Mick_Ball — Mon, 23 Jul 2018 17:35:55 GMT

So do you set the auth profile for both the gateway and the portal to the radius/OTP/LDAP server

Yes. you don't really need it on the gateway for GP but you will need it for native.

and then set authentication overide to "Accept cookie for authentication override" on the gateway?

Yes. and set a time limit for how long you will accept the cookie. 10 mins is fine...

Do you have to set "Generate cookie for authentication override on the portal"

Yes, but do not accept cookie for auth on portal. and put a tick in "portal" under the components section.

this will force OTP everytime a user connects.

Re: Native VPN client

Mick_Ball — Mon, 23 Jul 2018 17:06:18 GMT

Gateway Settings

Re: Native VPN client

jdprovine — Mon, 23 Jul 2018 18:12:05 GMT

@Mick_Ball

Do you know if it is possible to do the 2 auth without using the cookies?

Re: Native VPN client

jdprovine — Mon, 23 Jul 2018 18:15:18 GMT

@Mick_Ball

I swear there was a picture with this but I don't see it anymore

Re: Native VPN client

Mick_Ball — Mon, 23 Jul 2018 18:27:26 GMT

Yes sorry the picture had some restricted info and couldnt edit it. So removed it. I will re post if needed but it was only portal info.

im not sure what you mean by 2 auth... you can use OTP without cookie auth but user will have to wait for passcode to change for gateway auth.

Thats why the overide is offered on the palo.