topic Radius authentication for Global Protect in General Topics

Radius authentication for Global Protect

Gabriel_Linero — Wed, 08 Aug 2018 14:18:26 GMT

Hi community!

I have encountered a "problem" with our Global Protect authentication while we were doing some maintenance works.

We have an Authentication Profile with 3 RADIUS servers for authenticating the users, and the number of retries is set to 5.

So, according to Palo Alto documentation, after 5 authentication attempts against server 1, it should try with server 2, and so on and so forth.

However, Global Protect client gives back the authentication fail after the 3rd attempt, so it will never try the server 2. We were doing maintenance on server 1 relying on the other 2 servers, but Global Protect was never using the other 2.

Is there any best practise to use here?

Thanks!

Re: Radius authentication for Global Protect

BPry — Wed, 08 Aug 2018 16:57:09 GMT

@Gabriel_Linero,

Is auth failing at the GP Portal or the GP Gateway or both?

Edit:

Have you configured an auth sequence? Kind of sounds like you maybe haven't configured an authentication sequence.

Re: Radius authentication for Global Protect

Gabriel_Linero — Thu, 09 Aug 2018 11:01:45 GMT

Hi @BPry, I haven't checked with the portal, but when you connect with the Global Protect client to the portal, it authenticates in both portal and gateway. We have the authentication override so we do only one authentication.

We don't have ideed authentication sequence, but as far as I know, that's for using different profile. What we have is one authentication profile with one RADIUS server profile that inholds 3 RADIUS servers. As per Palo Alto documentation, when using the Server profile, it will try with the first server for the amount for retries, and then go to the second server.

We have configured 5 retires, but after the 3rd one (According to the logs) the client of Global Protect already go the authentication fail and asks the user to re-enter username and password.

We may need to configure less retries? Is Global Protect working in a different way when it retries the RADIUS authentication?

Re: Radius authentication for Global Protect

Mick_Ball — Fri, 10 Aug 2018 12:49:42 GMT

Hmmm... this is a bit confusing but...

the radius max retries is 5, as per documentation.

so if you set profile to 5 then it will try first server 5 times, it will not try server 2 because you have used up your 5 attempts.

not sure about your logs but wireshark shows all attempts...

if you have 5 servers in the list then you must set retries to "1" or the last server will never get used..

so set retries to 2 or 3. lets face it, if you do not hit your server after 2nd attempt then something is wrong....

you can set auth sequence as per @BPry. this will of course work but bear in mind that if a user enters an incorrect password or code then the same password/code will be used on server 2, so 2 bad auths registered against user... if you have 3 servers with a 3 attempts lockout policy then account locked on one attempt as it will try 3 times.

starting to waffle on a bit... soz.

so.... have a max of 3 servers per profile and set it to 2 retries.

or 2 servers with retries of 3.

or 1 server with retries of 4.

Re: Radius authentication for Global Protect

Gabriel_Linero — Fri, 10 Aug 2018 12:54:36 GMT

Hi @Mick_Ball, thanks a lot! will test that and see what happens 🙂

Re: Radius authentication for Global Protect

BPry — Fri, 10 Aug 2018 13:01:15 GMT

@Gabriel_Linero,

I missed your update yesterday, but @Mick_Ball is correct. The radius has a max retry value of 5; that doesn't mean that it will try all servers 5 times, it means it will attempt to auth the connection 5 times. It's slightly odd that you are only ever seeing 3 attempts, but if you have 3 servers you're retries should be set no greater then '2', noting that the 3rd radius server will only ever see 1 request.

I'd also recommend simply verifying that if you remove 'Server 1' from the profile you'll actually able to authenticate via the other two servers. It's possible that configuration on the actual radius server itself isn't correct for the other two servers.

Re: Radius authentication for Global Protect

rj_raj — Sat, 11 Aug 2018 17:25:59 GMT

Try doing packet capture for the radius traffic and check if the correct password is being sent for authentication. We have situation where the wrong password is being sent by the firewall or gp agent. It is adding # in front of the password. We have an open case with support on it

Re: Radius authentication for Global Protect

Remo — Sat, 11 Aug 2018 18:16:25 GMT

@rj_raj

Could you share some more information about this issue:

PAN-OS version
GP-Agent version
Authentication (RADIUS, LDAP, ...)
Pre-Logon/On demand
Enforce Global Protect for network access enabled
...

Maybe this would be helpful also for others here (and if others have the same problem and also open cases, this could also help you as the issue then gets a higher priority)

Thanks in advance,

Remo