https://live.paloaltonetworks.com/t5/general-topics/authetication-override/m-p/232030#M66600 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9981">@Mick_Ball</a>&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592">@Remo</a></P><P>Yes just to make a better user experience so they don't have to log in twice and no I they would not be logged in for 7 days&nbsp;</P><P>So it looks like generate cookie on the portal and accept onthe gateway is the best way to go for me. I have both radius and OTP set on both the portal and the gateway. I have both native clients and globalprotect clients using the VPN.</P> Mon, 24 Sep 2018 13:20:47 GMT jdprovine 2018-09-24T13:20:47Z https://live.paloaltonetworks.com/t5/general-topics/authetication-override/m-p/230911#M66320 <P>Why is it necessary to enter "generate cookie for authentication override and accept cookie for the authentication override on both the portal and gateway? I would think it would make more sense to select&nbsp;<SPAN>generate cookie for authentication override on the portal and&nbsp;accept cookie for the authentication override&nbsp; on the gateway.</SPAN></P><P><SPAN>I am also not sure what you have to put authentication method on both the portal and the gateway.</SPAN></P> Fri, 14 Sep 2018 20:04:20 GMT https://live.paloaltonetworks.com/t5/general-topics/authetication-override/m-p/230911#M66320 jdprovine 2018-09-14T20:04:20Z https://live.paloaltonetworks.com/t5/general-topics/authetication-override/m-p/230938#M66325 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18719">@jdprovine</a></P><P>&nbsp;</P><P>If you only need the cookie for a better user experience during <EM>one&nbsp;</EM>login, then it is enough if you only generate the cookie ond the portal and accept it on the gateway.&nbsp;</P><P>If you have for example the requirement that a login should be valid for 7 days so that the user only has to log in again if he did not connect for 7 days, then I would also generate the cookies on the gateway. This way the cookie will also be renewed in case the portal is not available. Also because of that reason (portal not available) I would configure portal and gateway with the same authentication - to keep the authentication as you need it also in cases where a client (for whatever reason) skips the portal and connects to the gateway directly.</P><P>&nbsp;</P><P>Hope this makes sense.</P> Fri, 14 Sep 2018 23:04:54 GMT https://live.paloaltonetworks.com/t5/general-topics/authetication-override/m-p/230938#M66325 Remo 2018-09-14T23:04:54Z https://live.paloaltonetworks.com/t5/general-topics/authetication-override/m-p/230959#M66330 <P>Yes as per mr remo....</P><P>&nbsp;</P><P>generate on portal and accept on gateway.</P><P>whatever auth you have on the portal, set same on the gateway.</P><P>cookie overide will prevent user having to authenticate again on gateway but needs to be there if portal is ever unavailablle</P><P>because client will use cached portal info and connect directly to the gateway(s) without a cookie.&nbsp;</P><P>&nbsp;</P><P>pretty much repeated what&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592">@Remo</a>&nbsp;already stated but im gonna post anyhows...</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 15 Sep 2018 17:16:21 GMT https://live.paloaltonetworks.com/t5/general-topics/authetication-override/m-p/230959#M66330 Mick_Ball 2018-09-15T17:16:21Z https://live.paloaltonetworks.com/t5/general-topics/authetication-override/m-p/232030#M66600 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9981">@Mick_Ball</a>&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592">@Remo</a></P><P>Yes just to make a better user experience so they don't have to log in twice and no I they would not be logged in for 7 days&nbsp;</P><P>So it looks like generate cookie on the portal and accept onthe gateway is the best way to go for me. I have both radius and OTP set on both the portal and the gateway. I have both native clients and globalprotect clients using the VPN.</P> Mon, 24 Sep 2018 13:20:47 GMT https://live.paloaltonetworks.com/t5/general-topics/authetication-override/m-p/232030#M66600 jdprovine 2018-09-24T13:20:47Z https://live.paloaltonetworks.com/t5/general-topics/authetication-override/m-p/232096#M66621 <P>Bingo!</P> Mon, 24 Sep 2018 16:55:27 GMT https://live.paloaltonetworks.com/t5/general-topics/authetication-override/m-p/232096#M66621 Mick_Ball 2018-09-24T16:55:27Z https://live.paloaltonetworks.com/t5/general-topics/authetication-override/m-p/232290#M66645 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592">@Remo</a>&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9981">@Mick_Ball</a></P><P>&nbsp;</P><P>I configured this and it worked just the way I wanted wooohooo</P><P>&nbsp;</P><P><SPAN>generate on portal and accept on gateway.</SPAN></P> Tue, 25 Sep 2018 15:14:58 GMT https://live.paloaltonetworks.com/t5/general-topics/authetication-override/m-p/232290#M66645 jdprovine 2018-09-25T15:14:58Z https://live.paloaltonetworks.com/t5/general-topics/authetication-override/m-p/232300#M66648 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18719">@jdprovine</a></P><P>&nbsp;</P><P>Congratulations, you have earned a new badge...</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="newbadge.png" style="width: 241px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/16765i1D5665DA7E18C7CF/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="newbadge.png" alt="newbadge.png" /></span></P> Tue, 25 Sep 2018 15:22:13 GMT https://live.paloaltonetworks.com/t5/general-topics/authetication-override/m-p/232300#M66648 Mick_Ball 2018-09-25T15:22:13Z