topic Re: GlobalProtect 2FA in General Topics

GlobalProtect 2FA

Filip_Fronczak — Sun, 21 Oct 2018 15:03:14 GMT

Hi,

PaloAlto VM-100 8.0.13

I've been trying to add 2FA to our GlobalProtect Gateway. I've followed the instructions described here: https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/authentication/set-up-two-factor-authentication/enable-two-factor-authentication-using-one-time-passwords-otps

Probably I've must have done something wrong, because I am prompted twice to enter the LDAP (AD) password insted of LDAP and RADIUS.

Could you please point me to where I made the mistake?

Thank you a lot.

Re: GlobalProtect 2FA

LukeBullimore — Sun, 21 Oct 2018 19:48:24 GMT

Hi @Filip_Fronczak

Things that I can think of that could be causing this:

Save User Credentials - Must be set to no, or saving username only.

SSO must be disabled in the App configuration. (portals -> agent -> app)

Is the authentication profile for the gateway set to the one with the RADIUS server profile attached?

Thanks,

Luke.

Re: GlobalProtect 2FA

Remo — Sun, 21 Oct 2018 20:33:37 GMT

@Filip_Fronczak

What does your RADIUS server require for authentication? Only the second factor or username, password and second factor?

Do you want wo use LDAP on the portal and RADIUS on the gateway or how exactly did you configure the authentication?

(Did you commit your changes os is there the little chance that you still have LDAP on portal and gateway and because of that you're asked twice for AD credentials?

Re: GlobalProtect 2FA

Filip_Fronczak — Sun, 21 Oct 2018 22:21:44 GMT

I've made some progres - I've changed the order of authentication profiles in: GlobalProtect Gateway Configuration/Authentication.

If I put the RADIUS first and AD second it asks me first for the AD password and then for the RADIUS OTP code.

Strange, but it is like this.

Now I have another problem. I enter the AD password and it gets accepted then I enter the OTP code and I get prompted again and again.

In the system log:

2018/10/22 00:07:49,,globalprotectgateway-auth-fail,GP-Gateway-N,0,0,general,informational,"GlobalProtect gateway user authentication failed. Login from: nn.nn.nn.nn, Source region: xx, User name: xxxx, Client OS version: Microsoft Windows 10 Pro , 64-bit, Reason: Authentication failed: Timeout , Auth type: profile.",3035522,0x0,0,0,0,0,,PA-VM-01
2018/10/22 00:07:04,,globalprotectportal-config-succ,Portal1,0,0,general,informational,"GlobalProtect portal client configuration generated. Login from: nn.nn.nn.nn, Source region: xx, User name: xxxx, Config name: Portal_Agent.",3035517,0x0,0,0,0,0,,PA-VM-01
2018/10/22 00:07:04,,globalprotectportal-auth-succ,Portal1,0,0,general,informational,"GlobalProtect portal user authentication succeeded. Login from: nn.nn.nn.nn, Source region: xx, User name: xxxx, Auth type: profile.",3035516,0x0,0,0,0,0,,PA-VM-01

At the same time in the SafeNet Auth. Service (OTP) I have a successfull authentication:

2018-10-22 00:07:24

xxxx

Authentication

Success

MobilePASS

06104216

192.168.2.192

Re: GlobalProtect 2FA

Filip_Fronczak — Sun, 21 Oct 2018 22:26:11 GMT

Never mind. The last problem was my mistake. I have changed the secret in NPS and forgot to click OK.

Everything works fine now.

Re: GlobalProtect 2FA

jdelio — Thu, 04 Mar 2021 22:11:29 GMT

Just in case anyone wants to know, I have written a blog about this topic here:

DOTW: MFA and 2FA for GP and NGFW

Be sure to check it out.