topic Re: GlobalProtect portal user authentication failed in General Topics

GlobalProtect portal user authentication failed

howardtopher — Wed, 07 Nov 2018 18:15:17 GMT

For globalprotect I have a radius server profile with two servers in it. I have noticed that all authentication goes to the first server in the list all the time. And that works. However, in testing, I have shut off the first server and the firewall never tries to send authentcation to the second server. If I use the "test authentication" command on the firewall CLI, it does fail over to the second server and authentication succeeds. If I go back to the globalprotect client and try again, the firewall only tries the first server and authentication fails. I have verified this with packet captures on the actual radius servers.

This seems to be incorrect behavior. Is it possible that there is a known bug about this? I'm using the same authentication profile in the globalprotect portal configuration as I am on the test CLI command.

Re: GlobalProtect portal user authentication failed

BPry — Wed, 07 Nov 2018 20:32:35 GMT

@howardtopher,

To know if you are hitting a known bug, we would need to know your PAN-OS version and GP agent version 😉

I recall this issue a while ago this issue was brought up and the fix was modifying the retries and timout values lower; something with that agent version was timing out the authentication on the agent side of things before getting a response. That particular issue if I recall correctly had much higher values in both fields however.

Re: GlobalProtect portal user authentication failed

howardtopher — Wed, 07 Nov 2018 20:43:44 GMT

Our PAN-OS is 8.0.10. Maintenance night is next Friday, we'll jump to 8.0.13 at that point unless 8.0.14 gets released before then.

Globalprotect is 4.1.5.

I tried setting the timeout to 1 second and retries to 1 in the server profile, but that didn't make a difference. The globalprotect client says "connecting..." for a good 30 seconds before giving up (I haven't timed it, but it's feels long). The CLI fails over to the second server in the 1 second timeout that's configured.

Re: GlobalProtect portal user authentication failed

BPry — Wed, 07 Nov 2018 21:01:51 GMT

@howardtopher,

I don't think it's your PAN-OS version, nothing in the release notes point towards a fix for anything to do with RADIUS between those versions. You could be running into GPC-7215 if you are using SSO.

Re: GlobalProtect portal user authentication failed

Mick_Ball — Thu, 08 Nov 2018 14:58:30 GMT

yes @BPry i remember that post too!

unfortunately the poster never updated so still hanging...

the main pont to remember is that the max retries is 5.

so if you have 2 servers then only set retries to 3. (or less)

I have just tested 4.15, i have radius server profile with 2 laptops running wireshark.

the timeout is 3 and retries is 3.

i see the first laptop get 3 radius requests with about a 3 to 3.5 second interval.

i then see laptop 2 get 2 radius requests (total 5) with similar intervals.

as soon as the second one times out my GP client re prompts for username and password so all looking OK.

i cannot think why you would have such an issue... i have tested this on V7.1x and 8.08

Re: GlobalProtect portal user authentication failed

Mick_Ball — Thu, 08 Nov 2018 14:59:54 GMT

Ye olde poste...

https://live.paloaltonetworks.com/t5/General-Topics/Radius-authentication-for-Global-Protect/td-p/226447