https://live.paloaltonetworks.com/t5/general-topics/client-authentication-sequence-only-works-for-1st-item-in-the/m-p/256746#M72841 <P>Auth sequence is &nbsp;simply a list of possible auth services. It will run down the list until one is accepted.</P><P>it is not designed for MFA.</P><P>&nbsp;</P><P>you could look into Globalprotect MFA, there are plenty of links available, i use cert and Ldap.</P><P>&nbsp;</P><P>you could just have local for portal and ldap for gateway.</P><P>&nbsp;</P><P>although this could be less secure if portal is down and client uses cached gateway address.</P> Tue, 09 Apr 2019 06:04:22 GMT Mick_Ball 2019-04-09T06:04:22Z https://live.paloaltonetworks.com/t5/general-topics/client-authentication-sequence-only-works-for-1st-item-in-the/m-p/256738#M72840 <P>I configured Client Authentication Sequence for both GlobalProtect Portal and Gateway for both LDAP and local database.&nbsp; For some reason, only the first item in the list works.&nbsp; It does not seem to try the rest of the sequences in the list. If LDAP is first in the list, then LDAP authentication works but not Local database.&nbsp;&nbsp; If Local databse is first in the list, then local database authentication works but not LDAP authentication.&nbsp; What could be causing this?&nbsp; This is 9.0 version.</P> Tue, 09 Apr 2019 05:23:07 GMT https://live.paloaltonetworks.com/t5/general-topics/client-authentication-sequence-only-works-for-1st-item-in-the/m-p/256738#M72840 rhap4boy 2019-04-09T05:23:07Z https://live.paloaltonetworks.com/t5/general-topics/client-authentication-sequence-only-works-for-1st-item-in-the/m-p/256746#M72841 <P>Auth sequence is &nbsp;simply a list of possible auth services. It will run down the list until one is accepted.</P><P>it is not designed for MFA.</P><P>&nbsp;</P><P>you could look into Globalprotect MFA, there are plenty of links available, i use cert and Ldap.</P><P>&nbsp;</P><P>you could just have local for portal and ldap for gateway.</P><P>&nbsp;</P><P>although this could be less secure if portal is down and client uses cached gateway address.</P> Tue, 09 Apr 2019 06:04:22 GMT https://live.paloaltonetworks.com/t5/general-topics/client-authentication-sequence-only-works-for-1st-item-in-the/m-p/256746#M72841 Mick_Ball 2019-04-09T06:04:22Z https://live.paloaltonetworks.com/t5/general-topics/client-authentication-sequence-only-works-for-1st-item-in-the/m-p/256813#M72861 <P>Not trying to do multiple factor authentication. &nbsp;I simply want to two different methods of login in. &nbsp;Use either local database or LDAP. &nbsp;It suppose to take the login name and password and try each of the method in sequence until one login right?</P> Tue, 09 Apr 2019 14:57:15 GMT https://live.paloaltonetworks.com/t5/general-topics/client-authentication-sequence-only-works-for-1st-item-in-the/m-p/256813#M72861 LCMember2099 2019-04-09T14:57:15Z https://live.paloaltonetworks.com/t5/general-topics/client-authentication-sequence-only-works-for-1st-item-in-the/m-p/256826#M72865 <P>Yes that is what should happen, sorry for the confusion, i thought you were trying to use 2 logins...</P><P>&nbsp;</P><P>Does it say in monitor/system that it failed on just the first, i can try this on my test boxes tomorrow</P> Tue, 09 Apr 2019 17:43:46 GMT https://live.paloaltonetworks.com/t5/general-topics/client-authentication-sequence-only-works-for-1st-item-in-the/m-p/256826#M72865 Mick_Ball 2019-04-09T17:43:46Z https://live.paloaltonetworks.com/t5/general-topics/client-authentication-sequence-only-works-for-1st-item-in-the/m-p/257175#M72954 <P>i have ldap server 1, ldap server 2 and local database in my sequence.</P><P>&nbsp;</P><P>i can login with either my local account or my ldap account so not sure whats going wrong for you.</P><P>&nbsp;</P><P>i did confirm the sequence was working with monitor/packet capture to see a request going to all servers.</P> Thu, 11 Apr 2019 08:26:17 GMT https://live.paloaltonetworks.com/t5/general-topics/client-authentication-sequence-only-works-for-1st-item-in-the/m-p/257175#M72954 Mick_Ball 2019-04-11T08:26:17Z