https://live.paloaltonetworks.com/t5/general-topics/native-duo-2fa-for-globalprotect-can-t-select-auth-profile-or/m-p/302953#M78903 <P>I'm moving to LDAP auth with Duo 2FA. We need a better answer than RADIUS as we've found Duo's Authentication Proxy functionally limited and crash-prone. Using <A href="https://live.paloaltonetworks.com/t5/Blogs/Duo-Multi-Factor-Authentication-MFA/ba-p/153420" target="_blank" rel="noopener">Mitch Densley's video guide for PAN-OS 8.x</A> as a starting point, I've gotten my Duo application set up, along with an authentication profile.</P><P>&nbsp;</P><P>However, when I try to create an Authentication Enforcement object, my Duoized authentication profile doesn't appear on the menu (only "None"). If I skip that step momentarily and try to create an authentication policy, I can't select the zone my captive portal interface is in. &nbsp;Can't tell what I'm missing or how my environment differs from the how-to-- I'm using PAN-OS 9.0.4 in an HA cluster managed by Panorama.</P> Tue, 10 Dec 2019 16:40:07 GMT Andrew.Vernon 2019-12-10T16:40:07Z https://live.paloaltonetworks.com/t5/general-topics/native-duo-2fa-for-globalprotect-can-t-select-auth-profile-or/m-p/302953#M78903 <P>I'm moving to LDAP auth with Duo 2FA. We need a better answer than RADIUS as we've found Duo's Authentication Proxy functionally limited and crash-prone. Using <A href="https://live.paloaltonetworks.com/t5/Blogs/Duo-Multi-Factor-Authentication-MFA/ba-p/153420" target="_blank" rel="noopener">Mitch Densley's video guide for PAN-OS 8.x</A> as a starting point, I've gotten my Duo application set up, along with an authentication profile.</P><P>&nbsp;</P><P>However, when I try to create an Authentication Enforcement object, my Duoized authentication profile doesn't appear on the menu (only "None"). If I skip that step momentarily and try to create an authentication policy, I can't select the zone my captive portal interface is in. &nbsp;Can't tell what I'm missing or how my environment differs from the how-to-- I'm using PAN-OS 9.0.4 in an HA cluster managed by Panorama.</P> Tue, 10 Dec 2019 16:40:07 GMT https://live.paloaltonetworks.com/t5/general-topics/native-duo-2fa-for-globalprotect-can-t-select-auth-profile-or/m-p/302953#M78903 Andrew.Vernon 2019-12-10T16:40:07Z https://live.paloaltonetworks.com/t5/general-topics/native-duo-2fa-for-globalprotect-can-t-select-auth-profile-or/m-p/303413#M78982 <P>Did you create an object in vsys1 instead of 'shared' ?</P> Thu, 12 Dec 2019 13:04:16 GMT https://live.paloaltonetworks.com/t5/general-topics/native-duo-2fa-for-globalprotect-can-t-select-auth-profile-or/m-p/303413#M78982 reaper 2019-12-12T13:04:16Z https://live.paloaltonetworks.com/t5/general-topics/native-duo-2fa-for-globalprotect-can-t-select-auth-profile-or/m-p/303504#M79001 <P>For the Authentication Enforcement Object (Objects &gt; Authentication), I found creating a shared object (one used across all device groups) made the authentication profiles invisible. When I created the AEO in the device group covered by that particular template stack, the profiles were available to select. This occurred because I was using Panorama for device management. I'd have to walk back through the exercise on a stand-alone device to see if there's a similar distinction between the device level shared context and a specific vsys. (I only have single instances on my firewalls, so nothing really needs to be "shared.") It's not exactly as&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a> suggested, but their suggestion took me to the right place.</P><P>&nbsp;</P><P>I'm skipping the authentication policy step since further reading suggests it may not be needed for GlobalProtect. May have to revisit it after some testing.</P><P>&nbsp;</P><P>So short answer is: Just turn off the "Shared" checkbox when setting authentication enforcement.</P> Thu, 12 Dec 2019 21:43:19 GMT https://live.paloaltonetworks.com/t5/general-topics/native-duo-2fa-for-globalprotect-can-t-select-auth-profile-or/m-p/303504#M79001 Andrew.Vernon 2019-12-12T21:43:19Z