https://live.paloaltonetworks.com/t5/general-topics/authentication-sequence-not-working/m-p/313159#M80888 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>- Security rule is set to Deny and not Drop or Reset.</P><P>&nbsp;</P><P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9981">@Mick_Ball</a>- Yes, the documentations suggests lookup feature rather than failure.</P> Wed, 26 Feb 2020 17:15:06 GMT Sly_Cooper 2020-02-26T17:15:06Z https://live.paloaltonetworks.com/t5/general-topics/authentication-sequence-not-working/m-p/312895#M80852 <P>Hi All,</P><P>&nbsp;</P><P>I have successfully tested Authentication policy using LDAP, MFA (Okta API), SAML and RADIUS (Okta). I am working on the redundancy scenarios wherein if Okta fails, the fallback would be LDAP. I am using RADIUS (Okta) and LDAP in the Authentication Sequence. I am however unable to get the LDAP (Active Directory) fallback working. I am simulating RADIUS(OKTA) failure by configuring the service route to use the firewall traffic interface and then a security policy to block the RADIUS traffic. I can see that the firewall is successfully blocking RADIUS traffic. I however, want it to proceed to LDAP auth and authenticate considering RADIUS unavailability. I am using default-web-form in the auth policy and CP is set to use the authentication sequence. The authentication logs only show Authentication Failure with the RADIUS server events. What am I missing? Will this config ever work?</P> Tue, 25 Feb 2020 20:55:52 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-sequence-not-working/m-p/312895#M80852 Sly_Cooper 2020-02-25T20:55:52Z https://live.paloaltonetworks.com/t5/general-topics/authentication-sequence-not-working/m-p/312961#M80856 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/30703">@Sly_Cooper</a>,</P><P>Just to verify, your security rule is set to drop the traffic and not send a reset correct?&nbsp;</P> Wed, 26 Feb 2020 03:37:01 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-sequence-not-working/m-p/312961#M80856 BPry 2020-02-26T03:37:01Z https://live.paloaltonetworks.com/t5/general-topics/authentication-sequence-not-working/m-p/313135#M80885 <P>i dont think this works on a total failure of the first auth in the sequence, it only seems to work if the first auth returns a "no".</P><P>if no response at all then it just times out the entire sequence.</P><P>&nbsp;</P><P>the above happens to me on V8.14 GP portal.</P><P>&nbsp;</P><P>I don't even think it was intended for use with multiple user accounts, it was more designed for a single user account on multiple auth servers with different passwords.</P><P>Having said that it still does not work for me if first auth server is down, or in your case... blocked!</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 26 Feb 2020 15:23:34 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-sequence-not-working/m-p/313135#M80885 Mick_Ball 2020-02-26T15:23:34Z https://live.paloaltonetworks.com/t5/general-topics/authentication-sequence-not-working/m-p/313159#M80888 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>- Security rule is set to Deny and not Drop or Reset.</P><P>&nbsp;</P><P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9981">@Mick_Ball</a>- Yes, the documentations suggests lookup feature rather than failure.</P> Wed, 26 Feb 2020 17:15:06 GMT https://live.paloaltonetworks.com/t5/general-topics/authentication-sequence-not-working/m-p/313159#M80888 Sly_Cooper 2020-02-26T17:15:06Z