https://live.paloaltonetworks.com/t5/general-topics/global-protect-multifactor-authentication-with-radius/m-p/324386#M82815 <P>The PAN-OS version is 8.1.8 when I found the known issue:-</P><P><U><EM><STRONG>PAN-97757</STRONG></EM></U></P><DIV class="p">&nbsp;</DIV><DIV class="p"><DIV><BR />GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.<BR />Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP</DIV></DIV> Wed, 22 Apr 2020 20:48:07 GMT Jafar_Hussain 2020-04-22T20:48:07Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-multifactor-authentication-with-radius/m-p/324385#M82814 <P>Dear All,</P><P>&nbsp;</P><P>I have configured GP with multifactor authentication.</P><P>Example:- If I want to connect VPN, so I click to connect on agent it will prompt me to credential then I will enter username and password once it is succeded one OTP received my mobile. after entering the OTP. I can connect the VPN</P><P>&nbsp;</P><P>Randomly I am facing issues some users not able to connect VPN if they enter credentials(5-6 times) the error occurs user name password is incorrect.</P><P>Workaround - I remove all the settings from the agent and enter the portal name after that I can able to log in.</P><P>&nbsp;</P><P>Highlight points:- When I did the troubleshooting:-</P><P>&nbsp;</P><P>1) I can see the error - &nbsp; (Auth FAILED for user "ABC" thru &lt;"MFA-VPN", "vsys1"&gt;: remote server 10.20.182.42 of server profile "MFA-VPN-Radius" is down, or in retry interval, or request timed out (elapsed time 25 secs, max allowed 25 secs)</P><P>For this error, I went through some KB and found I need to increase the Global protect timeout.</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNmaCAG" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNmaCAG</A></P><P>&nbsp;</P><P>2) When I test the authentication profile get the error -</P><P>Target vsys is not specified, user "ABC" is assumed to be configured with a shared auth profile.</P><P>Do allow list check before sending out authentication requests...</P><P>For this:- I can able to ping the RADIUS server and some users test authentication succeded and for the ABC user test is succeed sometimes.</P><P>&nbsp;</P><P>3) In the portal and gateway setting, I didn't configure authentication override (Generate cookies and Accept cookies)</P><P>For this - It is mandatory to configure authentication override?</P><P>&nbsp;</P><DIV class="p"><DIV>&nbsp;</DIV></DIV><P>Please suggest to me what I need to do for this.</P> Wed, 22 Apr 2020 20:45:20 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-multifactor-authentication-with-radius/m-p/324385#M82814 Jafar_Hussain 2020-04-22T20:45:20Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-multifactor-authentication-with-radius/m-p/324386#M82815 <P>The PAN-OS version is 8.1.8 when I found the known issue:-</P><P><U><EM><STRONG>PAN-97757</STRONG></EM></U></P><DIV class="p">&nbsp;</DIV><DIV class="p"><DIV><BR />GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.<BR />Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP</DIV></DIV> Wed, 22 Apr 2020 20:48:07 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-multifactor-authentication-with-radius/m-p/324386#M82815 Jafar_Hussain 2020-04-22T20:48:07Z