We need support from Palo Alto to understand the following issue:
A portal and gateway profile has been created for "internal" users and "external" business partner users. All users need to authenticate using OTP (One time passcode). By default users must first authenticate against the Portal and second against the Gateway. Unfortunately this means that users have to enter an OTP twice. The authentication flow is as follows:
- They are asked for the OTP the first time for the portal
- PA tries to use the same OTP to authenticate on the Gateway
- The authentication provider does not accept the same OTP twice, so it replies with an Auth reject
- PA prompts the user for the OTP again (to the user it looks like a failed authentication)
This causes confusion as most users will try to authenticate again with the same OTP and authentication fails.
PAN has an option called authentication override for Portal and Gateway. When enabling authentication override on the Portal, users have to authenticate twice the first time, but at the same time a cookie is set on the client valid for one year. The next time users connect to GP they only have to authenticate once, against the gateway, as the client cookie is presented to the PA firewall and accepted.
However this solution still asks for double auth the first time and then every year or when the cookie is lost.
Is there a better option to avoid asking for 2 OTPs when logging in to GlobalProtect?
Please raise this issue with Palo Alto, as we are receiving complaints from end users quite often.
Version 7.0.9 is running on PA-500.
You probably need PAN-OS 7.1 which has enhanced 2 factor authentication features:
I hope it helps.
Was having the same issue and you describing it out helped me fix it by using LDAP auth for the Portal and Radius using OTP for the Gateway. Eliminated the double prompt for OTP and authenticated successfully on the first attempt.
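To make the failure in the question and the fix in this reply concrete, here is an added simulation (not Palo Alto code and not from the original thread) of the two authentication layouts. The OTP provider is modelled as an RFC 4226 HOTP verifier that consumes each code once, so the gateway's replay of the portal OTP is rejected; the class and function names and the constructed seed are assumptions for the example.

```python
import hashlib, hmac, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class OtpServer:
    """Stand-in for the RADIUS/OTP provider: a code is accepted once, then the
    counter moves past it, so replaying that same code is rejected."""
    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.window, self.last_counter = secret, window, -1

    def verify(self, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False

class Token:
    """The user's OTP token; also counts how often GlobalProtect asks for a code."""
    def __init__(self, secret: bytes):
        self.secret, self.counter, self.prompts = secret, 0, 0

    def next_code(self) -> str:
        self.prompts += 1
        self.counter += 1
        return hotp(self.secret, self.counter - 1)

def login_otp_portal_and_gateway(token: Token, otp: OtpServer):
    """Questioner's setup: OTP on portal and gateway. GP reuses the portal
    credentials at the gateway, the provider rejects the replay, GP re-prompts."""
    code = token.next_code()
    if not otp.verify(code):                 # portal
        return False, token.prompts
    if not otp.verify(code):                 # gateway replays the same code
        code = token.next_code()             # second prompt; looks like a failure
        if not otp.verify(code):
            return False, token.prompts
    return True, token.prompts

def login_ldap_portal_otp_gateway(token, otp, ldap, user, password):
    """Reply's workaround: LDAP password on the portal, OTP only on the gateway."""
    if ldap.get(user) != password:           # portal: password check only
        return False, token.prompts
    return otp.verify(token.next_code()), token.prompts   # gateway: one OTP prompt
```

The returned tuple is (success, number of OTP prompts): two prompts with OTP on both the portal and gateway, one prompt when the portal uses LDAP and only the gateway uses OTP.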
We as well use LDAP at auth portal, SSO at portal config level and OTP at Gateway level it works fine...
However for better end user usability we had to enable authentication cookie override at Gateway level as well.
For this to work fine we had to deactivate SSO (as SSO can create username invalid issues...)
Everything looks stable so far.
Yeah, this has been an issue since 7.1 for us as well. We migrated to certificate authentication for the portal, but certificates might not work for everyone as you have to push them to devices first