Client Authentication Sequence only works for 1st item in the list

L1 Bithead

I configured Client Authentication Sequence for both GlobalProtect Portal and Gateway for both LDAP and local database. For some reason, only the first item in the list works. It does not seem to try the rest of the sequences in the list. If LDAP is first in the list, then LDAP authentication works but not local database. If local database is first in the list, then local database authentication works but not LDAP authentication. What could be causing this? This is version 9.0.

L6 Presenter

Re: Client Authentication Sequence only works for 1st item in the list

Auth sequence is simply a list of possible auth services. It will run down the list until one is accepted.

It is not designed for MFA.

You could look into GlobalProtect MFA, there are plenty of links available. I use cert and LDAP.

You could just have local for portal and LDAP for gateway.

Although this could be less secure if portal is down and client uses cached gateway address.

L1 Bithead

Re: Client Authentication Sequence only works for 1st item in the list

Not trying to do multiple factor authentication. I simply want two different methods of logging in. Use either local database or LDAP. It is supposed to take the login name and password and try each of the methods in sequence until one logs in, right?

L6 Presenter

Re: Client Authentication Sequence only works for 1st item in the list

Yes, that is what should happen. Sorry for the confusion, I thought you were trying to use 2 logins...

Does it say in monitor/system that it failed on just the first? I can try this on my test boxes tomorrow.

L6 Presenter

Re: Client Authentication Sequence only works for 1st item in the list

I have LDAP server 1, LDAP server 2 and local database in my sequence.

I can log in with either my local account or my LDAP account, so not sure what's going wrong for you.

I did confirm the sequence was working with monitor/packet capture to see a request going to all servers.
