Global Protect Next TokenCode Mode


L1 Bithead

Hi all,

Just wondering what I am missing in terms of getting the GlobalProtect Portal and Gateway to show next token prompts etc.

I have a fairly straightforward ISE RADIUS setup that talks to RSA AM. The authentication and authorization work except when next tokencode mode is invoked, as no prompts are seen to indicate the next token is required. I can see the RADIUS server sending the access-challenge to the client but nothing happens on either the portal or gateway.

3 REPLIES

Cyber Elite

@SteveMcBride

I don't believe that feature is actually supported at this time, but you might want to reach out to your SE to get formal verification. If not (and I fully believe it isn't) you could ask for the Feature Request number and add/create a request for this and share it here so others can find it and add their votes if it's something they could actually use. 

L7 Applicator

Hi @SteveMcBride

What GP version do you use? What does your GP setup look like (on-demand/pre-logon/user-logon, is SSO enabled ...)? Does your ISE forward the access-challenge packet to the firewall?

Depending on your actual configuration this should work with MFA.

Hi all,

Thanks for your replies. I have done further work and would like to share my findings and/or errors 😜

Basically what I have found to date is that I can't get this to work successfully with anything other than PAP. Initially I utilised EAP-GTC and am able to successfully authenticate and connect when there is no token issue. The problem with EAP-GTC is that when next tokencode mode is invoked, the messages just will not appear on the GP client. When I change the protocol back to PAP the prompts and tokencode process work as expected.

I have not been able to ascertain whether the issue is with ISE, Palo or indeed the RSA 8.1 server. I am going to post this on the other appropriate forums to see what I find and will update this post accordingly. I mainly post in case anyone else has this issue in the future.
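
For anyone comparing captures of the PAP and EAP cases described in this thread, the following is an added example (not posted by any participant) that parses a raw RADIUS packet and reports whether an Access-Challenge carries its prompt in Reply-Message or wraps it in EAP-Message. The function names, the sample packets and the prompt text are constructed, and the EAP sample assumes PEAP as the outer method; a bare GTC request would be reported as "GTC".

```python
import struct

ACCESS_CHALLENGE = 11                            # RADIUS code (RFC 2865)
REPLY_MESSAGE, STATE, EAP_MESSAGE = 18, 24, 79   # attribute types (RFC 2865 / RFC 3579)
EAP_TYPES = {6: "GTC", 25: "PEAP"}               # EAP method type numbers

def parse_attrs(pkt):
    """Return (code, [(type, value), ...]) from a raw RADIUS packet."""
    if len(pkt) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length field")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pkt[off + 2:off + alen]))
        off += alen
    return code, attrs

def describe_challenge(pkt):
    """Say where an Access-Challenge carries its prompt, if anywhere."""
    code, attrs = parse_attrs(pkt)
    if code != ACCESS_CHALLENGE:
        return {"challenge": False}
    out = {"challenge": True, "prompt": None, "eap_type": None,
           "has_state": any(t == STATE for t, _ in attrs)}
    replies = [v for t, v in attrs if t == REPLY_MESSAGE]
    if replies:                         # PAP-style challenge: cleartext prompt
        out["prompt"] = b"".join(replies).decode("utf-8", "replace")
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)  # join fragments
    if len(eap) >= 5 and eap[0] == 1:   # EAP code 1 = Request, byte 4 = type
        out["eap_type"] = EAP_TYPES.get(eap[4], str(eap[4]))
    return out

def _build(code, attrs):   # builds constructed sample packets, zeroed authenticator
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

PAP_CHALLENGE = _build(11, [(REPLY_MESSAGE, b"Enter next tokencode:"), (STATE, b"s1")])
EAP_CHALLENGE = _build(11, [(EAP_MESSAGE, b"\x01\x02\x00\x06\x19\x20"), (STATE, b"s2")])

if __name__ == "__main__":
    for name, p in (("PAP", PAP_CHALLENGE), ("EAP", EAP_CHALLENGE)):
        print(name, describe_challenge(p))
```

When `eap_type` is a tunneled method such as PEAP, any inner prompt travels inside the TLS tunnel and cannot be read from the capture, so `prompt` stays `None` even though a challenge was sent.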
