Global Protect Next TokenCode Mode

Reply
L1 Bithead

Global Protect Next TokenCode Mode

Hi all,

 Just wondering what I am missing in terms of getting the GlobalProtect Portal and Gateway to show next token prompts etc.

I have a fairly straightforward ISE RADIUS setup that talks to RSA AM. The authentication and authorization works except when next tokencode mode is invoked as no prompts are seen to indicate the next token is required. I can see the radius server sending the access-challenge to the client but nothing happens on either the portal or gateway,

L7 Applicator

Re: Global Protect Next TokenCode Mode

@SteveMcBride

I don't believe that feature is actually supported at this time, but you might want to reach out to your SE to get formal verification. If not (and I fully believe it isn't) you could ask for the Feature Request number and add/create a request for this and share it here so others can find it and add their votes if it's something they could actually use. 

L7 Applicator

Re: Global Protect Next TokenCode Mode

Hi @SteveMcBride 

 

What GP version do you use? How does your GP setup look like (on-demand/pre-logon/user-logon, is SSO enabled ...)? Does your ISE forward the access-challenge packet to the firewall?

Depending on your actual configuration this should work with MFA.

 

 

L1 Bithead

Re: Global Protect Next TokenCode Mode

Hi all,

 

thanks for your replies. I have done further works and would like to share my finding and/or errors ;p

 

Basically what I have found to date is that I can't get this to work successfully with anything other than PAP. Initially I utilised EAP-GTC and am able to successfully authenticate and connect when there is no token issue. Problem with EAP-GTC is when next tokencode mode is invoked the messages just will not appear on the GP client. When I change the protocol back to PAP the prompts and tokencode process work as expected.

 

I have not been able to ascertain whether the issue is with ISE, Palo or indeed the RSA 8.1 server. I am going to post this on the other appropriate forums to see what I find and will update this post accordingly. I mainly post in case anyone else has this issue in the future.

Tags (1)
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!