Native Duo 2FA for GlobalProtect can't select Auth Profile or Auth Policy Zone



L1 Bithead

I'm moving to LDAP auth with Duo 2FA. We need a better answer than RADIUS as we've found Duo's Authentication Proxy functionally limited and crash-prone. Using Mitch Densley's video guide for PAN-OS 8.x as a starting point, I've gotten my Duo application set up, along with an authentication profile.


However, when I try to create an Authentication Enforcement object, my Duoized authentication profile doesn't appear on the menu (only "None"). If I skip that step momentarily and try to create an authentication policy, I can't select the zone my captive portal interface is in. I can't tell what I'm missing or how my environment differs from the how-to; I'm using PAN-OS 9.0.4 in an HA cluster managed by Panorama.

2 Replies

Cyber Elite

Did you create an object in vsys1 instead of 'shared'?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

For the Authentication Enforcement Object (Objects > Authentication), I found creating a shared object (one used across all device groups) made the authentication profiles invisible. When I created the AEO in the device group covered by that particular template stack, the profiles were available to select. This occurred because I was using Panorama for device management. I'd have to walk back through the exercise on a stand-alone device to see if there's a similar distinction between the device level shared context and a specific vsys. (I only have single instances on my firewalls, so nothing really needs to be "shared.") It's not exactly as @reaper suggested, but their suggestion took me to the right place.


I'm skipping the authentication policy step since further reading suggests it may not be needed for GlobalProtect. May have to revisit it after some testing.


So the short answer is: just turn off the "Shared" checkbox when creating the authentication enforcement object.
