RADIUS MFA Enrollment Message

L1 Bithead

RADIUS MFA Enrollment Message

I have successfully deployed MFA for my Global Protect users using PingID. Using RADIUS and LDAP I am able to have a user challenged every time they want to fire up the Global Protect gateway. However, this functionality only happens when a user has their device pre-enrolled into the PingID portal. If the user doesn't have a PingID account with their username present they are not challenged and ultimately authentication fails. IMO, this shouldn't be a pre-requisite when attempting to connect to a corporate service such as, GP. The user experience should be seamless and there should be instructions of how to enroll based on the service they're accessing.

Interestingly enough there are!

However, the user is unable to see the instructions as I can only find them in the Authd.log file. When I attempt to authenticate to my Global Protect portal and my device is not pre-enrolled to PingID there is no error put on the Global Protect portal login screen about failed login attempt. However, when I check the Authd.log on my firewall I can plainly see an entry with instructions of how to enroll my device.

My question is how do I get this message to be displayed to my users?


Message being displayed in the authd.log:
2019-10-21 13:17:12.027 +0000 debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:314): reply msg = Your company has enhanced its VPN authentication with PingID. Please install the PingID app for iOS or Android, and use pairing key: 000000000000. To connect, type "ok".


Technical details:

Palo Alto 3020 | 8.1.8

Global Protect | 5.0.4


I have a case with TAC opened and my SE is trying to find a solution. However, I figured I would come to the biggest audience possible for a faster turn around time.


L4 Transporter

Re: RADIUS MFA Enrollment Message

Upgrade to 8.1.9.


It is a bug. Look into the html source code of the page. There you see the message, it is not rendered correctly.


It works with 8.1.9

L1 Bithead

Re: RADIUS MFA Enrollment Message

Hey @Anon1,


I moved up to 8.1.10 and it's still not working. I do see the var respMsg when i inspect the page, however, nothing is still being presented. I may go all the way up 8.1.11 and if that doesn't work go to a 9.0.x revision, unless you have any other insight?

L4 Transporter

Re: RADIUS MFA Enrollment Message

I use the PingID authentication only for Panorama admin access, there it works with 8.1.9. I hoped the code would be the same on the firewall device side for this functionality. The actual issue is the double quote in the string returned from PingID (...To connect, type "ok".). This is not handled correctly within the Javascript and therefore rendering fails. You see also a corresponding error when you open the developer mode in the browser. Perhaps you can customize the message from PingID to not contain quotes?

L1 Bithead

Re: RADIUS MFA Enrollment Message

Thanks @Anon1 this is extremely helpful. I decided to down grade back to 8.1.9 and the GP portal doesn't display the message. However, the GP gateway is now displaying the message. I think this should be enough to roll out to my users.

I will work with my MFA people and see if we can change the incoming message.



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!