I have successfully deployed MFA for my GlobalProtect users using PingID. Using RADIUS and LDAP I am able to have a user challenged every time they want to fire up the GlobalProtect gateway. However, this functionality only happens when a user has their device pre-enrolled into the PingID portal. If the user doesn't have a PingID account with their username present, they are not challenged and ultimately authentication fails. IMO, this shouldn't be a prerequisite when attempting to connect to a corporate service such as GP. The user experience should be seamless, and there should be instructions on how to enroll based on the service they're accessing.
Interestingly enough there are!
However, the user is unable to see the instructions, as I can only find them in the authd.log file. When I attempt to authenticate to my GlobalProtect portal and my device is not pre-enrolled in PingID, there is no error shown on the GlobalProtect portal login screen about the failed login attempt. However, when I check the authd.log on my firewall I can plainly see an entry with instructions on how to enroll my device.
My question is how do I get this message to be displayed to my users?
Message being displayed in the authd.log:
2019-10-21 13:17:12.027 +0000 debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:314): reply msg = Your company has enhanced its VPN authentication with PingID. Please install the PingID app for iOS or Android, and use pairing key: 000000000000. To connect, type "ok".
Palo Alto 3020 | 8.1.8
Global Protect | 5.0.4
I have a case with TAC opened and my SE is trying to find a solution. However, I figured I would come to the biggest audience possible for a faster turnaround time.
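The text that authd logs as "reply msg" is carried in the RADIUS Reply-Message attribute (type 18, RFC 2865), normally alongside a State attribute (type 24) in an Access-Challenge (code 11). The following added example, which is not from the thread or from Palo Alto/Ping, builds a constructed Access-Challenge with the enrollment text from the log above and decodes it, so you can see exactly what the firewall receives before deciding whether to surface it; the pairing key is the placeholder from the log, not a real one.

```python
import struct

# RFC 2865 constants
ACCESS_CHALLENGE = 11
ATTR_REPLY_MESSAGE = 18
ATTR_STATE = 24

def build_packet(code: int, ident: int, attrs: list[tuple[int, bytes]]) -> bytes:
    """Assemble a RADIUS packet; the 16-byte authenticator is zeroed because
    this is a constructed sample, not a packet signed with a shared secret."""
    body = b""
    for atype, value in attrs:
        if len(value) > 253:  # attribute length field is one byte (max 255)
            raise ValueError("attribute value too long for one attribute")
        body += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16 + body

def parse_attributes(packet: bytes) -> list[tuple[int, bytes]]:
    """Walk the TLV attribute list that follows the 20-byte RADIUS header."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def challenge_summary(packet: bytes) -> dict:
    """Return the packet code, whether a State (challenge round-trip token) is
    present, and every Reply-Message text joined in order; RFC 2865 allows a
    server to split a long message across several Reply-Message attributes."""
    attrs = parse_attributes(packet)
    return {
        "code": packet[0],
        "has_state": any(t == ATTR_STATE for t, _ in attrs),
        "message": "".join(v.decode("utf-8", "replace")
                           for t, v in attrs if t == ATTR_REPLY_MESSAGE),
    }

# Constructed sample using the enrollment text seen in authd.log.
ENROLL_MSG = ('Your company has enhanced its VPN authentication with PingID. '
              'Please install the PingID app for iOS or Android, and use pairing key: '
              '000000000000. To connect, type "ok".')
SAMPLE = build_packet(ACCESS_CHALLENGE, 7,
                      [(ATTR_REPLY_MESSAGE, ENROLL_MSG.encode()), (ATTR_STATE, b"sess-1")])
```

If your RADIUS server returns the text in an Access-Reject instead of an Access-Challenge, `challenge_summary` will report code 3 with `has_state` False; that distinction is worth checking with a packet capture when a client shows only a generic failure.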
I moved up to 8.1.10 and it's still not working. I do see the var respMsg when I inspect the page; however, nothing is being presented. I may go all the way up to 8.1.11 and, if that doesn't work, go to a 9.0.x revision, unless you have any other insight?
Thanks @Anon1, this is extremely helpful. I decided to downgrade back to 8.1.9 and the GP portal doesn't display the message. However, the GP gateway is now displaying the message. I think this should be enough to roll out to my users.
I will work with my MFA people and see if we can change the incoming message.