Radius authentication for Global Protect

L1 Bithead

Radius authentication for Global Protect

Hi community!

I have encountered a "problem" with our Global Protect authentication while we were doing some maintenance work.

We have an Authentication Profile with 3 RADIUS servers for authenticating the users, and the number of retries is set to 5.

So, according to Palo Alto documentation, after 5 authentication attempts against server 1, it should try with server 2, and so on and so forth.

However, the Global Protect client gives back the authentication failure after the 3rd attempt, so it will never try server 2. We were doing maintenance on server 1, relying on the other 2 servers, but Global Protect was never using the other 2.

Is there any best practice to use here?

Thanks!

L7 Applicator

Re: Radius authentication for Global Protect

@Gabriel_Linero,

Is auth failing at the GP Portal or the GP Gateway or both? 

Edit:

Have you configured an auth sequence? Kind of sounds like you maybe haven't configured an authentication sequence. 

L1 Bithead

Re: Radius authentication for Global Protect

Hi @BPry, I haven't checked with the portal, but when you connect with the Global Protect client to the portal, it authenticates in both portal and gateway. We have the authentication override so we do only one authentication.

We indeed don't have an authentication sequence, but as far as I know, that's for using different profiles. What we have is one authentication profile with one RADIUS server profile that holds 3 RADIUS servers. As per Palo Alto documentation, when using the Server profile, it will try the first server for the number of retries, and then go to the second server.

We have configured 5 retries, but after the 3rd one (according to the logs) the Global Protect client already got the authentication failure and asks the user to re-enter username and password.

We may need to configure fewer retries? Is Global Protect working in a different way when it retries the RADIUS authentication?

L7 Applicator

Re: Radius authentication for Global Protect

Hmmm... this is a bit confusing but...

the radius max retries is 5, as per documentation.

so if you set profile to 5 then it will try first server 5 times, it will not try server 2 because you have used up your 5 attempts.

not sure about your logs but wireshark shows all attempts...

if you have 5 servers in the list then you must set retries to "1" or the last server will never get used.

so set retries to 2 or 3. let's face it, if you do not hit your server after 2nd attempt then something is wrong....

you can set auth sequence as per @BPry. this will of course work but bear in mind that if a user enters an incorrect password or code then the same password/code will be used on server 2, so 2 bad auths registered against user... if you have 3 servers with a 3 attempts lockout policy then account locked on one attempt as it will try 3 times.

starting to waffle on a bit... soz.

so.... have a max of 3 servers per profile and set it to 2 retries.

or 2 servers with retries of 3.

or 1 server with retries of 4.

L1 Bithead

Re: Radius authentication for Global Protect

Hi @MickBall, thanks a lot! will test that and see what happens :)

L7 Applicator

Re: Radius authentication for Global Protect

@Gabriel_Linero,

I missed your update yesterday, but @MickBall is correct. The radius has a max retry value of 5; that doesn't mean that it will try all servers 5 times, it means it will attempt to auth the connection 5 times. It's slightly odd that you are only ever seeing 3 attempts, but if you have 3 servers your retries should be set no greater than '2', noting that the 3rd radius server will only ever see 1 request.

I'd also recommend simply verifying that if you remove 'Server 1' from the profile you'll actually be able to authenticate via the other two servers. It's possible that configuration on the actual radius server itself isn't correct for the other two servers.

L1 Bithead

Re: Radius authentication for Global Protect

Try doing a packet capture for the radius traffic and check if the correct password is being sent for authentication. We have a situation where the wrong password is being sent by the firewall or gp agent. It is adding # in front of the password. We have an open case with support on it.

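
The packet-capture check suggested in the posts above, as an added example that is not from any poster or from Palo Alto Networks: given the UDP payloads of captured RADIUS traffic and the shared secret, it counts Access-Requests per server and recovers the User-Password that was actually sent (RFC 2865 section 5.2). All function names are hypothetical, and the addresses, secret, user and password are constructed sample values.

```python
import hashlib, struct
from collections import Counter

def xor_chain(data, authenticator, secret, hide=False):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(data[i:i + 16], pad))
        out, prev = out + res, (res if hide else data[i:i + 16])
    return out

def parse_access_request(payload):
    """Return (identifier, authenticator, attrs), or None if not a well-formed Access-Request."""
    length = int.from_bytes(payload[2:4], "big")
    if payload[:1] != b"\x01" or not 20 <= length <= len(payload):
        return None  # code 1 = Access-Request; header alone is 20 bytes
    attrs, pos = {}, 20
    while pos + 2 <= length:
        a_len = payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return None  # malformed attribute
        attrs[payload[pos]] = payload[pos + 2:pos + a_len]
        pos += a_len
    return payload[1], payload[4:20], attrs

def summarize(capture, secret):
    """capture: (server_ip, udp_payload) pairs -> (Access-Requests per server, passwords sent)."""
    per_server, passwords = Counter(), set()
    for server, payload in capture:
        parsed = parse_access_request(payload)
        if parsed is None:
            continue
        per_server[server] += 1
        hidden = parsed[2].get(2, b"")  # attribute type 2 = User-Password
        if hidden and len(hidden) % 16 == 0:
            passwords.add(xor_chain(hidden, parsed[1], secret).rstrip(b"\x00"))
    return dict(per_server), passwords

def build_request(ident, user, password, secret, authenticator):
    """Build a constructed Access-Request for the sample capture below (not real traffic)."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = xor_chain(padded, authenticator, secret, hide=True)
    attrs = bytes([1, len(user) + 2]) + user + bytes([2, len(hidden) + 2]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

SECRET, AUTH = b"lab-shared-secret", bytes(range(16))  # constructed values
PKT = build_request(7, b"alice", b"#Winter2024", SECRET, AUTH)
CAPTURE = [("10.0.0.1", PKT)] * 3 + [("10.0.0.2", PKT), ("10.0.0.2", b"\x03\x07\x00\x14" + AUTH)]
print(summarize(CAPTURE, SECRET))
```
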
L7 Applicator

Re: Radius authentication for Global Protect

@rj_raj

Could you share some more information about this issue:

  • PAN-OS version
  • GP-Agent version
  • Authentication (RADIUS, LDAP, ...)
  • Pre-Logon/On demand
  • Enforce Global Protect for network access enabled
  • ...

Maybe this would be helpful also for others here (and if others have the same problem and also open cases, this could also help you as the issue then gets a higher priority)

 

Thanks in advance,

Remo
