Radius authentication for Global Protect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Radius authentication for Global Protect

L1 Bithead

Hi community!

 

I have encountered a "problem" with our Global Protect authentication while we were doing some maintenance works.

We have an Authentication Profile with 3 RADIUS servers for authenticating the users, and the number of retries is set to 5.

So, according to Palo Alto documentation, after 5 authentication attempts against server 1, it should try with server 2, and so on and so forth.

However, Global Protect client gives back the authentication fail after the 3rd attempt, so it will never try the server 2. We were doing maintenance on server 1 relying on the other 2 servers, but Global Protect was never using the other 2.

Is there any best practise to use here?

 

Thanks!

1 accepted solution

Accepted Solutions

@Gabriel_Linero,

I missed your update yesterday, but @Mick_Ball is correct. The radius has a max retry value of 5; that doesn't mean that it will try all servers 5 times, it means it will attempt to auth the connection 5 times. It's slightly odd that you are only ever seeing 3 attempts, but if you have 3 servers you're retries should be set no greater then '2', noting that the 3rd radius server will only ever see 1 request. 

I'd also recommend simply verifying that if you remove 'Server 1' from the profile you'll actually able to authenticate via the other two servers. It's possible that configuration on the actual radius server itself isn't correct for the other two servers. 

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

@Gabriel_Linero,

Is auth failing at the GP Portal or the GP Gateway or both? 

Edit:

Have you configured an auth sequence? Kind of sounds like you maybe haven't configured an authentication sequence. 

Hi @BPry, I haven't checked with the portal, but when you connect with the Global Protect client to the portal, it authenticates in both portal and gateway. We have the authentication override so we do only one authentication.

We don't have ideed authentication sequence, but as far as I know, that's for using different profile. What we have is one authentication profile with one RADIUS server profile that inholds 3 RADIUS servers. As per Palo Alto documentation, when using the Server profile, it will try with the first server for the amount for retries, and then go to the second server.

We have configured 5 retires, but after the 3rd one (According to the logs) the client of Global Protect already go the authentication fail and asks the user to re-enter username and password.

We may need to configure less retries? Is Global Protect working in a different way when it retries the RADIUS authentication?

Hmmm...   this is a bit confusing but...

 

the radius max retries is 5, as per documentation.

 

so if you set profile to 5 then it will try first server 5 times, it will not try server 2 because you have used up your 5 attempts.

 

not sure about your logs but wireshark shows all attempts...

 

if you have 5 servers in the list then you must set retries to "1" or the last server will never get used..

 

so set retries to 2 or 3.  lets face it, if you do not hit your server after 2nd attempt then something is wrong....

 

you can set auth sequence as per @BPry. this will of course work but bear in mind that if a user enters an incorrect password or code then the same password/code will be used on server 2, so 2 bad auths registered against user... if you have 3 servers with a 3 attempts lockout policy then account locked on one attempt as it will try 3 times.

 

starting to waffle on a bit... soz.

 

so....     have a max of 3 servers per profile and set it to 2 retries.

or 2 servers with retries of 3.

or 1 server with retries of 4.

 

 

 

Hi @Mick_Ball, thanks a lot! will test that and see what happens 🙂

@Gabriel_Linero,

I missed your update yesterday, but @Mick_Ball is correct. The radius has a max retry value of 5; that doesn't mean that it will try all servers 5 times, it means it will attempt to auth the connection 5 times. It's slightly odd that you are only ever seeing 3 attempts, but if you have 3 servers you're retries should be set no greater then '2', noting that the 3rd radius server will only ever see 1 request. 

I'd also recommend simply verifying that if you remove 'Server 1' from the profile you'll actually able to authenticate via the other two servers. It's possible that configuration on the actual radius server itself isn't correct for the other two servers. 

Try doing packet capture for the radius traffic and check if the correct password is being sent for authentication. We have situation where the wrong password is being sent by the firewall or gp agent. It is adding # in front of the password. We have an open case with support on it

@rj_raj

Could you share some more information about this issue:

  • PAN-OS version
  • GP-Agent version
  • Authentication (RADIUS, LDAP, ...)
  • Pre-Logon/On demand
  • Enforce Global Protect for network access enabled
  • ...

Maybe this would be helpful also for others here (and if others have the same problem and also open cases, this could also help you as the issue then gets a higher priority)

 

Thanks in advance,

Remo

  • 1 accepted solution
  • 8414 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!