GlobalProtect Requests Authentication Credentials to Clients Twice

Created On 09/25/18 18:40 PM - Last Modified 06/02/23 08:25 AM




Scenario

A Palo Alto Networks device is configured as both a GlobalProtect Gateway and a GlobalProtect Portal. The GlobalProtect Gateway and GlobalProtect Portal have been configured with different authentication profiles.

Issue

When a GlobalProtect client connects to the Palo Alto Networks device, the device requests authentication credentials twice. Even if the client authenticates successfully to the gateway, the logs will show an authentication failure.

Cause

The GlobalProtect client first connects to the GlobalProtect Portal. Depending on the authentication profile configured on the portal, this may prompt the user for authentication credentials. The GlobalProtect Portal then directs the client to the GlobalProtect Gateway, which is located on the same device. The device also automatically sends the credentials that were provided to the portal on to the gateway for authentication. With a different authentication profile configured on the GlobalProtect Gateway, this may cause a failed authentication attempt, and the user will then be prompted to enter authentication credentials for the gateway authentication profile.

Resolution

PAN-OS 6.0 introduced a new "Authentication Modifier" option under the GlobalProtect Portal > Client Configuration > General tab. The "Different password for external gateway" modifier (as shown in the screenshot below) indicates that the portal and gateway use different authentication credentials. This causes the Palo Alto Networks firewall to prompt the user for the gateway password after portal authentication succeeds.

GP Different 1.PNG

 

owner: mdjeric


