This article is based on a discussion, Global Protect authentication happened two time while using RADIUS, posted by @AhamadullahM and answered by @Astardzhiev. Read on to see the discussion and solution!
We have faced the Global Protect authentication that happened two times while using the RADIUS server.
First, I am trying to connect to VPN and enter the user name and Password after the OTP has asked then entered the OTP after, again the user name password is asked then OTP is provided after VPN was connected.
We need to avoid the twice authentication.
Kindly help to fix the issue.
This is by design, let me try to break down why it's happening and what you can do.
GlobalProtect VPN consist of two main components — the Portal and Gateway. For sake of simplicity let's say that every time the VPN user connects he will first connect to the Portal and then to the Gateway:
- User will connect to GP Portal, which will provide information of how the GP client will behave and to which Gateways it should try to connect.
- User will then try to establish a connection to the provided Gateways. At this point the VPN tunnel is established and the client is provided with routing information on which traffic to forward over the tunnel.
Now, both of these connections (to Portal and to Gateway) require authentication. Which means GP client will always authenticate twice - once to the Portal and once to the Gateway. This behavior is usually hidden to the end-user when using simple user/password authentication. By default GP client will cache the entered credentials. So when the user is prompted to authenticate to the Portal, the client will cache those credentials and use those first when prompted to authenticate to Gateway. If the gateway uses the same authentication (which is in most of the cases), the user will be connected to the Gateway without being prompted to authenticate a second time. But on the background there is actually second authentication.
This is important, because in your case your are using OTP. OTP is meant to be used one-time (according to its name, right). So when user is prompted by the Portal to authenticate, he will provide the username and password, will be challenged with OTP and he will provide it. After that, the client will receive the list of Gateways and will need to authenticate to the Gateway. The firewall will first try to use the cached credentials, so it will provide the same OTP that was used to authenticate to the Portal. In this case the OTP provide will reject the authentication, because it will notice that OTP is re-used. Failed authentication will force the client to prompt user to re-enter credentials, which will be accomplished with fresh OTP.
As you can see, it is not actually a problem of the RADIUS, but how GlobalProtect actually works.
Of course, user experience is very important in such cases, so there is one solution, probably more of a workaround, but since it is the only possible solution I would say it becomes standard.
Two words: Authentication Override.
GlobalProtect provides you with option to generate an authentication cookie once the user is successfully authenticated. This cookie will be stored on the user's computer and has a configurable life time. The purpose of this cookie is to authenticate the user. Instead of using the authentication method you have setup for your GlobalProtect, the flow would be like this:
2. Configure GP Gateway to accept authentication cookie with life time of 1min. (Do not enable generate, only accept)
What will happen is:
For the enduser it looks like he is authenticated only once and connected to the VPN.
When the user disconnects and tries to connect again to the Portal, since portal does not accept auth cookie, it will ask the user to authenticate again with OTP.
If the user tries to connect directly to Gateway (which accepts cookies), the gateway will try to validate the cookie, but it will notice it has expired and will prompt the user to authenticate with OTP.
If you search for MFA/OTP with RADIUS in the form you will find a lot of other discussions, where you could even find more detailed config examples.