04-26-2017 09:10 PM
Hello,
We are having an issue with the GlobalProtect VPN client when using 2-Factor Authorisation to authenticate.
Instead of being presented with a second login prompt to enter the code from the keyfob, Palo Alto is rejecting logins unless the keyfob code is appended to the user’s password on the initial login prompt.
How can we change this to the desired behaviour of the second login prompt?
Thanks in advance.
04-27-2017 02:35 AM
This sounds like normal behavior to me based on my experience with RSA SecurID (not with GP, though).
MFA doesn't necessarily mean multiple prompts, it just means something you know (PIN) + something you have (one time password).
The only time I've seen SecurID act like I believe you're expecting it to is with on demand authentication, in which one first enters their PIN, then receives the one time password via email or text, so there has to be a second prompt for that.
04-27-2017 08:32 AM
That's normal depending on your 2-factor setup.
The GP client has no idea that it's supposed to feed the second prompt because it simply receives the authentication failed message, and in reality it has failed because it doesn't match what your AD/Radius server is expecting. This in turn causes the authentication to fail/timeout. The workaround for a setup like this is to either
A) Depending on the multifactor solution (like RSA) you can tie the password it feeds through to a certain account. So if I have my token assigned to my 'administrator' account, my 'normal' unprivileged account encounters an additional password dialog as the password stored by RSA no longer matches the password for my 'normal' account. You would have to switch the token to being tied to the 'normal' account, and then the additional password dialog would happen when I utilize my 'administrator' account.
B) Exactly what you currently have users doing.
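The behaviour described in the reply above, modelled as an added example (this is constructed demonstration code, not from the thread, from Palo Alto Networks or from any RADIUS vendor): a toy RADIUS backend in two modes. In "appended" mode the server expects the static password and the token code concatenated in the one User-Password field, so a client that sends only the password just gets Access-Reject, which is all the VPN client can report. In "challenge" mode the server answers a correct password with Access-Challenge plus a State attribute (RFC 2865), and the second prompt only appears if the client understands that reply. The credentials are made up, the token is RFC 4226 HOTP rather than any particular vendor's algorithm, and nothing is sent on the wire.

```python
"""Toy model of why a RADIUS backend that expects password+OTP in one field
looks like a plain "authentication failed" to the VPN client, while a
challenge/response backend produces a second prompt.  Constructed demo; it
does not speak real RADIUS on the wire (no UDP, no packet encoding)."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

# Constructed demo credentials; the OTP secret is the RFC 4226 test-vector seed.
USER_DB = {"alice": {"password": "S3cret!", "otp_secret": b"12345678901234567890"}}
OTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


@dataclass
class RadiusReply:
    code: str             # "Access-Accept", "Access-Reject" or "Access-Challenge"
    state: bytes = b""    # RFC 2865 State attribute; the client must echo it back
    reply_message: str = ""


class RadiusServer:
    """mode="appended": one request, User-Password = static password + OTP.
    mode="challenge": static password first, then Access-Challenge for the OTP."""

    def __init__(self, mode: str, counter: int = 0):
        self.mode = mode
        self.counter = counter      # HOTP counter the token and server share
        self.pending: dict[bytes, str] = {}

    def access_request(self, user: str, password: str, state: bytes = b"") -> RadiusReply:
        rec = USER_DB.get(user)
        if rec is None:
            return RadiusReply("Access-Reject")
        expected_otp = hotp(rec["otp_secret"], self.counter)
        if self.mode == "appended":
            static, otp = password[:-OTP_DIGITS], password[-OTP_DIGITS:]
            ok = hmac.compare_digest(static, rec["password"]) and hmac.compare_digest(otp, expected_otp)
            return RadiusReply("Access-Accept" if ok else "Access-Reject")
        # challenge mode, second leg: State identifies the half-finished login
        if state:
            if self.pending.pop(state, None) == user and hmac.compare_digest(password, expected_otp):
                return RadiusReply("Access-Accept")
            return RadiusReply("Access-Reject")
        # challenge mode, first leg: static password only, then ask for the token
        if not hmac.compare_digest(password, rec["password"]):
            return RadiusReply("Access-Reject")
        st = secrets.token_bytes(16)
        self.pending[st] = user
        return RadiusReply("Access-Challenge", st, "Enter your token code")


def client_login(server, user, password, otp, handles_challenge):
    """VPN-client side.  A client that does not understand Access-Challenge
    treats anything other than Access-Accept as a failed login."""
    reply = server.access_request(user, password)
    if reply.code == "Access-Challenge":
        if not handles_challenge:
            return "failed"
        reply = server.access_request(user, otp, reply.state)   # the second prompt
    return "ok" if reply.code == "Access-Accept" else "failed"


def run_scenarios() -> dict:
    otp = hotp(USER_DB["alice"]["otp_secret"], 0)
    appended, challenge = RadiusServer("appended"), RadiusServer("challenge")
    return {
        # backend expects password+OTP in one field: only the concatenation works
        "appended/password+otp": client_login(appended, "alice", "S3cret!" + otp, otp, True),
        "appended/password only": client_login(appended, "alice", "S3cret!", otp, True),
        # challenge backend: the second prompt appears only if the client handles it
        "challenge/client handles": client_login(challenge, "alice", "S3cret!", otp, True),
        "challenge/client ignores": client_login(challenge, "alice", "S3cret!", otp, False),
        "challenge/password+otp": client_login(challenge, "alice", "S3cret!" + otp, otp, True),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:28} {result}")
```

The two failing rows are the ones the thread describes: a client feeding only the static password to an "appended" backend, and a client that does not act on Access-Challenge. Neither failure is distinguishable from a bad password at the client, which is why the fix has to be made on the server or in the client's configuration, not guessed from the error message.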
04-28-2017 01:33 PM
Hello,
What version of the GP client are you using? I know I had issues with certain versions where they would not give me the second prompt. I have GP set up to have different authentications for portal and gateway; this way we get the first prompt for username/password and then a second one for the other auth method.
Agent 2.3.3 is currently stable for me.
Regards,
04-30-2017 04:04 PM
Thanks.
So is the “on demand” option you mentioned usable with a keyfob or must the one-time code be emailed/SMSed?
05-01-2017 07:01 AM
On demand is via SMS/email. Out of hardware, software and ODA, it's the cheapest and most versatile option (I've managed all 3).
05-04-2017 09:39 PM
Thanks to @bradk14 @OtakarKlier and @BPry for the responses. Very helpful.
One last question: Does PA GP VPN support client certificate combined with RADIUS authentication with the client running in On Demand mode?
05-05-2017 06:52 AM
So you want to check for a client certificate and ask for username and password; or is it that you simply want it to fall back to RADIUS authentication if the device doesn't have a client cert?
05-07-2017 03:42 PM
We want to check for a client certificate and ask for a username/password (to be authenticated by RADIUS) using on-demand mode.