We are having an issue with the GlobalProtect VPN client when using 2-Factor Authorisation to authenticate.
Instead of being presented with a second login prompt to enter the code from the keyfob, Palo Alto is rejecting logins unless the keyfob code is appended to the user’s password on the initial login prompt.
How can we change this to the desired behaviour of the second login prompt?
Thanks in advance.
This sounds like normal behavior to me based on my experience with RSA SecurID (not with GP, though).
MFA doesn't necessarily mean multiple prompts, it just means something you know (PIN) + something you have (one time password).
The only time I've seen SecurID act like I believe you're expecting it to is with on-demand authentication, in which one first enters their PIN, then receives the one-time password via email or text, so there has to be a second prompt for that.
That's normal depending on your 2-factor setup.
The GP client has no idea that it's supposed to feed the second prompt because it simply receives the authentication failed message, and in reality it has failed because it doesn't match what your AD/RADIUS server is expecting. This in turn causes the authentication to fail/timeout. The workaround for a setup like this is to either
A) Depending on the multifactor solution (like RSA), you can tie the password it feeds through to a certain account. So if I have my token assigned to my 'administrator' account, my 'normal' unprivileged account encounters an additional password dialog, as the password stored by RSA no longer matches the password for my 'normal' account. You would have to switch the token to being tied to the 'normal' account, and then the additional password dialog would happen when I utilize my 'administrator' account.
B) Exactly what you currently have users doing.
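To make concrete why a password-only login fails in the single-prompt setup described in the reply above, here is an added example (not from this thread and not Palo Alto or RSA code): a minimal RADIUS-side check that splits a trailing six-digit tokencode off the submitted password and verifies both factors. It assumes a TOTP keyfob (RFC 6238) in place of SecurID, and the secret, password and timestamps are constructed values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with a time-based counter."""
    return hotp(secret, now // step, digits)


def check_appended_otp(submitted: str, stored_password: str, secret: bytes,
                       now: int, digits: int = 6, window: int = 1) -> bool:
    """Validate 'password + tokencode' typed into a single login prompt.

    The trailing `digits` characters are taken as the one-time code, the rest
    is compared against the static password, and the code is accepted if it
    matches the current 30-second step or one step either side (clock drift).
    A bare password with no code appended is rejected outright, which is the
    'authentication failed' the GP client reports instead of a second prompt.
    """
    if len(submitted) <= digits:
        return False
    static_part, code = submitted[:-digits], submitted[-digits:]
    # Constant-time comparison so the split does not leak password length/content.
    if not hmac.compare_digest(static_part.encode(), stored_password.encode()):
        return False
    counter = now // 30
    for delta in range(-window, window + 1):
        if hmac.compare_digest(code, hotp(secret, counter + delta, digits)):
            return True
    return False


# Constructed values: the RFC 6238 test-vector secret and a made-up password.
SECRET = b"12345678901234567890"
PASSWORD = "hunter2"
```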
What version of the GP client are you using? I know I had issues with certain versions where they would not give me the second prompt. I have GP set up to have different authentications for portal and gateway; this way we get the first prompt for username/password and then a second one for the other auth method.
Agent 2.3.3 is currently stable for me.
So you want to check for a client certificate and ask for username and password; or is it that you simply want it to fall back to RADIUS authentication if the device doesn't have a client cert?