2 Factor Auth Issue

L4 Transporter

Hello,

We are having issue with GlobalProtect VPN client when using 2 Factor Authorisation to authenticate.

Instead of being presented with a second login prompt to enter the code from the keyfob, Palo Alto is rejecting logins unless the keyfob code is appended to the user’s password on the initial login prompt.

How can we change this to the desired behaviour of the second login prompt?

Thanks in advance.

L4 Transporter

This sounds like normal behavior to me based on my experience with RSA SecurID (not with GP, though).

MFA doesn't necessarily mean multiple prompts, it just means something you know (PIN) + something you have (one time password).

The only time I've seen SecurID act like I believe you're expecting it to is with on-demand authentication, in which one first enters their PIN, then receives the one-time password via email or text, so there has to be a second prompt for that.

--
CCNA Security, PCNSE7
Cyber Elite

That's normal depending on your 2-factor setup.

The GP client has no idea that it's supposed to feed the second prompt because it simply receives the authentication failed message, and in reality it has failed because it doesn't match what your AD/RADIUS server is expecting. This in turn causes the authentication to fail/timeout. The workaround for a setup like this is to either

A) Depending on the multifactor solution (like RSA) you can tie the password it feeds through to a certain account. So if I have my token assigned to my 'administrator' account, my 'normal' unprivileged account encounters an additional password dialog as the password stored by RSA no longer matches the password for my 'normal' account. You would have to switch the token to being tied to the 'normal' account and then the additional password dialog would happen when I utilize my 'administrator' account.

B) Exactly what you currently have users doing.
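The post above describes the mechanism behind the missing second prompt: the client only ever sees a plain failure from the authentication backend. The following added example (not code from the thread or from Palo Alto) models a minimal RADIUS-style backend that supports both behaviours, a "concatenated" mode that expects password+OTP in one field and a "challenge" mode that answers a password-only login with a challenge instead of a reject. The user record, password and TOTP secret are constructed for the demo; the TOTP routine follows RFC 6238 with HMAC-SHA1.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo user (not from the thread). The TOTP secret is the
# RFC 6238 reference seed so the expected codes can be checked against the RFC.
USERS = {"alice": {"password": "Winter2024!", "totp_secret": b"12345678901234567890"}}


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second time step containing t."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def authenticate(user, password, otp=None, mode="concatenated", now=None):
    """Return ACCEPT, REJECT or CHALLENGE, mirroring a RADIUS backend's reply.

    concatenated: the client must send password+OTP in the one password field;
                  a bare password is simply wrong and gets REJECT, so the VPN
                  client never learns that a second factor was expected.
    challenge:    a correct bare password gets CHALLENGE (Access-Challenge),
                  which is what lets the client raise a second prompt.
    """
    rec = USERS.get(user)
    if rec is None:
        return "REJECT"
    now = int(time.time()) if now is None else now
    expected_otp = totp(rec["totp_secret"], now)
    if mode == "concatenated":
        pwd, code = password[:-6], password[-6:]  # OTP is the trailing 6 digits
        ok = hmac.compare_digest(pwd, rec["password"]) and hmac.compare_digest(code, expected_otp)
        return "ACCEPT" if ok else "REJECT"
    if mode == "challenge":
        if not hmac.compare_digest(password, rec["password"]):
            return "REJECT"
        if otp is None:
            return "CHALLENGE"  # backend asks for the second factor
        return "ACCEPT" if hmac.compare_digest(otp, expected_otp) else "REJECT"
    raise ValueError(f"unknown mode {mode!r}")
```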

Cyber Elite

Hello,

What version of the GP client are you using? I know I had issues with certain versions where they would not give me the second prompt. I have GP set up to have different authentications for portal and gateway; this way we get the first prompt for username/password and then a second one for the other auth method.

Agent 2.3.3 is currently stable for me.

Regards,

L4 Transporter

Thanks.

So is the “on demand” option you mentioned usable with a keyfob or must the one-time code be emailed/SMSed?

L4 Transporter

On demand is via SMS/email. Out of hardware, software and ODA, it's the cheapest and most versatile option (I've managed all 3).

--
CCNA Security, PCNSE7
L4 Transporter

Thanks to @bradk14 @OtakarKlier and @BPry for the responses. Very helpful.

One last question: Does PA GP VPN support client certificate combined with RADIUS authentication with the client running in On Demand mode?

Cyber Elite

@Farzana,

So you want to check for a client certificate and ask for username and password; or is it that you simply want it to fall back to RADIUS authentication if the device doesn't have a client cert?

L4 Transporter

We want to check for a client certificate and ask for a username/password (to be authenticated by RADIUS) using on-demand mode.
