09-07-2018 06:21 AM
If you have two-factor auth on the portal and the gateway, without using the cookie or passing the auth from the portal to the gateway, will it ask you to authenticate twice?
09-07-2018 09:58 AM
Makes sense that it would, but I can pass the authentication if I choose the cookie option, can't I? I bet that is why the native clients are not getting the routing information from the gateway, because they are only asked to authenticate once.
09-07-2018 12:17 PM
Hi @jdprovine, hope you are well...
I don't think, in fact I'm pretty sure, that native clients do not use the portal; they connect directly to the gateway.
So either I have got that wrong or you are having some other issues with routing info...
09-07-2018 12:26 PM
Hope you are doing well too....
Well I had never thought of that, interesting. Do you know the technical reason why? Seems like if it went to the gateway it should get the route information.
09-07-2018 12:36 PM
Not really a technical answer, but IPSec deployments are never implemented the same across devices. The firewall will only send route information in a certain manner; whether the end-device has been programmed to accept the route as given is a different story. Most vendors won't take the time to implement every single possible method and don't generally keep up with the changes made throughout all the different implementations. This is why VPN clients are offered; they can ensure that they are both passing/expecting the proper information.
I'm fairly positive that @Mick_Ball is correct in the fact that native clients do not utilize the portal in the connection process.
09-07-2018 12:49 PM - edited 09-08-2018 12:36 AM
Spot on @BPry.
09-10-2018 07:18 AM
So I have both RADIUS and OTP enabled on the gateway and the portal; do I need it on both?
09-10-2018 09:57 AM
ooer... this could get confusing...
For native clients, just the gateway, but if you have GP clients then you will also need it on the portal.
Having it on both without cookie.... well, it's an OTP so it cannot be used again for the gateway; that's why the authentication override (cookie stuff) is there.
09-10-2018 05:23 PM
So about these cookies .....
In all seriousness in your situation @jdprovine I would really recommend that you keep OTP on both and then just enable authentication override so that users don't have to enter the OTP twice.
09-11-2018 05:52 AM
coooookkkkiiiieee. Love the cookie monster picture. So how will authentication override affect those users using the native client?
09-11-2018 05:56 AM
So application override is set in the portal and then the information is passed on to the gateway? Course I am only going to do it based on the effect it has on the native client.
09-11-2018 06:21 AM
So the authentication override doesn't come into play with the native clients, because they are only connecting to the gateway. Where the authentication override will come into play is when the GP agents log in; they will then only need to enter the OTP once when you get cookie auth properly set up.
09-11-2018 06:27 AM
So do you select generate cookie for the override on the portal and accept cookie on the gateway? It makes even less sense that the native client doesn't get the routes from the gateway since it is connected directly to it.
09-11-2018 07:06 AM
So the primary issue with expecting native clients to handle route information properly... When most clients (95%+) are unable to understand received route information they will generally fall back to their default of 0.0.0.0/0, sending everything through the established tunnel. Just to verify, are you seeing the native clients route everything through the tunnel or are you getting nothing through the tunnel?
This has always been a downside of using native clients, and why most vendors have moved away from them. You simply can't anticipate how others will implement things so stuff will always break as one side or the other makes changes. Now that most vendors are using agents it's even less of a concern for most, as most people will never even notice if it's broken. This essentially boils down to the fact that IPSec implementations really don't follow a set standard, they never have.