This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

End users selects DENY on the MFA prompt on the phone still are able to connect to GlobalProtect agents

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

End users selects DENY on the MFA prompt on the phone still are able to connect to GlobalProtect agents

HarryScore
L1 Bithead

‎09-11-2024 07:54 PM

I need some advices on this GP VPN Client with MFA issue: 

End users selects DENY on the MFA prompt on the phone still are able to connect to GlobalProtect agents

The current auth environment is that users use Active Directory in Azure  for MFA and use Radius to authentication process in Globalprotect.

 

 

0 Likes Likes
6 REPLIES 6

JayGolf
Community Team Member

‎09-16-2024 03:17 PM

Hi @HarryScore ,

 

How long do you have timeout setup for RADIUS? 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

HarryScore
L1 Bithead
In response to JayGolf

‎09-16-2024 07:52 PM

@JayGolf  current Radius timeout setup is 30 secs

is there a way to check GP timeout setting? 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBufCAG&lang=en_US%E2%80%A...

 

0 Likes Likes

kiwi
Community Team Member

‎09-17-2024 03:37 AM

Hi @HarryScore ,

 

Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBufCAG&lang=en_US%E2%80%A...

 

>configure
# set deviceconfig setting global-protect timeout 90
#commit

# show deviceconfig setting global-protect
global-protect {
  timeout 90;
}
# exit

 

Hope this helps,

Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

Brandon_Wertz
L6 Presenter

‎09-17-2024 08:20 AM - edited ‎09-17-2024 08:22 AM

@HarryScore wrote:

I need some advices on this GP VPN Client with MFA issue: 

End users selects DENY on the MFA prompt on the phone still are able to connect to GlobalProtect agents

The current auth environment is that users use Active Directory in Azure  for MFA and use Radius to authentication process in Globalprotect.

 

 

This isn't exactly your question, but can you do MFA from Azure?  If you tie the MFA from Azure it's an easier way to enforce the MFA process from an Azure authentication, vice letting the downstream system enforce it.  Also doing it at the Azure level ensure you have a consistent MFA process.

0 Likes Likes

JayGolf
Community Team Member
In response to kiwi

‎09-17-2024 11:36 AM

@HarryScore ,

 

Try setting the timeout to at double of what you set up in Radius. If that doesn't work, I'd try increasing your radius to 60 sec. 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

HarryScore
L1 Bithead

‎09-18-2024 07:53 PM

Thanks everyone.

beside the radius server, we have another NPS server with NPS Extension for Azure MFA.

I have tried to setup the GP timeout to 90 secs, Radius server to 60 secs, still no luck.  Palo TAC doesn't help much either.

We are deploying Prisma now which should be resolve the issue.

 

  • 500 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks