Global Protect - Clients with excessive failed logins

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect - Clients with excessive failed logins

L1 Bithead

We've had Global Protect in production for a while now, but it has just recently been brought to my attention that we are having a lot of users locking their accounts out.

The GP client prompts them for their AD username / password. Maybe they fat-finger their password or whatever. The GP client never gives them any indication of any issue, other than just prompting for credentials again. I have users that are failing logins 30-40 times within a couple of hours. Of cource AD is locking their account out, but the end user has no idea. All they know is they are continueing to get prompted for creds.

Has anyone ran into this situation? Any suggestions?

 

Most clients are using 3.1.3 while some are using 4.0.6. I am using aloways on mode and the same Kerberos profile to authenticat to both the portal and the gateway. I'm pretty sure that having them plug in their password twice is over-kill and adding to the issue. My security team would need some other way to auth to mitigate. I want to use pre-logon tunnel and device certs, but we just aren't there yet. 

 

Any help or suggestions would be greatly appreciated!

 

Thanks,

Jonathan

7 REPLIES 7

Cyber Elite
Cyber Elite

@Jonathan.Bennett,

Not sure what the solution would be, but the lockout should be temporary if you are following current recomendations as far as AD goes. The pre-logon with device cert auth would be the solution here as far as I'm aware, but the AD change would at least make it a little less of an issue. 

L7 Applicator

Ldap instead of kerberos would prevent account lockouts... 

 

why not generate a cookie at portal login to use on gateway auth... to reduce prompts.

 

 

@BPry,

I don't know what MS recommendations are for AD, but our security team requires AD accounts to be manually unlocked. 

I agree with you about the pre-logon tunnel, but it's another 6-8 months out for me. I was hoping to find a band-aid until then. Thanks for your help.

@Mick_Ball,

Will LDAP give a return like that? When I opened a case with PA TAC they told me it wouldn't. We've only used Radius for RSA and Kerberos, so I have not tested LDAP.

 

Using a secure cookie would reduce a login prompt. Not sure if my security team will go for it, but it's idea. Thank you.

A return like what.... not sure what you mean... 

ldap just compares user vs password, just gets a yes or no, this is not registered against auth attempts on AD.

 

regarding cookies, i cannot see the benefit of using the same credentials twice, i can understand if using different auth profiles for portal and gateway but you seem not to be doing this.

 

Looking forward to your portal config... 

 

 

 

 

Looking forward to your portal config

 

 

Sorry.... wrong thread....

I guess my ultimate wish would be to be able to get some sort of a error or message to the end user. Anything but a continual prompt for their creds. I have about 200 users on my portal, and I have about 15 that have multiple lock outs over the past 3 days.

  • 4823 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!