Global Protect does not ask for OTP


L1 Bithead



I had configured a RADIUS server (FreeRADIUS) that works with google_authenticator and Active Directory. So far this works that way:


- Login via Global Protect Client with username and AD password+OTP (password and OTP in 1 prompt)



I need to enter the OTP separately and not together with the password. How can I achieve this?


The portal and the gateway had the same authentication profile (use the RADIUS server for both, first google_authenticator (forward_pass to AD)). Also, I do not understand the "Components that Require Dynamic Passwords (Two-Factor Authentication)" option; if I enabled this for the ext. gateway or portal, the behavior did not change and I had to enter password+OTP in one prompt.


Maybe I have to configure this on the RADIUS server, but if I log in via SSH using RADIUS, the client asks for the "Verification code" after the password is entered, so I think it should be configured on the firewall.


Any ideas?




Accepted Solutions


I understood how you want to use the two authentications of the portal and gateway, and I wrote of low chances because it might be possible that somehow the process for the portal could have a problem while the gateway still works properly. OK, the probability is extremely low, but in theory it is possible.

I also read some things about the google_authenticator pam module and I came to the same conclusion as you: without some rewriting of the module it isn't possible that this authentication module will be access-challenge compatible.


LinOTP is a very good idea, I think. This way you will be able to configure the login flow in the LinOTP application (and in addition this software gives you way more possibilities for other configurations, user self-registration, logging, ...).


Cyber Elite

Hi @Michael.Thyme


Do you use the same Authentication Profile for GP and for admin access?

Hi vsys_remo,


Yes, for the login into the web GUI I use the same auth profile.

Hmm ... actually this is a setting on the RADIUS server where you define how the RADIUS server expects the password/OTP, because the firewall only sends what it gets from the user. The RADIUS server then answers with an ACCESS-ACCEPT, ACCESS-REJECT or ACCESS-CHALLENGE, where the last one tells the firewall to show an additional input prompt to the user where the OTP has to be entered.
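
The reply above describes the two server behaviours: a single prompt with password and OTP concatenated, or an Access-Challenge that triggers a second prompt. The following is an added example, not code from the thread, FreeRADIUS or PAN-OS; it models only the reply types in memory (no real RADIUS packets), and `ToyRadiusServer`, the user, password and secret are constructed for illustration.

```python
import hashlib, hmac, os, struct

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def same(a: str, b: str) -> bool:
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())

class ToyRadiusServer:
    """Hypothetical in-memory model of the server side of the exchange."""
    def __init__(self, users, challenge_mode):
        self.users = users                     # name -> (password, totp_secret)
        self.challenge_mode = challenge_mode   # False = password+OTP in one field
        self.pending = {}                      # State value -> user awaiting OTP

    def access_request(self, user, password, now, state=None):
        if user not in self.users:
            return {"code": "Access-Reject"}
        pw, secret = self.users[user]
        otp = totp(secret, now)
        if state is not None:
            # Second round: the password field carries only the OTP, and the
            # State value must match a challenge issued to this user (one use).
            ok = self.pending.pop(state, None) == user and same(password, otp)
        elif not self.challenge_mode:
            # Single prompt: the server expects password and OTP concatenated.
            ok = same(password, pw + otp)
        elif same(password, pw):
            # First factor is fine: ask the client to prompt for the OTP.
            state = os.urandom(16).hex()
            self.pending[state] = user
            return {"code": "Access-Challenge", "State": state,
                    "Reply-Message": "Verification code: "}
        else:
            ok = False
        return {"code": "Access-Accept" if ok else "Access-Reject"}

if __name__ == "__main__":
    now = 1_700_000_000                        # constructed timestamp
    users = {"alice": ("Passw0rd", b"constructed-secret")}
    srv = ToyRadiusServer(users, challenge_mode=True)
    first = srv.access_request("alice", "Passw0rd", now)
    print(first["code"], "->", first["Reply-Message"])
    code = totp(b"constructed-secret", now)
    print(srv.access_request("alice", code, now, state=first["State"])["code"])
```
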

OK, thanks. I will take a look at the RADIUS side and hopefully change the behavior...


What do you think about the following workaround:


1. Authentication to Portal via LDAP auth profile (AD user + PW)

if success -->

2. Authentication to Gateway via RADIUS auth profile (username (same format as AD username) + OTP)



I do not know if this is good practice or insecure...

Is it possible to connect to the Gateway without connecting to the Portal first?

In this case that wouldn't be a workaround for us...


