If the option to disconnect with a ticket is unavailable or doesn't work with on demand mode... it's not explained on the document available to configure Globalprotect nor a banner or a warning message says... attention that features doesn't work with on demand features... It isn't a little bit stupid? For other things te PA says if there is something wrong.
So my cases to support is opened and they hasn't said me nothing about that. I will see if there are news and i'll update you about that.
Khamis, I resent your post. By having an opinion about something does not equate to giving out idiotic advice. You will notice that Im the only one to offer a solution to this problem which is or hasn't been documented property. I spent 3 days trying to remove this client from a test mac - hardly the operation of an easy to use client. Or do you think removing an application is beyond the remit of one's intelligence. While we are on the point I didnt notice you giving any sort of constructive advice. I suggest you engage your brain before trying to be awkward to a fellow poster I'm the future.
Re GP and my awful statement I have these feelings because of my experience with GP,
1. There is no(documented) way to uninstall it from a mac, as this poster had highlighted
2. The documentation and configuration scenario examples are vague
3. The client doesn't have some of the functionality of other VPN Clients
4. I don't like the fact that it installs and runs automatically
5. The automatic remember me function caused me lots issues before the latest version was released
6. It intermittently doesnt work when authentication to external RADIUS servers
I'm still testing this and are not confident about GP capabilities as a basic VPN client. I love the PA and some of its functions, but feel when PA moved from net connect to GP they made something that was really simple and worked into something that didn't need to be complicated and full of bugs.
I admit it's not exactly intuitive to select "Install" on an uninstall routine, but you can simply launch the .pkg file to uninstall GlobalProtect. I know we should maybe document this better, though it is the standard way of uninstalling software on the Mac.
GlobalProtect doesn't provide the list of features other VPN clients might have. But we felt that we should focus on what's really needed and make the user experience our highest priority. The goal of GlobalProtect is to keep you connected to a Palo Alto Networks Next Generation Firewall at all times to ensure that mobile user experience the same level of protection they get on the campus network. With that, it is important in my opinion to be as non-intrusive as possible, which is why it runs and connects automatically (which you can change btw).
The issues you are experiencing with RADIUS based authentication should be investigated a little bit further. RADIUS is a very common authentication scheme used by many of our customers, especially in conjunction with GlobalProtect.
just to follow on re the GP testing and my comments regarding it.
I've configured the portal to use kerberos authenticaiton and can authenticate with my AD account no problems. I have the GP portal configured for on demand and I have single sign off disabled. When I log into my PC GP authenticates with my kerberos account ok. I then proceed to click on connect and this is when I find problems with the GP client.
For example in the attached image you can see my RSA real time monitor log - the pink entry is when I click on connect - The GP client automatically tries to authenticate with the RSA server? I don't know what it's trying to authenticate with as the single sign off is disabled and I haven't yet been prompted to enter a password from the gateway side of the GP authentication feature.
Next the GP gateway element asks me to enter a password - i proceed to enter my password and the GP connects ok. This is represented in the attached image with the white entry showing a successful login.
Now consider this - I have a RSA policy that locks out accounts after 3 failed attempts within a 60 minute period. Our users aren't the most technically savvy bunch of people and I would expect that there would be quite a lot of login attempts at the GP client due to users not following documentation or having connection issues....
Like some other posters have indicated there is every chance some third party RADIUS authentication systems will lock out accounts unknowengly...
My question is this - why does GP try and authenticate with our external RSA system before I get the chance / are prompted to put in my password / passcode ? Surely the client should wait until the credentials are entered?
GlobalProtect actually tries to cache and re-use credentials provided by the user for portal and the gateway. Meaning, the credentials you entered for the portal would be re-used for the gateway connection. Because you use two different authentication profiles for portal and gateway, the authentication with the cached credentials fails and we prompt you to enter the password again, or in your case the SecurID PIN and Tokencode. This is actually expected behaviour.
Though, unlike other applications we don't try to authenticate over and over again with those cached credentials, hoping that the authentication server would magically accept those credentials. Instead, we only try once and the prompt the user.
We are working on some improvements on improving the product experience so that you won't see an error messages due to a failed first authentication. But for now, this is why you see the behaviour you described.
Functionally, it should work fine though, with the log errors being an annoyance right now.
We have actually the same issue of reusing cached credentials by GP. We have single auth profile for both portal and gateway and are using RSA SecurID. We have noticed that:
a) at least portal caching attempts occur automatically without user's request
b) sometimes credentials are cached and the worst thing, they are reused, despite entering proper credentials in the popu window (thus multiple auth errors). And we also have password remembering disabled in the GP settings.
That doesn't occur all the time, but when it does, the only way to get out of that reusing old creds loop is to reboot the machine.
We are on GP 1.1.4 btw and I have the case open #69378
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!