10-21-2018 08:03 AM
Hi,
PaloAlto VM-100 8.0.13
I've been trying to add 2FA to our GlobalProtect Gateway. I've followed the instructions described here: https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/authentica...
Probably I've must have done something wrong, because I am prompted twice to enter the LDAP (AD) password insted of LDAP and RADIUS.
Could you please point me to where I made the mistake?
Thank you a lot.
10-21-2018 12:48 PM
Things that I can think of that could be causing this:
Save User Credentials - Must be set to no, or saving username only.
SSO must be disabled in the App configuration. (portals -> agent -> app)
Is the authentication profile for the gateway set to the one with the RADIUS server profile attached?
Thanks,
Luke.
10-21-2018 01:33 PM
What does your RADIUS server require for authentication? Only the second factor or username, password and second factor?
Do you want wo use LDAP on the portal and RADIUS on the gateway or how exactly did you configure the authentication?
(Did you commit your changes os is there the little chance that you still have LDAP on portal and gateway and because of that you're asked twice for AD credentials?
10-21-2018 03:21 PM
I've made some progres - I've changed the order of authentication profiles in: GlobalProtect Gateway Configuration/Authentication.
If I put the RADIUS first and AD second it asks me first for the AD password and then for the RADIUS OTP code.
Strange, but it is like this.
Now I have another problem. I enter the AD password and it gets accepted then I enter the OTP code and I get prompted again and again.
In the system log:
2018/10/22 00:07:49,,globalprotectgateway-auth-fail,GP-Gateway-N,0,0,general,informational,"GlobalProtect gateway user authentication failed. Login from: nn.nn.nn.nn, Source region: xx, User name: xxxx, Client OS version: Microsoft Windows 10 Pro , 64-bit, Reason: Authentication failed: Timeout , Auth type: profile.",3035522,0x0,0,0,0,0,,PA-VM-01
2018/10/22 00:07:04,,globalprotectportal-config-succ,Portal1,0,0,general,informational,"GlobalProtect portal client configuration generated. Login from: nn.nn.nn.nn, Source region: xx, User name: xxxx, Config name: Portal_Agent.",3035517,0x0,0,0,0,0,,PA-VM-01
2018/10/22 00:07:04,,globalprotectportal-auth-succ,Portal1,0,0,general,informational,"GlobalProtect portal user authentication succeeded. Login from: nn.nn.nn.nn, Source region: xx, User name: xxxx, Auth type: profile.",3035516,0x0,0,0,0,0,,PA-VM-01
At the same time in the SafeNet Auth. Service (OTP) I have a successfull authentication:
| 2018-10-22 00:07:24 | xxxx | Authentication | Success | MobilePASS | 06104216 | 192.168.2.192 |
10-21-2018 03:26 PM
Never mind. The last problem was my mistake. I have changed the secret in NPS and forgot to click OK.
Everything works fine now.
03-04-2021 02:11 PM
Just in case anyone wants to know, I have written a blog about this topic here:
DOTW: MFA and 2FA for GP and NGFW
Be sure to check it out.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
