Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

GlobalProtect 2FA

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect 2FA

L2 Linker

Hi,

 

PaloAlto VM-100 8.0.13

 

I've been trying to add 2FA to our GlobalProtect Gateway. I've followed the instructions described here: https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/authentica...

 

Probably I've must have done something wrong, because I am prompted twice to enter the LDAP (AD) password insted of LDAP and RADIUS.

 

Could you please point me to where I made the mistake?

 

Thank you a lot.

5 REPLIES 5

L5 Sessionator

Hi @Filip_Fronczak

 

Things that I can think of that could be causing this:

 

Save User Credentials - Must be set to no, or saving username only.

SSO must be disabled in the App configuration. (portals -> agent -> app)

Is the authentication profile for the gateway set to the one with the RADIUS server profile attached?

 

Thanks,

Luke.

 

@Filip_Fronczak

What does your RADIUS server require for authentication? Only the second factor or username, password and second factor?

Do you want wo use LDAP on the portal and RADIUS on the gateway or how exactly did you configure the authentication?

(Did you commit your changes os is there the little chance that you still have LDAP on portal and gateway and because of that you're asked twice for AD credentials?

I've made some progres - I've changed the order of authentication profiles in: GlobalProtect Gateway Configuration/Authentication.

If I put the RADIUS first and AD second it asks me first for the AD password and then for the RADIUS OTP code.

Strange, but it is like this.

 

Now I have another problem. I enter the AD password and it gets accepted then I enter the OTP code and I get prompted again and again.

 

In the system log:

 

2018/10/22 00:07:49,,globalprotectgateway-auth-fail,GP-Gateway-N,0,0,general,informational,"GlobalProtect gateway user authentication failed. Login from: nn.nn.nn.nn, Source region: xx, User name: xxxx, Client OS version: Microsoft Windows 10 Pro , 64-bit, Reason: Authentication failed: Timeout , Auth type: profile.",3035522,0x0,0,0,0,0,,PA-VM-01
2018/10/22 00:07:04,,globalprotectportal-config-succ,Portal1,0,0,general,informational,"GlobalProtect portal client configuration generated. Login from: nn.nn.nn.nn, Source region: xx, User name: xxxx, Config name: Portal_Agent.",3035517,0x0,0,0,0,0,,PA-VM-01
2018/10/22 00:07:04,,globalprotectportal-auth-succ,Portal1,0,0,general,informational,"GlobalProtect portal user authentication succeeded. Login from: nn.nn.nn.nn, Source region: xx, User name: xxxx, Auth type: profile.",3035516,0x0,0,0,0,0,,PA-VM-01

 

At the same time in the SafeNet Auth. Service (OTP) I have a successfull authentication:

 

2018-10-22 00:07:24xxxxAuthenticationSuccessMobilePASS06104216192.168.2.192 

 

 

Never mind. The last problem was my mistake. I have changed the secret in NPS and forgot to click OK.

Everything works fine now.

Just in case anyone wants to know, I have written a blog about this topic here:

DOTW: MFA and 2FA for GP and NGFW

 

Be sure to check it out.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!
  • 5516 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!