GlobalProtect 2FA

L2 Linker

Hi,

Palo Alto VM-100, 8.0.13

I've been trying to add 2FA to our GlobalProtect Gateway. I've followed the instructions described here: https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/authentica...

I have probably done something wrong, because I am prompted twice to enter the LDAP (AD) password instead of LDAP and RADIUS.

Could you please point me to where I made the mistake?

Thank you very much.

L5 Sessionator

Hi @Filip_Fronczak

Things that I can think of that could be causing this:

Save User Credentials must be set to No, or to Save Username Only.

SSO must be disabled in the App configuration (Portals -> Agent -> App).

Is the authentication profile for the gateway set to the one with the RADIUS server profile attached?

Thanks,

Luke.

Cyber Elite

@Filip_Fronczak

What does your RADIUS server require for authentication? Only the second factor or username, password and second factor?

Do you want to use LDAP on the portal and RADIUS on the gateway, or how exactly did you configure the authentication?

(Did you commit your changes, or is there the small chance that you still have LDAP on both the portal and the gateway, and because of that you're asked twice for AD credentials?)

L2 Linker

I've made some progress - I've changed the order of authentication profiles in: GlobalProtect Gateway Configuration/Authentication.

If I put the RADIUS first and AD second it asks me first for the AD password and then for the RADIUS OTP code.

Strange, but it is like this.

Now I have another problem. I enter the AD password and it gets accepted; then I enter the OTP code and I get prompted for it again and again.

In the system log:

2018/10/22 00:07:49,,globalprotectgateway-auth-fail,GP-Gateway-N,0,0,general,informational,"GlobalProtect gateway user authentication failed. Login from: nn.nn.nn.nn, Source region: xx, User name: xxxx, Client OS version: Microsoft Windows 10 Pro , 64-bit, Reason: Authentication failed: Timeout , Auth type: profile.",3035522,0x0,0,0,0,0,,PA-VM-01
2018/10/22 00:07:04,,globalprotectportal-config-succ,Portal1,0,0,general,informational,"GlobalProtect portal client configuration generated. Login from: nn.nn.nn.nn, Source region: xx, User name: xxxx, Config name: Portal_Agent.",3035517,0x0,0,0,0,0,,PA-VM-01
2018/10/22 00:07:04,,globalprotectportal-auth-succ,Portal1,0,0,general,informational,"GlobalProtect portal user authentication succeeded. Login from: nn.nn.nn.nn, Source region: xx, User name: xxxx, Auth type: profile.",3035516,0x0,0,0,0,0,,PA-VM-01

At the same time, in the SafeNet Authentication Service (OTP) I have a successful authentication:

2018-10-22 00:07:24  xxxx  AuthenticationSuccess  MobilePASS  06104216  192.168.2.192
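
As an added example (not from the post, the firewall, or Palo Alto Networks), here is a small Python parser for the PAN-OS system-log lines quoted above, followed by a check for the pattern they show: a successful portal authentication for a user, then a gateway authentication failure for the same user whose Reason is Timeout. The three log lines are reused as constructed sample input with the post's placeholders left in place; the column positions are read off those lines rather than a documented schema, and the two-minute correlation window is an assumed value.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample input: the three PAN-OS system-log lines quoted in the post,
# with their placeholders (nn.nn.nn.nn, xx, xxxx) left exactly as posted.
SAMPLE_LOG = """\
2018/10/22 00:07:49,,globalprotectgateway-auth-fail,GP-Gateway-N,0,0,general,informational,"GlobalProtect gateway user authentication failed. Login from: nn.nn.nn.nn, Source region: xx, User name: xxxx, Client OS version: Microsoft Windows 10 Pro , 64-bit, Reason: Authentication failed: Timeout , Auth type: profile.",3035522,0x0,0,0,0,0,,PA-VM-01
2018/10/22 00:07:04,,globalprotectportal-config-succ,Portal1,0,0,general,informational,"GlobalProtect portal client configuration generated. Login from: nn.nn.nn.nn, Source region: xx, User name: xxxx, Config name: Portal_Agent.",3035517,0x0,0,0,0,0,,PA-VM-01
2018/10/22 00:07:04,,globalprotectportal-auth-succ,Portal1,0,0,general,informational,"GlobalProtect portal user authentication succeeded. Login from: nn.nn.nn.nn, Source region: xx, User name: xxxx, Auth type: profile.",3035516,0x0,0,0,0,0,,PA-VM-01
"""

TIME_FMT = "%Y/%m/%d %H:%M:%S"
# Keys seen in the description field of the lines above. Values can themselves contain
# commas and colons ("Microsoft Windows 10 Pro , 64-bit", "Authentication failed: Timeout"),
# so split on the known keys rather than on ", ".
KEY_RE = re.compile(r"(Login from|Source region|User name|Client OS version|Reason|Auth type|Config name): ")


def parse_system_log(text):
    """Return one dict per line: time, event, object, message and the description's key/value pairs.
    Column positions are taken from the posted lines (0 = time, 2 = event id,
    3 = portal/gateway name, 8 = quoted description), not from a documented schema."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 9:
            continue
        parts = KEY_RE.split(row[8])  # [free text, key1, value1, key2, value2, ...]
        fields = {parts[i]: parts[i + 1].strip().rstrip(",.").strip()
                  for i in range(1, len(parts) - 1, 2)}
        events.append({"time": datetime.strptime(row[0], TIME_FMT), "event": row[2],
                       "object": row[3], "message": parts[0].strip(), **fields})
    return events


def find_second_factor_timeouts(events, window=timedelta(minutes=2)):
    """Flag gateway auth failures with Reason 'Timeout' and record whether the same user
    passed portal authentication within `window` beforehand (the window is an assumed value).
    Portal success followed by a gateway timeout means the first factor worked and the
    gateway's authentication profile got no usable answer from its server: the server is
    unreachable, or its reply was dropped. A wrong OTP is answered by the server and does
    not show up as a timeout."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for i, e in enumerate(events):
        if e["event"] != "globalprotectgateway-auth-fail" or "Timeout" not in e.get("Reason", ""):
            continue
        user = e.get("User name")
        portal_ok_first = any(
            p["event"] == "globalprotectportal-auth-succ" and p.get("User name") == user
            and timedelta(0) <= e["time"] - p["time"] <= window
            for p in events[:i])
        findings.append({"time": e["time"], "gateway": e["object"], "user": user,
                         "reason": e["Reason"], "portal_auth_ok_first": portal_ok_first})
    return findings


if __name__ == "__main__":
    for finding in find_second_factor_timeouts(parse_system_log(SAMPLE_LOG)):
        print(finding)
```

Run against the sample, this reports one finding: user xxxx passed the portal at 00:07:04 and timed out on GP-Gateway-N 45 seconds later. Combined with the SafeNet line above, which shows the OTP server itself recording a success at 00:07:24, the reply is being produced but is not coming back to the firewall in a form it will accept, which narrows the search to the RADIUS hop between the firewall and NPS.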

L2 Linker

Never mind. The last problem was my mistake. I have changed the secret in NPS and forgot to click OK.

Everything works fine now.
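
The root cause in the last post, a RADIUS shared secret changed on NPS but never saved, matches the Timeout symptom from the gateway log rather than a reject. As an added example (not code from the post, PAN-OS or NPS), the Python below models the RFC 2865 Response Authenticator: the server hashes MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret) into its reply, the client recomputes the hash with its own copy of the secret, and a reply that does not verify is silently discarded, so the client never sees an Access-Accept or Access-Reject and logs a timeout when its retry timer expires. Packet layout follows RFC 2865; the secrets, identifier and Reply-Message text are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
REPLY_MESSAGE = 18                      # attribute type, RFC 2865 section 5.18
HEADER = struct.Struct("!BBH16s")       # Code, Identifier, Length, Authenticator


def attr(type_code, value):
    """Encode one Type-Length-Value attribute (RFC 2865 section 5)."""
    return bytes([type_code, len(value) + 2]) + value


def response_authenticator(code, identifier, length, request_auth, attributes, secret):
    """MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    head = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(head + request_auth + attributes + secret).digest()


def build_reply(code, request_auth, identifier, attributes, secret):
    """Server side (NPS in the thread): sign the reply with the server's copy of the secret."""
    length = HEADER.size + len(attributes)
    auth = response_authenticator(code, identifier, length, request_auth, attributes, secret)
    return HEADER.pack(code, identifier, length, auth) + attributes


def reply_is_authentic(reply, request_auth, secret):
    """Client side (the firewall): recompute the authenticator with the client's copy of the
    secret. RFC 2865 requires a reply that fails this check to be silently discarded, so the
    client keeps waiting for an answer and eventually reports a timeout."""
    code, identifier, length, received = HEADER.unpack_from(reply)
    attributes = reply[HEADER.size:length]
    expected = response_authenticator(code, identifier, length, request_auth, attributes, secret)
    return hmac.compare_digest(expected, received)


def simulate(nas_secret, server_secret, code=ACCESS_ACCEPT):
    """One request/reply round trip; returns what the NAS would log for it."""
    request_auth = os.urandom(16)       # Request Authenticator chosen by the NAS
    identifier = 7                      # constructed value
    reply = build_reply(code, request_auth, identifier, attr(REPLY_MESSAGE, b"OK"), server_secret)
    if not reply_is_authentic(reply, request_auth, nas_secret):
        return "timeout"                # reply dropped: no accept or reject is ever seen
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}[code]


if __name__ == "__main__":
    print(simulate(b"same-secret", b"same-secret"))                 # accept
    print(simulate(b"same-secret", b"same-secret", ACCESS_REJECT))  # reject
    print(simulate(b"new-secret", b"old-secret"))                   # timeout
```

The third call is the situation in the thread: the server authenticates the OTP and sends a valid-looking Access-Accept, but because the two sides hold different secrets the firewall cannot verify it, drops it, and records "Authentication failed: Timeout" while the OTP server records a success. When a RADIUS profile times out but the server is reachable and logs the request, check the shared secret on both ends before anything else.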
