GlobalProtect 2FA


L2 Linker



PaloAlto VM-100 8.0.13


I've been trying to add 2FA to our GlobalProtect Gateway. I've followed the instructions described here:


I must have done something wrong, because I am prompted twice to enter the LDAP (AD) password instead of LDAP and RADIUS.


Could you please point me to where I made the mistake?


Thank you a lot.


L5 Sessionator

Hi @Filip_Fronczak


Things that I can think of that could be causing this:


Save User Credentials - Must be set to no, or saving username only.

SSO must be disabled in the App configuration. (portals -> agent -> app)

Is the authentication profile for the gateway set to the one with the RADIUS server profile attached?






What does your RADIUS server require for authentication? Only the second factor or username, password and second factor?

Do you want to use LDAP on the portal and RADIUS on the gateway or how exactly did you configure the authentication?

(Did you commit your changes, or is there a small chance that you still have LDAP on portal and gateway and because of that you're asked twice for AD credentials?)

I've made some progress - I've changed the order of authentication profiles in: GlobalProtect Gateway Configuration/Authentication.

If I put the RADIUS first and AD second it asks me first for the AD password and then for the RADIUS OTP code.

Strange, but it is like this.


Now I have another problem. I enter the AD password and it gets accepted then I enter the OTP code and I get prompted again and again.


In the system log:


2018/10/22 00:07:49,,globalprotectgateway-auth-fail,GP-Gateway-N,0,0,general,informational,"GlobalProtect gateway user authentication failed. Login from: nn.nn.nn.nn, Source region: xx, User name: xxxx, Client OS version: Microsoft Windows 10 Pro , 64-bit, Reason: Authentication failed: Timeout , Auth type: profile.",3035522,0x0,0,0,0,0,,PA-VM-01
2018/10/22 00:07:04,,globalprotectportal-config-succ,Portal1,0,0,general,informational,"GlobalProtect portal client configuration generated. Login from: nn.nn.nn.nn, Source region: xx, User name: xxxx, Config name: Portal_Agent.",3035517,0x0,0,0,0,0,,PA-VM-01
2018/10/22 00:07:04,,globalprotectportal-auth-succ,Portal1,0,0,general,informational,"GlobalProtect portal user authentication succeeded. Login from: nn.nn.nn.nn, Source region: xx, User name: xxxx, Auth type: profile.",3035516,0x0,0,0,0,0,,PA-VM-01


At the same time in the SafeNet Auth. Service (OTP) I have a successful authentication:


2018-10-22 00:07:24xxxxAuthenticationSuccessMobilePASS06104216192.168.2.192 



Never mind. The last problem was my mistake. I have changed the secret in NPS and forgot to click OK.

Everything works fine now.
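
Added example, not part of the thread: a small Python simulation of the RFC 2865 Response Authenticator check, showing how a RADIUS shared-secret mismatch such as the unsaved NPS secret above can surface on the client as "Timeout" while the server side logs a success. The function names, secrets and Reply-Message text are constructed for illustration, and the code does not model PAN-OS or NPS internals.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code (RFC 2865)

def build_response(code, ident, request_auth, attrs, secret):
    """Server side: sign the reply with the server's copy of the shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def client_accepts(packet, ident, request_auth, secret):
    """Client side: True only if the reply verifies under the client's secret."""
    if len(packet) < 20:
        return False
    _code, pkt_id, length = struct.unpack("!BBH", packet[:4])
    if pkt_id != ident or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def authenticate(server_secret, client_secret, retries=3):
    """Simulate one login: the server always accepts; report what the client sees."""
    reply_message = b"OTP accepted"  # constructed Reply-Message attribute (type 18)
    attrs = bytes([18, 2 + len(reply_message)]) + reply_message
    for ident in range(retries):
        # Simplification: each attempt is sent as a new request.
        request_auth = os.urandom(16)
        reply = build_response(ACCESS_ACCEPT, ident, request_auth, attrs, server_secret)
        if client_accepts(reply, ident, request_auth, client_secret):
            return "accept"
        # An invalid reply is silently discarded, so the client just keeps waiting.
    return "timeout"

if __name__ == "__main__":
    print(authenticate(b"same-secret", b"same-secret"))  # secrets match
    print(authenticate(b"new-secret", b"old-secret"))    # secrets differ
```

When the gateway log shows a timeout but the OTP service shows a success for the same login, comparing the shared secret on both ends of each RADIUS hop is a quick first check.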

Just in case anyone wants to know, I have written a blog about this topic here:

DOTW: MFA and 2FA for GP and NGFW


Be sure to check it out.

LIVEcommunity team member
Stay Secure,
Don't forget to Like items if a post is helpful to you!