GlobalProtect - Authentication Issues


L1 Bithead

Hi all,

 

Fairly new to PAN and in the process of an ASA migration. Despite TAC/VAR assistance, I'm still having some issues with my GlobalProtect user experience. Fortunately it's not in production yet but the feedback has been inconsistent.

 

 

Business Requirements:

-Use GlobalProtect to tunnel all external user traffic back to HA pair for web filtering/visibility

-Only enterprise devices can connect; use existing PKI to validate

-Approved users can manually switch to an "Internal VPN" gateway to access restricted resources

-These approved users will go through an OTP leveraging soft tokens

-Users in the office should not have to enter credentials to connect, but their GP client should connect for accurate User-ID information

 

Current Portal Config:

-1 portal configured with an authentication profile linking to Cisco ISE; strictly AD check, no OTP

-The portal is configured for a certificate profile (internal CA but no usernames)

-The portal generates/accepts a 24-hour cookie for authentication override

-Manual gateways are configured for dynamic OTP (instead of passing the credentials)

-There are 2 agent configurations:

        1. First config allows access to a single gateway that only allows web traffic for visibility

        2. Second config allows the web traffic gateway and an internal resources gateway for true "VPN" experience

-The app is configured for SSO and User-Logon (Always On) mode; cannot be disabled by user and must connect for network access (these settings are to meet the business requirement of preventing unfettered Web access for remote associates)

 

Current Gateway Config:

-The Web Filter gateway is pointing to Cisco ISE (I expect this to recycle the portal credentials without issue)

-The Internal VPN gateway points to Azure MFA:

        1. This is our only means of leveraging MFA; the same AD check should succeed and issue a challenge if the user is enrolled in MFA

        2. I do not expect to recycle credentials as this is accessed via manual selection

                A. Portal configuration specifies that this component requires OTP/MFA

-I do have an Internal Gateway via 'Internal Host Detection' and it also points at Cisco ISE 

        1. This is working fine; the macOS clients do not get SSO, as the GP app config option is for Windows only

 

Issues:

-Sometimes we receive multiple password prompts and OTP prompts

-I do not expect to receive a password prompt due to the SSO option, but sometimes do when connecting 

-The OTP prompt is 'approve' so I am certain duplicate prompts are not due to typos

-I occasionally do not see ISE entries after successful authentication (which I should see when connecting to the portal) but this may be due to authentication cookies being generated/accepted

 

Questions:

-The default behavior would pass the AD credentials used in the Portal to the Gateway, correct?

-Are credentials passed from one gateway to another?

        1. As mentioned, I have an initial gateway that everyone ends up on; some users can manually select another gateway

                A. This process always results in a password prompt followed by an OTP prompt

-Exactly what does the Authentication Override option do?

        1. I have read documentation that it is for fewer PW/OTP prompts, but how do I verify it is working?

                A. I have never been able to logout/login without a password prompt/OTP, for reference

-How do reboots/returning from sleep/hibernation affect the user experience?

 

I can post screenshots and elaborate further if required.

 

I have already gone through the following links:

-https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/authentica...

-https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/authentica...

 

We are running PAN-OS 8.1.4 and GP 4.1.6.12 on PA5250s.

 

Thank you

 

 

9 REPLIES

Cyber Elite

Hi @AdamSC

 

Congratulations, with your very first post here in the great Live community you have reached the champions league :P for GlobalProtect configurations (SSO, MFA, Always-On, Enforce GP for Network Access). Unfortunately I have been dealing with such a configuration for a year now and so far I still need to have workarounds configured to have it working without GP being too big a pain for the users.

 

Let's start. So far SSO and MFA are actually a bad idea except if you ONLY use TOTP (or something else that does not result in a direct notification for the users). The issue here is, GlobalProtect sends an authentication to the portal as soon as the login is done. Unfortunately this is done in the background, and at this stage GlobalProtect is not ready to show an OTP prompt to the user, so the authentication fails directly. Immediately the next authentication attempt (with the credentials GP has because of SSO) starts, but this time the additional prompt is shown to the user, and as you describe it the user has already received multiple MFA/OTP notifications. When we first experienced this issue a year ago there were some meetings with Palo Alto and the result was a feature request which we hope will be implemented in the next GP major version. With this feature request the behaviour you need should be implemented without bothering the users with too many useless notifications. Unfortunately this explanation does not really help you, so I'll try to explain how I solved this...

On the portal I use authentication override with a cookie that is issued and used only on the portal, so here the user has to log in only once, and after this login the cookie is used to authenticate the user to the portal. On the gateway I activated the setting that requires dynamic passwords for external gateways. The tradeoff is that for every login from external, users have to enter username, password and OTP. But so far this is the best working config I have found when the requirements are: SSO, MFA, Always-On and enforce GP. (If someone has a better solution PLEASE share it 😛)

 

 

Cyber Elite

@AdamSC wrote:

The default behavior would pass the AD credentials used in the Portal to the Gateway, correct?


Yes, but in case of SSO these credentials are passed to portal and gateway.

 


@AdamSC wrote:
-Are credentials passed from one gateway to another?

Not from one gateway to another but from SSO to everything else.

 


@AdamSC wrote:

1. As mentioned, I have an initial gateway that everyone ends up on; some users can manually select another gateway

                A. This process always results in a password prompt followed by a OTP prompt


Do you have the setting "require dynamic password" enabled for external gateways?

 


@AdamSC wrote:

-Exactly what does the Authentication Override option do?


It gives you the possibility to issue cookies to users when they successfully log in. With the application override you can also specify how long these cookies are valid, so they can be used for authentication instead of requiring the user to enter username/password every time. An example is if you want to have VPN access from external with MFA. Without application override the user has to log in to the gateway and to the portal. With the application override a cookie is issued after MFA login on the portal. This cookie is then used on the gateway, which results in no additional MFA login on the gateway.

 


@AdamSC wrote:

1. I have read documentation that it is for fewer PW/OTP prompts, but how do I verify it is working?


In the system logs on the firewall you can see if a cookie was used for authentication. Or test it on a gateway that requires MFA. Issue a cookie that is valid for a specified time and also accept it for authentication. In the specified timeframe you will not be asked for an OTP (if require dynamic passwords is disabled).

 


@AdamSC wrote:

A. I have never been able to logout/login without a password prompt/OTP, for reference


Did you also enable the setting to accept cookies on either the portal or gateway?

 


@AdamSC wrote:

-How do reboots/returning from sleep/hibernation effect the user experience?


Good question where I don't have a consistent answer. It depends on the hardware/driver, software installed (especially with an additional credential provider) and/or if there was a network change after wake up. Probably even more, but most of the time it works properly, and sometimes there are these strange situations that no one knows a solution for.
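An added example (not from this thread or from Palo Alto Networks) of the log check the reply above recommends: it parses constructed GlobalProtect-style authentication lines in an assumed, simplified layout (not the real PAN-OS system-log format), reports per user which stage was satisfied by the authentication-override cookie, and flags bursts of repeated interactive logins, which is what the duplicate password/OTP prompts described in the thread look like from the firewall side.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed, simplified layout (not the real PAN-OS
# system-log format); 'auth=cookie' marks a login satisfied by the override cookie.
SAMPLE_LOG = """\
2019-01-10 08:00:01 portal-auth user=alice auth=password result=failure
2019-01-10 08:00:03 portal-auth user=alice auth=password+otp result=success
2019-01-10 08:00:05 gateway-auth user=alice auth=cookie result=success
2019-01-10 08:00:09 gateway-auth user=alice auth=password+otp result=success
2019-01-10 09:15:00 portal-auth user=bob auth=cookie result=success
2019-01-10 09:15:02 gateway-auth user=bob auth=cookie result=success
"""
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<stage>\S+) user=(?P<user>\S+) "
                     r"auth=(?P<auth>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    # Turn the text into event dicts; lines that do not match are skipped.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return events

def cookie_usage(events):
    """Per user, the stages (portal/gateway) that accepted the override cookie."""
    used = defaultdict(set)
    for ev in events:
        if ev["auth"] == "cookie" and ev["result"] == "success":
            used[ev["user"]].add(ev["stage"])
    return dict(used)

def repeated_prompts(events, window=timedelta(seconds=30)):
    """Users whose interactive (non-cookie) logins arrive in a burst: each one is
    a password/OTP prompt the user saw, so a burst is the duplicate-prompt symptom."""
    times = defaultdict(list)
    for ev in events:
        if ev["auth"] != "cookie":
            times[ev["user"]].append(ev["ts"])
    flagged = {}
    for user, ts in times.items():
        ts.sort()
        burst = 1 + sum(1 for a, b in zip(ts, ts[1:]) if b - a <= window)
        if burst > 1:
            flagged[user] = burst
    return flagged
```

In the sample, bob's portal and gateway logins both rode on the cookie, while alice was prompted three times within eight seconds, which matches the failed background attempt followed by the interactive retry that the reply describes.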

L6 Presenter

I'm actually in a fairly similar situation...Migrating from Cisco 5580s to 5220 with GP.  We're running 8.0.12 with 4.1.6 GP

 

We have the following business requirements:

 

- Pre-Login

- Always On

- Machine cert Based auth

- Internal host detection so tunnel isn't established when inside forcing all traffic through it

 

 

So it almost feels like we have the same requirements, but you do have a few extras in there.

 

I will say that TAC wasn't helpful in understanding what I was trying to get working, or maybe I just didn't know how to relay my needs.  I just got this working through trial and error and 4 different support cases.  In the end for me it just came down to using the correct cert profiles for the correct use case.

 

One potential issue I can see is if you're planning on using machine cert for auth then you're going to have issues defining different policies for users, so just keep that in mind. 

I can see cookie authentication in the logs, so that must be working.

 

I think one thing that's different here is that I am not doing MFA on the portal, but am on one single gateway. The business essentially wants people to be able to turn their laptops on and connect transparently (assuming the machine certificate check is valid and the SSO credentials succeed) for web access only. A lot of employees do not need internal resources, but if they did, the second gateway (manually selected) prompts for a password + MFA (Microsoft Authenticator). 

 

I've attached a few screenshots of my configuration. From what I can tell:

-The Web Filter VPN has the highest priority and is connected to automatically. It does not ask for credentials

        Q: Is this because of the authentication cookie, or is it due to the default behavior of passing credentials?

-The Internal VPN is manual only and the configuration states that it does require dynamic passwords. When selecting this, I enter my password and then receive an MFA prompt on my phone. Do note that this RADIUS server is not the same one as the portal.

        Q: Is this expected behavior?

 

It looks like my gateways are not configured to accept a cookie, so technically speaking, what is driving the auto-login from portal to "Web Filter" gateway? I was believing the SSO option under Portal > Agent > Agent Config > App was essentially providing SSO to the portal from Windows (Kerberos). If that is disabled, I am still not expecting to enter my password in for the Web Filter gateway (but will for the portal). I'll test that shortly.

 

Also, my certificate profile is strictly looking for the presence of a machine cert signed by the internal CA. It's not using it for 'real' authentication and does not populate the username field. 

 

I'm curious about the logs. It seems like there's a lot of redundancy with authentication/logins. Is this normal?

 

I greatly appreciate the help.

 

