For GlobalProtect I have a RADIUS server profile with two servers in it. I have noticed that all authentication goes to the first server in the list all the time. And that works. However, in testing, I have shut off the first server and the firewall never tries to send authentication to the second server. If I use the "test authentication" command on the firewall CLI, it does fail over to the second server and authentication succeeds. If I go back to the GlobalProtect client and try again, the firewall only tries the first server and authentication fails. I have verified this with packet captures on the actual RADIUS servers.
This seems to be incorrect behavior. Is it possible that there is a known bug about this? I'm using the same authentication profile in the GlobalProtect portal configuration as I am on the test CLI command.
To know if you are hitting a known bug, we would need to know your PAN-OS version and GP agent version ;-)
I recall this issue was brought up a while ago, and the fix was modifying the retries and timeout values lower; something with that agent version was timing out the authentication on the agent side of things before getting a response. That particular issue, if I recall correctly, had much higher values in both fields however.
Our PAN-OS is 8.0.10. Maintenance night is next Friday; we'll jump to 8.0.13 at that point unless 8.0.14 gets released before then.
GlobalProtect is 4.1.5.
I tried setting the timeout to 1 second and retries to 1 in the server profile, but that didn't make a difference. The GlobalProtect client says "connecting..." for a good 30 seconds before giving up (I haven't timed it, but it feels long). The CLI fails over to the second server in the 1 second timeout that's configured.
I don't think it's your PAN-OS version; nothing in the release notes points towards a fix for anything to do with RADIUS between those versions. You could be running into GPC-7215 if you are using SSO.
Yes @BPry, I remember that post too!
Unfortunately the poster never updated, so it's still hanging...
The main point to remember is that the max retries is 5.
So if you have 2 servers then only set retries to 3 (or less).
I have just tested 4.15; I have a RADIUS server profile with 2 laptops running Wireshark.
The timeout is 3 and retries is 3.
I see the first laptop get 3 RADIUS requests with about a 3 to 3.5 second interval.
I then see laptop 2 get 2 RADIUS requests (total 5) with similar intervals.
As soon as the second one times out my GP client re-prompts for username and password, so all looking OK.
I cannot think why you would have such an issue... I have tested this on v7.1x and 8.08.
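As an added illustration (not from any poster in this thread or from Palo Alto Networks), the Python below models the retry budget the previous reply describes: a cap of five RADIUS requests per authentication, spent in profile order, so you can see how a profile's timeout and retries spread across two servers and how long the worst case takes. The cap, the strict profile ordering and the 30 second client patience are assumptions taken from this thread, not vendor documentation.

```python
"""Model of the RADIUS retry budget described in the thread above.

Assumptions (taken from the thread, not from vendor documentation):
  * the firewall sends at most MAX_TOTAL_REQUESTS RADIUS requests per
    authentication, regardless of the per-server retries setting;
  * servers are tried in profile order, each receiving up to `retries`
    requests before the next server is tried;
  * every unanswered request waits `timeout` seconds before the next is sent.
"""
from dataclasses import dataclass

MAX_TOTAL_REQUESTS = 5  # "the max retries is 5", per the reply above


@dataclass(frozen=True)
class Attempt:
    server: str
    attempt: int    # 1-based attempt number on this server
    sent_at: float  # seconds after the authentication started


def retry_schedule(servers, timeout, retries, budget=MAX_TOTAL_REQUESTS):
    """Requests sent, in order, when no server answers at all."""
    schedule = []
    for server in servers:
        for n in range(1, retries + 1):
            if len(schedule) >= budget:
                return schedule  # budget exhausted; remaining servers never tried
            schedule.append(Attempt(server, n, len(schedule) * timeout))
    return schedule


def servers_reached(servers, timeout, retries, budget=MAX_TOTAL_REQUESTS):
    """Servers that receive at least one request before the budget runs out."""
    tried = {a.server for a in retry_schedule(servers, timeout, retries, budget)}
    return [s for s in servers if s in tried]


def worst_case_wait(servers, timeout, retries, budget=MAX_TOTAL_REQUESTS):
    """Seconds until the firewall gives up when every request times out."""
    return len(retry_schedule(servers, timeout, retries, budget)) * timeout


def check_profile(servers, timeout, retries, client_timeout, budget=MAX_TOTAL_REQUESTS):
    """Does failover reach every server, and does it finish before the client gives up?"""
    return {
        "all_servers_reached": servers_reached(servers, timeout, retries, budget) == list(servers),
        "worst_case_wait": worst_case_wait(servers, timeout, retries, budget),
        "fits_client_timeout": worst_case_wait(servers, timeout, retries, budget) <= client_timeout,
    }


if __name__ == "__main__":
    servers = ["radius-a", "radius-b"]  # constructed names for a two-server profile
    for a in retry_schedule(servers, timeout=3, retries=3):
        print(f"t={a.sent_at:5.1f}s  {a.server} attempt {a.attempt}")
    print(check_profile(servers, 3, 3, client_timeout=30))
```

With timeout 3 and retries 3 the model reproduces the capture in the reply: three requests to the first server, two to the second, five in total; with retries set to 5 the whole budget goes to the first server and the second is never tried.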