GlobalProtect requires token twice - Possible RSA inconvenience

L0 Member

GlobalProtect requires token twice - Possible RSA inconvenience

Hi Community. I have an issue on GP: it makes requests for token twice to get through VPN to my network.


I discovered the RSAs feature "Next Token Code Mode", but believe PA (5050 - PAN-OS 7.1.10) has nothing to do when a NTC is requested, so I recommended my customer to open a case with RSA.


Instead, my customer told me RSA answered this:


Telling him that this is not a RSA issue, but a Palo Alto issue.


Do you have any info regarding this issue?



Community Team Member

Posted in the wrong group. 

Should be posted in General Topics and not Community Feedback.   

Moving now.

Stay Secure,
End of line
L7 Applicator

Have you configured "authentication overide" in the portal agent tab.


the portal will request authentication and then generate a cookie to authenticate you on the gateway. you need to "accept cookie authentication" in the gateway - agent - client settings - config for this to work.


if you do not have this configured then the portal will request a passcode and then the gateway.



L7 Applicator
L0 Member

I think the first authentication dialogue is for portal, and the second time is for gateway. Since 7.x,  it uses the encrypted cookies to pass authentication information from portal to gateway. So that you will have only once for authentication.

L1 Bithead

I run into the exact issue with PAN v8.0.12 with RSA GP client prompting RSA username and passcode twice (first will fail, and the second will succeed).  This issue only happens with GP clients (I've tried both v4.1.6 and v4.1.8).  


I set the "authentication overide" in the portal | agent | config | authentication, and choose "generate cookies for authentication overide" and "choose cerftificate to encrypt/decrypt cookies"


In the Gateways | Agent | Client Settings | Configs | Authentication Override | choose ""accept cookies for authentication overide" and "choose cerftificate to encrypt/decrypt cookies"


GP client worked great with RSA after the configuration change.


Thanks MickBall for your help!


Note: This issue happened to me only when using global protect client.  RSA works just fine with Clientless SSL VPN. 


Tags (3)
L4 Transporter

When you are connecting to Global Protect you actually face two authentications: one authentication for the portal and one for the gateway. By default PAN firewall will try to use the same credentials provided for the portal again for the gateway. If you are using LDAP authentication for both (portal and gateway) the user will be asked for credetials only once, and he will get the impretion that only one authentication is happening.


Howeve if youare using OTP tokens the default behaviour wouldn't work. The reason for that is - once the user put his OTP when prompted by the portal to authenticate, the firewall will cache the OTP and will try to sent it again to the Radius server (RSA server) when prompted to authenticate to the gateway, howeve since this token has been already used the RSA will reply to the firewall with Access Reject message, which will force the firewall to prompt the user to enter credentials to authenticate to the gateway.


That is why during user login in the RSA logs you probably will see:

- one successful login message (when user has authenticated with OTP to the portal)

- one failed login message (when firewall is using the same OTP to authenticate gainst the gateway)

- one successful login message (when user generate new OTP and authenticat to the gateway)


As other already suggested the solution will be to enable Authentication Override cookies. This will generate and install a auth. cookie on the user PC once he authenticate to the portal, when prompted to authenticate to the gateway the PC will use the cookie instead of prompting the user for credentials again.


My suggestion:
- For the portal, enable only "generate cookie for authentication override". Do not enable "accept cookies", that way users will always be prompted to authenticate when connecting to the portal

- For the gateway, enable only "accept cookie" and set cookie lifetime to the minumim (one minute)

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!