Has anyone had any issues with users connecting in using GlobalProtect once they have upgraded from PAN-OS 8.0.15 to any version of 8.1?
I had a change window the other night and updated to 8.1.6. Everything worked fine except for VPN access: people connecting in would constantly be prompted to type in the token passcode. We could see errors on our RADIUS server and RSA servers but nothing in the system log on the firewall. As soon as I failed back to 8.0.15, VPN access was restored. I have logged a tech support call about this and pointed out that there was a bug we had last year that was fixed, but it seems that maybe in 8.1 either this fix hasn't been applied or GP clients log in differently in 8.1. I am still waiting for TAC to get back to me, but I just thought I would reach out on here as well. We are still running GP version 3.1.5-9 as well.
That's probably because your RADIUS name is the same as your AD name. My AD name is dotted.
So I ran a RADIUS debug and it is not only sending the dotted username but also the AD password...... read on....
OK, got it sussed...
You need to change the portal app setting "Use Single Sign-On" from "Yes" to "No". The default is "Yes" and this never made much difference before, but I do know they made a lot of updates to SSO in 8.1, so they probably fixed it too much... Ha ha.
This is now working for me and breaks again when SSO is set to "Yes".
It's a shame you cannot replicate the issue on a test box.
When the users were re-prompted for the passcode, was it for the gateway or the portal?
If the gateway only, then maybe it is an issue with authentication override; if the portal (or the web page to the portal), then it may simply be an issue regarding PAP/CHAP.
What was the error on the RSA/RADIUS servers?
From the end user's perspective it was the GlobalProtect client that kept asking them to enter a passcode again, so I would say it was from the portal, NOT the gateway.
On our RADIUS server you would see 2 hits for each attempt, one success and one failure, even though at the other end (the VPN client end) the user would just be prompted for a passcode again. The RADIUS logs say "user authentication failed, check RSA logs".
RSA has a bit more info but seems to point to the user not putting in the correct token code or a bad PIN, which I would normally believe, but we tried a couple of IT people to test and they couldn't all have forgotten their PIN or typed in an incorrect token code at the same time, and then got it working when we tried it on the firewall running 8.0.15. That's why I was thinking maybe something had changed between 8.0 and 8.1, or maybe the GP version we have isn't supported in 8.1?
OK, thanks for the update.
Your Monitor/System log will show you where the auth is failing, but that is no good to you now, I suppose.
When the user was prompted to re-enter the passcode, did they wait for it to change?
I even tested it at the same time and tried a few things: made sure I had the correct PIN, that the token wasn't about to expire, and even waited for the next token code, but still nothing.
It seems there may be nothing obvious that has changed, but I will have to wait for TAC to get back to see if they can think of anything. I am probably going to have to schedule some time out of hours to upgrade again and test it again and again.
It is modifying the gateway username; I have no idea why....
It is not using the auth override cookie and is also adding a dot (.) notation to the logon name.
As you can see below.... the first auth is OK at 12:51:44, so the portal is done; 4 seconds later it tries to re-use the passcode but with the dot notation.
I'm gonna try to re-configure auth override.
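The symptom described in the posts above (an Access-Accept for a user, then an Access-Reject a few seconds later for a dotted variant of the same name, because the gateway is re-presenting the portal's one-time passcode under a rewritten username) is easy to pick out of RADIUS logs once you correlate by identity and time. The following is an added example, not code from the thread, from Palo Alto Networks, or from any RADIUS/RSA product. The log format, server name `radiusd`, NAS client name `fw-edge-01`, usernames and timestamps are all constructed for the example, and it assumes the username rewrite only adds dotted domain components (e.g. `jbloggs` becoming `corp.jbloggs`) rather than changing them.

```python
"""
Correlate RADIUS decisions to spot a one-time passcode being replayed
under a rewritten (dotted) username: an Access-Accept followed within a
short window by an Access-Reject for the same identity.

Everything below (log format, server/client names, users) is constructed
for this example and is not real Palo Alto, RSA or RADIUS server output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: syslog-style lines from a hypothetical RADIUS server.
SAMPLE_LOG = """\
2019-03-12 12:51:44 radiusd Access-Accept user="jbloggs" client=fw-edge-01 reason="RSA token OK"
2019-03-12 12:51:48 radiusd Access-Reject user="corp.jbloggs" client=fw-edge-01 reason="user authentication failed, check RSA logs"
2019-03-12 12:52:10 radiusd Access-Accept user="asmith" client=fw-edge-01 reason="RSA token OK"
2019-03-12 12:55:02 radiusd Access-Reject user="asmith" client=fw-edge-01 reason="bad PIN"
2019-03-12 13:01:00 radiusd Access-Reject user="corp.nobody" client=fw-edge-01 reason="unknown user"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ '
    r'(?P<result>Access-Accept|Access-Reject) user="(?P<user>[^"]+)" '
    r'client=(?P<client>\S+) reason="(?P<reason>[^"]*)"$'
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    result: str
    user: str
    client: str
    reason: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format; lines that are not auth decisions are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(Event(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                            m["result"], m["user"], m["client"], m["reason"]))
    return events


def name_parts(user: str) -> frozenset[str]:
    """Lower-cased components of a logon name, split on '.', '\\', '@' and '/'."""
    return frozenset(p for p in re.split(r"[.\\@/]", user.lower()) if p)


def same_identity(a: str, b: str) -> bool:
    """True when one name is the other with extra domain components added,
    e.g. 'jbloggs' vs 'corp.jbloggs' or 'john.bloggs' vs 'corp.john.bloggs'.
    Assumption: the rewrite only adds dotted components, never changes them."""
    pa, pb = name_parts(a), name_parts(b)
    return bool(pa) and bool(pb) and (pa <= pb or pb <= pa)


def find_replays(events: list[Event], window: timedelta = timedelta(seconds=30)) -> list[dict]:
    """For each Access-Reject, look back for an Access-Accept from the same NAS
    client and the same identity within `window`. A success-then-failure pair a
    few seconds apart is the fingerprint of a one-time passcode being presented
    a second time, which the token server refuses."""
    hits = []
    accepts: list[Event] = []  # recent Access-Accept events, oldest first
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.result == "Access-Accept":
            accepts.append(ev)
            continue
        accepts = [a for a in accepts if ev.ts - a.ts <= window]  # expire old accepts
        for a in accepts:
            if a.client == ev.client and same_identity(a.user, ev.user):
                hits.append({
                    "accepted_as": a.user,
                    "rejected_as": ev.user,
                    "seconds_apart": int((ev.ts - a.ts).total_seconds()),
                    "username_rewritten": a.user != ev.user,
                    "reject_reason": ev.reason,
                })
    return hits


if __name__ == "__main__":
    for hit in find_replays(parse_log(SAMPLE_LOG)):
        print(hit)
```

Running it on the constructed sample reports only the `jbloggs` / `corp.jbloggs` pair 4 seconds apart with `username_rewritten` set; the `asmith` reject three minutes later falls outside the window and is treated as an ordinary bad-PIN failure. Tighten or widen `window` to match the gap you actually see between the portal and gateway authentications.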