09-04-2018 10:01 AM - edited 09-04-2018 10:03 AM
I am testing Multi Factor Authentication with Okta. I have configured everything (including certificate profile) as per the guide as well as Okta specific YouTube video, The first factor (active directory auth) is working fine, however, I am getting "SSL Connect Error" in the authentication logs. I could see the 443 connections going to Okta. How can I troubleshoot the issue? How do I get visibility in the SSL connect error?
> test mfa-vendors mfa-server-profile <mfa-profile-name>
{"res":"FAIL","msg":"SSL connect error"}
09-06-2018 09:04 AM
As per PAN support,
It is a known issue - PAN-95152 (TLS connection to Okta server is rejected because of TLS 1.0 from FW). It is reported on 8.1.0 and fixed versions are 8.0.13 (release ETA 27 sept), 8.1.2.
09-04-2018 11:06 AM
I captured the traffic and can see that the firewall is using TLS 1.0 for auth requests. Is there any way to enforce TLS 1.2? Okta has enforced TLS 1.2.
09-05-2018 11:49 PM
We are encountering exact same issue the only difference is we are unable to find any attempt traffic against Okta. Keen to find out a way to see more "SSL Connect Error"
09-06-2018 08:05 AM
The firewall I am testing MFA on, is in the internal network and I have one more PAN firewall on the internet edge. I did packet capture to confirm behavior from the PAN firewall (TLS 1.0) and my machine browser (TLS 1.2).
09-06-2018 09:04 AM
As per PAN support,
It is a known issue - PAN-95152 (TLS connection to Okta server is rejected because of TLS 1.0 from FW). It is reported on 8.1.0 and fixed versions are 8.0.13 (release ETA 27 sept), 8.1.2.
09-06-2018 05:08 PM
hi, this will be fixed in the next minor release of PANOS, 8.0.13 and 8.1.2
10-02-2018 01:14 PM
I didn't see PAN-95152 in the release notes for 8.0.13. However, after upgrading to 8.0.13 my MFA cert profile issue disappeared and is successfully authenticating users hitting authentication policies now.
I am not getting prompts in GlobalProtect for non-web based applications still. That doesn't work on 8.1.3 either. I had it working in the 8.0.0 beta but hadn't tried it out since but now have a use case.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
