Native Duo 2FA for GlobalProtect can't select Auth Profile or Auth Policy Zone


Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

L1 Bithead

Native Duo 2FA for GlobalProtect can't select Auth Profile or Auth Policy Zone

I'm moving to LDAP auth with Duo 2FA. We need a better answer than RADIUS as we've found Duo's Authentication Proxy functionally limited and crash-prone. Using Mitch Densley's video guide for PAN-OS 8.x as a starting point, I've gotten my Duo application set up, along with an authentication profile.


However, when I try to create an Authentication Enforcement object, my Duoized authentication profile doesn't appear on the menu (only "None"). If I skip that step momentarily and try to create an authentication policy, I can't select the zone my captive portal interface is in.  Can't tell what I'm missing or how my environment differs from the how-to-- I'm using PAN-OS 9.0.4 in an HA cluster managed by Panorama.

L7 Applicator

Did you create an object in vsys1 instead of 'shared' ?

Tom Piens -
Like my answer? check out my book!
L1 Bithead

For the Authentication Enforcement Object (Objects > Authentication), I found creating a shared object (one used across all device groups) made the authentication profiles invisible. When I created the AEO in the device group covered by that particular template stack, the profiles were available to select. This occurred because I was using Panorama for device management. I'd have to walk back through the exercise on a stand-alone device to see if there's a similar distinction between the device level shared context and a specific vsys. (I only have single instances on my firewalls, so nothing really needs to be "shared.") It's not exactly as @reaper suggested, but their suggestion took me to the right place.


I'm skipping the authentication policy step since further reading suggests it may not be needed for GlobalProtect. May have to revisit it after some testing.


So short answer is: Just turn off the "Shared" checkbox when setting authentication enforcement.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!