Native VPN client

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Native VPN client

L4 Transporter

The native client on my windows machine does not seem to be authenticating against my radius/otp/ldap server and my globalprotect client is getting through the portal but failing on the gateway. Any ideas why or how to track it down?


L7 Applicator

if GP is using OTP then it will fail on the gateway as it's probably using the same passcode twice.


if using OTP then setup cookie generation on the portal and cookie auth on the Gateway.



I have have both the portal and the gateway set to use radius and OTP.  So where do I go to setup cookie generation? 

Why does the native client work and not ask for the OTP?

the native client goes to the gateway directly, it does not use the portal so only has to auth once...


the settings are in network/portal/agent/configs.   the settings are under authentication overide.

set the portal to generate cookie.

set portal to portal component only


and network/gateways/agent/client settings/configs..   set this to accept cookie, use same cert for decrypt and set to low lifetime. 2 mins


if you need further help then i will post print screen.




So tsounds like  the native client is not going to work with the OTP setup on the PA thats not good

Hmmmmm ... bit confused as i thought you said from the start that native was failing...


but you then asked "Why does the native client work and not ask for the OTP?".


so... er... erm 


the native should work OK. you can still have Radius auth on the gateway along with cookies. if the client has no cookie then it should challenge for OTP or whatever your Radius requires


I can see where you might read that, no its not failing but it is not asking for a code to authenticate the native client, it is just allowing it with a username and password. So when I say not authenticating against the radius/OTP server I mean not prompting the user for the authcode/token, just letting them right in.


So where is the best place to put the cookies on both the portal and gateway, just the portal or just the gateway. Our token has a limited life

OK so can we just confirm....    how many gateways do you have, is it just one for both GP and Native or one for each.


Correct one gateway for both the native and globalprotect client

OK and do you use multi factor auth on that gateway for GP users (LDAP and Radius)


or do GP users just use Radius.


I believe that the server was set up to do radius/OTP/LDAP and we have both the portal and the gateway set to that same server for multiauth

OK so i would assume that GP users can use ldap or OTP, and native client users can also use either ldap or OTP or have i missed something here..

what happens if native user tries OTP

Regarding your cookie auth for GP OTP.


it depends on how much you trust the users.


you can set the cookie so that once generated it can be used all day to authenticate, probably dangerous if a device is lost or stolen.


you can also choose if it will auth both portal and gateway or just gateway.


this is how i use it.


user connects with GP, GP prompts for username, PIN and OTP. if succesful then GP is issued a cookie, this is what is used to auth to the gateway.


I only allow cookie for 1 min as user should reach the gateway a few seconds after authenticating to the portal.


if the user disconnects or is disconnected then they reconnect when they next need to and enter OTP again.


So do you set the auth profile for both the gateway and the portal to the radius/OTP/LDAP server and then set authentication overide to "Accept cookie for authentication override" on the gateway? Do you have to set "Generate cookie for authentication override on the portal" or no setting on the portal under authentication override?


But I do know I want the prompt for the PIN/token on the portal and then passed to the gateway and a limited cookie time

  • 29 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!