PA 7.0, GP and RSA-ID double authentication


L3 Networker

Hi,

 

There is a deployment with RSA-ID as OTP and GP as VPN client (3.1 or 3.0). PAN-OS version 7.0.14.

After the recent upgrade from 6.x to 7.x an issue showed up - when authenticating from GP - login information is asked twice.

This seems like a known issue:

https://community.rsa.com/docs/DOC-46969

I've adjusted the PA settings according to this: https://live.paloaltonetworks.com/t5/Management-Articles/GlobalProtect-with-RSA-OTP-behavior-change-...

But that did not help, double authentication is still asked every time. GP client was reinstalled and local data cleared.

 

Basically, after investigating the PA logs, it can be seen that when the client connects, it is asked for the username and passcode (PIN+Code). After that the connection is accepted by RADIUS (RSA), and instantly, in the blink of an eye, a new request is made by the PA and that one is rejected. Because of that a new login is required - after that the connection is accepted and the VPN connection is established.

 

Is this really how it should work and there is no way around it? 

3 REPLIES

L3 Networker

A little bump, maybe still someone has some insight?

L5 Sessionator

Hi,

 

OTP is One Time Password... but for GP, you need one auth on the portal and one on the gateway 🙂 Meaning you need a Two Time Password 🙂

Or you just have to configure portal cookie generation and allow your gateway to use this cookie for authentication.

https://www.paloaltonetworks.com.br/documentation/71/globalprotect/globalprotect-admin-guide/set-up-...

 

Hope this helps.

 

V.

Yea, it should be OTP, but turned out as TTP. 🙂

 

Well, fine, will upgrade to 7.1 when possible although there was a cookie to feed for the client in 7.0 as well, but that did not do the trick. We'll see if this will make it better.
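Added example, not part of the original thread: a small Python check that finds the symptom described in the first post, a RADIUS accept followed almost instantly by a reject for the same user. The log layout, user names, timestamps and the 2-second window are constructed assumptions and do not reproduce the PAN-OS or RSA log formats.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified "timestamp user result" layout.
# This is NOT the PAN-OS or RSA Authentication Manager log format.
SAMPLE_LOG = """\
2017-03-01T09:15:02.120 alice Access-Accept
2017-03-01T09:15:02.480 alice Access-Reject
2017-03-01T09:15:41.900 alice Access-Accept
2017-03-01T09:20:10.000 bob Access-Reject
2017-03-01T09:21:05.000 bob Access-Accept
2017-03-01T09:30:00.000 carol Access-Accept
2017-03-01T09:30:00.300 carol Access-Reject
"""

def parse_events(text):
    """Yield (timestamp, user, result) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]

def find_accept_then_reject(events, window=timedelta(seconds=2)):
    """Return (user, accept_ts, reject_ts) for every reject that follows an
    accept for the same user inside the window, the pattern from the thread."""
    last_accept = {}
    hits = []
    for ts, user, result in sorted(events):
        if result == "Access-Accept":
            last_accept[user] = ts
        elif result == "Access-Reject":
            # A reject with no recent accept (bob) is an ordinary failed login.
            accepted = last_accept.pop(user, None)
            if accepted is not None and ts - accepted <= window:
                hits.append((user, accepted, ts))
    return hits

if __name__ == "__main__":
    for user, acc, rej in find_accept_then_reject(parse_events(SAMPLE_LOG)):
        gap = (rej - acc).total_seconds()
        print(f"{user}: accept {acc.time()} then reject {rej.time()} ({gap:.3f}s apart)")
```

Counting these pairs per user before and after a configuration change shows whether the second request is still being sent.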
