- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
03-07-2017 04:02 AM
Hi,
There is a deployment with RSA-ID as OTP and GP as VPN client (3.1 or 3.0). PAN-OS version 7.0.14.
After the recent upgrade from 6.x to 7.x an issue showed up - when authenticating from GP - login information is asked twice.
This seems like a known issue:
https://community.rsa.com/docs/DOC-46969
I've adjusted the PA settings according to this: https://live.paloaltonetworks.com/t5/Management-Articles/GlobalProtect-with-RSA-OTP-behavior-change-...
But that did not help, double authentication is still asked every time. GP client was reinstalled and local data cleared.
Basically, after investigation of PA logs, it can be seen that when client connects, he's asked for the username and passcode (PIN+Code). After that the connection is accepted by RADIUS (RSA) and instantly there is a new request made by PA in a blink of an eye and that is rejected. Due to that a new login is required - after that connection succeeds, connection is accepted and VPN connection established.
Is this really how it should work and there is no way around it?
03-09-2017 02:29 AM
Hi,
OTP is Ine Time Password .. but for GP, you need one auth onportal and one on gateway 🙂 Mean you need Two Time Password 🙂
or you just have to confogure on partial cookie generation and allow you rgatewy to use this cookie for authentication.
Hope help.
V.
03-15-2017 01:09 AM
Yea, it should be OTP, but turned out as TTP. 🙂
Well, fine, will upgrade to 7.1 when possible although there was a cookie to feed for the client in 7.0 as well, but that did not do the trick. We'll see if this will make it better.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!