This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

PA 7.0, GP and RSA-ID double authentication

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PA 7.0, GP and RSA-ID double authentication

nikoo
L3 Networker

‎03-07-2017 04:02 AM

Hi,

 

There is a deployment with RSA-ID as OTP and GP as VPN client (3.1 or 3.0). PAN-OS version 7.0.14.

After the recent upgrade from 6.x to 7.x an issue showed up - when authenticating from GP - login information is asked twice.

This seems like a known issue:

https://community.rsa.com/docs/DOC-46969

I've adjusted the PA settings according to this: https://live.paloaltonetworks.com/t5/Management-Articles/GlobalProtect-with-RSA-OTP-behavior-change-...

But that did not help, double authentication is still asked every time. GP client was reinstalled and local data cleared.

 

Basically, after investigation of PA logs, it can be seen that when client connects, he's asked for the username and passcode (PIN+Code). After that the connection is accepted by RADIUS (RSA) and instantly there is a new request made by PA in a blink of an eye and that is rejected. Due to that a new login is required - after that connection succeeds, connection is accepted and VPN connection established.

 

Is this really how it should work and there is no way around it? 

0 Likes Likes
3 REPLIES 3

nikoo
L3 Networker

‎03-09-2017 12:18 AM

A little bump, maybe still someone has some insight?

0 Likes Likes

VinceM
L5 Sessionator

‎03-09-2017 02:29 AM

Hi,

 

OTP is Ine Time Password .. but for GP, you need one auth onportal and one on gateway 🙂 Mean you need Two Time Password 🙂

or you just have to confogure on partial cookie generation and allow you rgatewy to use this cookie for authentication.

https://www.paloaltonetworks.com.br/documentation/71/globalprotect/globalprotect-admin-guide/set-up-...

 

Hope help.

 

V.

0 Likes Likes

nikoo
L3 Networker
In response to VinceM

‎03-15-2017 01:09 AM

Yea, it should be OTP, but turned out as TTP. 🙂

 

Well, fine, will upgrade to 7.1 when possible although there was a cookie to feed for the client in 7.0 as well, but that did not do the trick. We'll see if this will make it better.

0 Likes Likes
  • 3060 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks