Hi, we have a few clients using GlobalProtect as VPN (various versions), some are authenticating using 2FA, using SecurEnvoy as a RADIUS server.
What we're seeing is as follows - the user has an authenticated VPN connection, then their network connection drops for some reason (they put the laptop to sleep, their wireless goes off, etc. etc. - the cause doesn't appear to be relevant).
When the physical network connection re-establishes, GlobalProtect tries to re-establish the VPN link. When it does, as far as the user sees, they're prompted for a new SecurEnvoy code, they enter it, all's well. However, what has happened in the background, it seems, is that GP has already tried to use its previous SecurEnvoy code to authenticate with RADIUS. That fails, obviously - SecurEnvoy reports a "Soft Token Already Used" error, GP shows "Invalid username or password" in the system log. SecurEnvoy also increments its bad password count for that user. Only then does the user get prompted for a new code.
If the user then dismisses the prompt to sign in to VPN - either by clicking "cancel" or the "X" - the process repeats. If they dismiss the prompt to connect ten times (the max number of failed logins permitted in SecurEnvoy), their account is disabled and they can't connect at all until their account is re-enabled. That ten times can happen in the space of 6 or 7 minutes.
We've mitigated this to some extent with advising users on the correct behaviour - just log in the first time when prompted - and the number of lockouts has dropped, but we still see the errors, and it's still a potential problem.
Is this the expected behaviour from GlobalProtect? Anyone else seen this kind of behaviour? With other RADIUS solutions?
Issue being seen on - for example - Software Version 7.1.0, GlobalProtect Agent 3.1.4 with SecurEnvoy Version 7.2.504 running on 2008 R2
Appreciate any comments.
we have over 3000 users on globalprotect that authenticate via sucurenvoy and are having no issues. i am happy to assist further if needed but firstly i would ensure that you do not have "save users credentials" enabled.
are you using one time passcodes or 7 day validation with securenvoy.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!