With PanOs and DUO (As 2FA), Entering on Windows Globalprotect ask to duo indefinitely.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

With PanOs and DUO (As 2FA), Entering on Windows Globalprotect ask to duo indefinitely.

L1 Bithead

Hello Everybody,

 

We have recently upgraded our Firewalls to PanOs 10.2.2. We have DUO as a second factor authentication. 

 

The config we have is with "Always On" , from the upgrade, When a Computer starts, the user enter the credentials, and then Globalprotect try to connect to the VPN (Single Sign on active). The trouble arrives if the user forget to answer the second factor popup (because the computer is inside our lan, p.Ex.), Globalprotect retries indefinitely and DUO blocks the user.

 

We doesn't have any problem like this in the past.

 

We had some changes without success, Any help on that?

 

Regards

JL

4 REPLIES 4

Community Team Member

Hi @jlmudarra , if the user answers the 2nd factor prompt are they able to login successfully? 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Yes, Always. In just in this PanOs version 10.2.2 that we're experiencing this trouble. The users allways receive the DUO 2FA petition... Is they accepts all OK, if the user don't do anything Globalprotect continues sending more petitions and DUO blocks at 10 attemps.

 

Regards

 

Cyber Elite
Cyber Elite

I always recommend that you enable 2FA/MFA ONLY on the gateway side and not on the portal side of the FW.
This way, they are only needing to answer the MFA 1x and not 2 times.

Help the community: Like helpful comments and mark solutions

Yes, this is not the problem. With our old PanOS version 10.1.4 was working fine, now with the 10.2.2 not. A lot of petitions if the user are not waiting and not accepting the 2FA ticket.

  • 1486 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!