08-10-2022 06:37 AM
Hello Everybody,
We have recently upgraded our Firewalls to PanOs 10.2.2. We have DUO as a second factor authentication.
The config we have is with "Always On" , from the upgrade, When a Computer starts, the user enter the credentials, and then Globalprotect try to connect to the VPN (Single Sign on active). The trouble arrives if the user forget to answer the second factor popup (because the computer is inside our lan, p.Ex.), Globalprotect retries indefinitely and DUO blocks the user.
We doesn't have any problem like this in the past.
We had some changes without success, Any help on that?
Regards
JL
08-11-2022 10:15 PM
Hi @jlmudarra , if the user answers the 2nd factor prompt are they able to login successfully?
08-12-2022 06:39 AM
Yes, Always. In just in this PanOs version 10.2.2 that we're experiencing this trouble. The users allways receive the DUO 2FA petition... Is they accepts all OK, if the user don't do anything Globalprotect continues sending more petitions and DUO blocks at 10 attemps.
Regards
08-15-2022 08:36 AM
I always recommend that you enable 2FA/MFA ONLY on the gateway side and not on the portal side of the FW.
This way, they are only needing to answer the MFA 1x and not 2 times.
08-15-2022 10:55 PM
Yes, this is not the problem. With our old PanOS version 10.1.4 was working fine, now with the 10.2.2 not. A lot of petitions if the user are not waiting and not accepting the 2FA ticket.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
