Recently I enabled IPSEC and X-Auth for the GlobalProtect Gateway, hoping to let my mobile users use remote IPSEC access VPN. But it didn't work, as my iPhone kept showing "user authentication failed". I am pretty sure the configs on both PAN and Mobile are correct. How should I troubleshoot this?
I use Radius and 2FA for GlobalProtect client's authentication. I suspect 2FA may be the one causing the authentication failure?
Agreed that it would be the external authentication that is your issue.
ssh into your FW and run
tail follow yes mp-log authd.log and attempt to log in.
You should be able to see where your auth failed.
Recall that the FW is not the one authenticating you; the Radius server is.
So if your Radius server IP and the preshared key are correct (and ensure you are doing PAP exclusively), then it would be the Radius server that is your failing point.
Thanks for the reply.
I did tail the log; it showed as below.
It turned out that the iPhone was unable to prompt for the 2FA authentication. I was prompted for user account authentication. No matter what I input, OTP or my credential, it always shows
Negotiation with the VPN server failed.
Hello again. As you pointed out, there still appears to be a configuration for requiring OTP. If it was sent for LDAP authentication, then it should not be asking for OTP. Why does the screen still show this?
If you disabled this requirement, then I believe the FW would work. If you need OTP, then when you pass whatever OTP or creds, you are sending them TO the Radius server.
You can try to config local authentication (Device ==> Local Users) and create an Auth Profile that points to the Local Users. Do this as a test. If you can authenticate locally, but cannot when you implement Radius, then you would come to the conclusion that it is the external authentication profile that is preventing access.
The best and recommended course is to purchase a Global Protect gateway subscription license; ideally, this is the proper way to implement Global Protect for mobile devices. The XAuth was really for Linux machines.