Global Protect / DUO 2F

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global Protect / DUO 2F

L1 Bithead

Yesterday, I posted a very detailed message regarding GP / MF.  Let me ask this... maybe to broad of a question...

 

I integrated PAN GP 2f using DUO and all works great ( I will get to the one exception ).  First factor is LDAP and 2nd factor is radius against an in-house DUO Proxy application ( 1812 ).  Remote user start GP client... enters creds.. ldap auth is good... 2f is radius... this is good.... duo send message to the iphone duo app... select accept and all is fine and the user is successfully connected.  The exception... if DUO is set to actually RING the user.... user receives the DUO call... pick and hit # to accept and at that instant the GP client closes and no connection.  If you see my post from yesterday you will see details.

 

One very interesting footnote... last night I tested, just to better captured logs and ALL WORKED!!  And I just tested again and all works... strange behavior.

 

For what I have mentioned here.... has anyone experienced this DUO phone call behavior ???

 

Thanks... Tom

2 REPLIES 2

L6 Presenter

I have occasionally seen that behavior, where the GP client immediately closes/fails the Gateway connection attempt. Cancelling the connection or (re)selecting a different Portal seems to fix it. You may also want to look at the system logs and see if the DUO radius server sent back a failed result to the authentication report.

L1 Bithead

Adrian... Thanks for your reply, much appreciated.  This is a strange, strange problem.  For me, everything works great with DUO auth, for others either DUO does not work at all ( with an actual call ) or all works and then does not.  Firewall logs look great ( authd.log  and GP logs, except when DUO Call fails, the GP logs do not hand out an address from the pool, which is expected when the DUO fails.  But authd logs are grerat... never a problem... all protocol handshake is fine... even when this fails for the user and I am very experienced with troubleshooting raidus / ldap / GP..... but the logs look great.  I can also use multiple different clients and never a problem for me.  Also, this is a new PAN install... I replaced an ASA and prior to the PAN, the customer was using DUO with the callback feature and no problems.  I have a case into PAN PS.  This is very strange.  I wanted the user to help me with a couple of tests.... have them login as me and me as them and observe results, but they could not work with me. I am trying to find the very difficult failure pattern.

  • 1463 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!