Global Protect MFA Looping

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect MFA Looping

L1 Bithead

Hello, I am facing a weird issue with Global Protect where after a user authenticates via Okta Radius to the Portal and enters their MFA SMS Key the GP Agent asks for the user to enter the MFA SMS Key again with the response of ('A message was sent or a call was made to the phone in the past 30 seconds. Please try again when 30 secs have passed. Enter '0' to abort.'). Due to this users are unable to authenticate to the portal successfully. From the OKTA logs, I show successful end-to-end authentication, however, GP Monitor Logs show that the authentication response was empty or invalid. I have also pasted mp-auth-logs from Portal/Gateway below:

 

mp-auth-logs from Portal/Gateway

2023-10-18 20:35:03.131 -0500 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:236): username: first.last@domain.com

2023-10-18 20:35:03.131 -0500 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:396): RADIUS request type: PAP

2023-10-18 20:35:03.131 -0500 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:442): added challenge state to access request of length 152

2023-10-18 20:35:03.843 -0500 debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:284): resp_code = RAD_ACCESS_ACCEPT

2023-10-18 20:35:03.843 -0500 debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:317): reply msg = Welcome first.last@domain.com!

2023-10-18 20:35:03.843 -0500 debug: pan_auth_service_recv_response(pan_auth_service_handle.c:1684): Got response for user: "first.last@domain.com"

2023-10-18 20:35:03.843 -0500 debug: pan_auth_response_process(pan_auth_state_engine.c:4554): auth status: auth success

2023-10-18 20:35:03.843 -0500 debug: pan_auth_response_process(pan_auth_state_engine.c:4575): Authentication success: <profile: "auth-radius-profile", vsys: "vsys1", username "first.last@domain.com">

2023-10-18 20:35:03.843 -0500 authenticated for user 'first.last@domain.com'. auth profile 'GP-Auth-Sequence', vsys 'vsys1', server profile 'okta-radius-profile-1', server address 'X.X.X.X', auth protocol 'PAP', reply message 'Welcome first.last@domain.com!' From: X.X.X.X.

2023-10-18 20:35:03.843 -0500 debug: _log_auth_respone(pan_auth_server.c:311): Sent PAN_AUTH_SUCCESS auth response for user 'first.last@domain.com' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 7283618077013479186) (reply message 'Welcome first.last@domain.com!')

2023-10-18 20:35:04.099 -0500 debug: pan_auth_request_process(pan_auth_state_engine.c:3617): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 36578, body length 2448

2023-10-18 20:35:04.099 -0500 debug: _authenticate_initial(pan_auth_state_engine.c:2459): Trying to authenticate (init auth): <profile: "GP-Auth-Sequence", vsys: "vsys1", policy: "", username "first.last@domain.com"> ; timeout setting: 115 secs ; authd id: 7283618077013479188

2023-10-18 20:35:04.099 -0500 debug: _get_auth_prof_detail(pan_auth_util.c:1112): non-admin user thru Global Protect "first.last@domain.com" ; auth profile "GP-Auth-Sequence" ; vsys "vsys1"

2023-10-18 20:35:04.099 -0500 debug: _get_authseq_profile(pan_auth_util.c:893): Auth profile/vsys (GP-Auth-Sequence/vsys1) is auth sequence

2023-10-18 20:35:04.099 -0500 debug: _populate_authseq_auth_vec_n_vsys_vec(pan_auth_util.c:835): auth sequence "GP-Auth-Sequence" enabled flag: use-domain-find-profile

2023-10-18 20:35:04.099 -0500 debug: _has_domain_in_request(pan_auth_util.c:766): Extracted domain info "domain.com" from user name "first.last@domain.com"

2023-10-18 20:35:04.099 -0500 debug: _populate_authseq_auth_vec_n_vsys_vec(pan_auth_util.c:842): can not find auth profile in auth sequence "GP-Auth-Sequence", which has domain "domain.com"2023-10-18 20:35:04.099 -0500 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for auth-radius-profile-vsys1-mfa

2023-10-18 20:35:04.099 -0500 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1068): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: auth-radius-profile/vsys1)

2023-10-18 20:35:04.100 -0500 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1079): MFA configured, but bypassed for GP user ''. (prof/vsys: auth-radius-profile/vsys1)

2023-10-18 20:35:04.100 -0500 debug: _authenticate_initial(pan_auth_state_engine.c:2636): Using auth seq, saving original username first.last@domain.com from request

2023-10-18 20:35:04.100 -0500 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:571): This is a single vsys platform, group check for allow list is performed on "vsys1"

2023-10-18 20:35:04.100 -0500 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1892): Authenticating user "first.last@domain.com" with <profile: "auth-radius-profile", vsys: "vsys1">, which is Auth Profile 1 of 2 in <sequence "GP-Auth-Sequence", vsys "vsys1">

2023-10-18 20:35:04.100 -0500 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for auth-radius-profile-vsys1

2023-10-18 20:35:04.100 -0500 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:236): username: first.last@domain.com

2023-10-18 20:35:04.100 -0500 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:396): RADIUS request type: PAP

2023-10-18 20:35:06.267 -0500 debug: _log_radius_state(pan_authd_radius_prot.c:556): Got challenge state: "ah9wTZBpbVx1AMGNqbjB4UlRSbFC0HrBk6SqqYey8sD4K5VeLflDIQ6kK96RuXhOQb80KNWj8BJjPFGzIOwE+ekD2zVw+SOyS2bcCdmgKDev9Wfchgt6GmLdLMJIY6p32Hk4PQngFhmSgr9zpHHwGA==" of size 152

2023-10-18 20:35:06.267 -0500 debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:292): resp_code = RAD_ACCESS_CHALLENGE

2023-10-18 20:35:06.267 -0500 debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:314): challenge state = ah9wTZBpbVx1AMGNqbjB4UlRSbFC0HrBk6SqqYey8sD4K5VeLflDIQ6kK96RuXhOQb80KNWj8BJjPFGzIOwE+ekD2zVw+SOyS2bcCdmgKDev9Wfchgt6GmLdLMJIY6p32Hk4PQngFhmSgr9zpHHwGA==

2023-10-18 20:35:06.267 -0500 debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:317): reply msg = A message was sent or a call was made to the phone in the past 30 seconds. Please try again when 30 secs have passed. Enter '0' to abort.

2023-10-18 20:35:06.267 -0500 debug: pan_auth_service_recv_response(pan_auth_service_handle.c:1684): Got response for user: "first.last@domain.com"

2023-10-18 20:35:06.267 -0500 debug: pan_auth_response_process(pan_auth_state_engine.c:4554): auth status: auth challenged

2023-10-18 20:35:06.267 -0500 debug: _log_auth_respone(pan_auth_server.c:311): Sent PAN_AUTH_CHLNGE auth response for user 'first.last@domain.com' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 7283618077013479188) (reply message 'A message was sent or a call was made to the phone in the past 30 seconds. Please try again when 30 secs have passed. Enter '0' to abort.')

 

Here are a few details regarding my setup and Portal/Gateway:

- Running 10.2.6 PanOS

- Running 6.1.0 and 6.0.7 GP Client

- Using OKTA Global Protect Radius Agent for authentication (Timeout set to 60sec and 1 retry)

- Generate Cookie Encrypt is running on Portal (using the same Cert as Gateway) Lifetime set for 24 hours.

- Accept Cookie Decrypt is running on Gateway (using the same Cert as Portal) Lifetime set for 24hrs.

 

I have tried opening a sev 1 panTAC case but unfortunately, no one from Support knows how to resolve this issue and currently users are unable to connect via GP VPN at the moment.

1 accepted solution

Accepted Solutions

L1 Bithead

This issue has been resolved. In my configuration, I was using an Authentication Sequence for the Gateway and Portal Configuration. The Authentication Sequence included an OKTA Radius Server at the top and a Local Database below that. Once I removed the Authentication Sequence from by Gateway and Portal Authentication Settings and converted it to the Authentication Profile which included my two OKTA Radius Servers, the issue went away. Based on my research, I assume you can not include non-LDAP or non-local Databases in an Authentication Sequence which is the reason for this failure. 

View solution in original post

1 REPLY 1

L1 Bithead

This issue has been resolved. In my configuration, I was using an Authentication Sequence for the Gateway and Portal Configuration. The Authentication Sequence included an OKTA Radius Server at the top and a Local Database below that. Once I removed the Authentication Sequence from by Gateway and Portal Authentication Settings and converted it to the Authentication Profile which included my two OKTA Radius Servers, the issue went away. Based on my research, I assume you can not include non-LDAP or non-local Databases in an Authentication Sequence which is the reason for this failure. 

  • 1 accepted solution
  • 1884 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!