Global Protect with Duo MFA


L3 Networker

Hi Friends,

 

We have configured Duo MFA for GlobalProtect users.

We have configured all the requirements for Duo using the link mentioned below.

https://duo.com/docs/paloalto

 

But the MFA is still not working.

I have some logs related to this.

Can you please help me find where we are missing something or making a mistake?

 

Logs :

 

2023-06-12 13:32:04.800 -0700 debug: _authenticate_initial(pan_auth_state_engine.c:2459): Trying to authenticate (init auth): <profile: "DUO-Authentication-Profile", vsys: "vsys1", policy: "", username "rajeev"> ; timeout setting: 25 secs ; authd id: 7243124266353295669
2023-06-12 13:32:04.800 -0700 debug: _get_auth_prof_detail(pan_auth_util.c:1112): non-admin user thru Global Protect "rajeev" ; auth profile "DUO-Authentication-Profile" ; vsys "vsys1"
2023-06-12 13:32:04.800 -0700 debug: _get_authseq_profile(pan_auth_util.c:893): Auth profile/vsys (DUO-Authentication-Profile/vsys1) is NOT auth sequence
2023-06-12 13:32:04.800 -0700 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for DUO-Authentication-Profile-vsys1-mfa
2023-06-12 13:32:04.800 -0700 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1068): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: DUO-Authentication-Profile/vsys1)
2023-06-12 13:32:04.800 -0700 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1079): MFA configured, but bypassed for GP user ''. (prof/vsys: DUO-Authentication-Profile/vsys1)
2023-06-12 13:32:04.800 -0700 debug: _authenticate_initial(pan_auth_state_engine.c:2648): Keep original username, i.e., whatever end-user typed, "rajeev" in request->username
2023-06-12 13:32:04.801 -0700 debug: pan_auth_locklist_response_process(pan_auth_state_engine.c:4358): b_postauth_grpcheck=true, delay allow list check
2023-06-12 13:32:04.801 -0700 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1892): Authenticating user "rajeev" with <profile: "DUO-Authentication-Profile", vsys: "vsys1">
2023-06-12 13:32:04.801 -0700 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for DUO-Authentication-Profile-vsys1
2023-06-12 13:32:04.801 -0700 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:236): username: rajeev
2023-06-12 13:32:04.801 -0700 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:396): RADIUS request type: PAP
2023-06-12 13:32:30.407 -0700 debug: auth_svr_timeout_sent_request(pan_auth_svr.c:263): timeout auth request (authd id=7243124266353295669, username=rajeev) since total elapsed sec 26 >= max allowed secs: 25
2023-06-12 13:32:30.407 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:4554): auth status: auth timed out
2023-06-12 13:32:30.407 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:4810): Auth FAILED for user "rajeev" thru <"DUO-Authentication-Profile", "vsys1">: remote server 192.168.10.198 of server profile "DUO-Service-Profile" is down, or in retry interval, or request timed out (elapsed time 26 secs, max allowed 25 secs)
2023-06-12 13:32:30.407 -0700 failed authentication for user 'rajeev'. Reason: Authentication request is timed out. auth profile 'DUO-Authentication-Profile', vsys 'vsys1', server profile 'DUO-Service-Profile', server address '192.168.10.198', auth protocol 'PAP', From: 49.14.159.62.
2023-06-12 13:32:30.407 -0700 debug: _log_auth_respone(pan_auth_server.c:311): Sent PAN_AUTH_FAILURE auth response for user 'rajeev' (exp_in_days=0 (-1 never; 0 within a day))(authd_id: 7243124266353295669)
2023-06-12 13:32:47.374 -0700 debug: cfgagent_opcmd_callback(pan_cfgagent.c:520): authd: cfg agent received op command from server
2023-06-12 13:32:47.374 -0700 debug: cfgagent_doop_callback(pan_cfgagent.c:555): received signal to execute for agent: authd
2023-06-12 13:32:47.374 -0700 debug: pan_authd_opcmd_handler(pan_auth_ops.c:1057): Start executing cmd: "show_user_auth_stat_internal"
2023-06-12 13:32:47.375 -0700 debug: pan_authd_show_user_auth_stat_internal(pan_auth_ops.c:997): Got admin user "admin" last successful login time: 06/12/2023 11:18:58 ; number of failed attempts since last successful login: 0
2023-06-12 13:32:47.375 -0700 debug: pan_authd_opcmd_handler(pan_auth_ops.c:1062): Return: "<last-successful-login-time>06/12/2023 11:18:58</last-successful-login-time><failed-attempts-since-last-successful-login>0</failed-attempts-since-last-successful-login>"
2023-06-12 13:32:47.375 -0700 debug: pan_authd_opcmd_handler(pan_auth_ops.c:1063): Finish executing cmd: "show_user_auth_stat_internal"
2023-06-12 13:32:49.841 -0700 debug: cfgagent_opcmd_callback(pan_cfgagent.c:520): authd: cfg agent received op command from server
2023-06-12 13:32:49.841 -0700 debug: cfgagent_doop_callback(pan_cfgagent.c:555): received signal to execute for agent: authd
2023-06-12 13:32:49.841 -0700 debug: pan_authd_opcmd_handler(pan_auth_ops.c:1057): Start executing cmd: "show_user_auth_stat_internal"
2023-06-12 13:32:49.841 -0700 debug: pan_authd_show_user_auth_stat_internal(pan_auth_ops.c:997): Got admin user "admin" last successful login time: 06/12/2023 11:18:58 ; number of failed attempts since last successful login: 0
2023-06-12 13:32:49.841 -0700 debug: pan_authd_opcmd_handler(pan_auth_ops.c:1062): Return: "<last-successful-login-time>06/12/2023 11:18:58</last-successful-login-time><failed-attempts-since-last-successful-login>0</failed-attempts-since-last-successful-login>"
2023-06-12 13:32:49.841 -0700 debug: pan_authd_opcmd_handler(pan_auth_ops.c:1063): Finish executing cmd: "show_user_auth_stat_internal"

 

Thanks and Regards

Satya Kalyan.
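To make the authd output above easier to read, here is an added triage script (my own example, not Palo Alto's or Duo's code, and not part of the original post). It scans authd debug lines for the markers that appear in the post (the "RADIUS request type" line, the "timeout auth request" line with its elapsed/max seconds, the "remote server ... is down" line, the final "failed authentication" summary, and the "MFA is not configured for the auth profile" line) and returns a structured verdict. The regular expressions are written against the line formats quoted in the post; the sample log is a constructed subset of those lines.

```python
import re
from typing import Any, Dict

# Constructed sample: a subset of the authd debug lines quoted in the post above.
SAMPLE_AUTHD_LOG = """\
2023-06-12 13:32:04.800 -0700 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for DUO-Authentication-Profile-vsys1-mfa
2023-06-12 13:32:04.800 -0700 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1068): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: DUO-Authentication-Profile/vsys1)
2023-06-12 13:32:04.801 -0700 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:396): RADIUS request type: PAP
2023-06-12 13:32:30.407 -0700 debug: auth_svr_timeout_sent_request(pan_auth_svr.c:263): timeout auth request (authd id=7243124266353295669, username=rajeev) since total elapsed sec 26 >= max allowed secs: 25
2023-06-12 13:32:30.407 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:4810): Auth FAILED for user "rajeev" thru <"DUO-Authentication-Profile", "vsys1">: remote server 192.168.10.198 of server profile "DUO-Service-Profile" is down, or in retry interval, or request timed out (elapsed time 26 secs, max allowed 25 secs)
2023-06-12 13:32:30.407 -0700 failed authentication for user 'rajeev'. Reason: Authentication request is timed out. auth profile 'DUO-Authentication-Profile', vsys 'vsys1', server profile 'DUO-Service-Profile', server address '192.168.10.198', auth protocol 'PAP', From: 49.14.159.62.
"""

# Patterns derived from the line formats seen in the post (assumed stable, not an official schema).
TIMEOUT_RE = re.compile(
    r"timeout auth request \(authd id=(?P<authd_id>\d+), username=(?P<user>[^)]+)\) "
    r"since total elapsed sec (?P<elapsed>\d+) >= max allowed secs: (?P<max_allowed>\d+)"
)
DOWN_RE = re.compile(
    r'remote server (?P<server>\S+) of server profile "(?P<server_profile>[^"]+)" is down'
)
PROTO_RE = re.compile(r"RADIUS request type: (?P<proto>\w+)")
SUMMARY_RE = re.compile(
    r"failed authentication for user '(?P<user>[^']+)'\. Reason: (?P<reason>[^.]+)\."
)
MFA_MARKER = "MFA is not configured for the auth profile"


def triage_authd(log_text: str) -> Dict[str, Any]:
    """Summarise why a RADIUS/MFA login failed from authd debug output."""
    r: Dict[str, Any] = {
        "username": None, "protocol": None, "server": None, "server_profile": None,
        "elapsed": None, "max_allowed": None, "mfa_not_configured": False,
        "reason": None, "verdict": "unknown", "next_steps": [],
    }
    for line in log_text.splitlines():
        if MFA_MARKER in line:
            r["mfa_not_configured"] = True
        if m := PROTO_RE.search(line):
            r["protocol"] = m.group("proto")
        if m := TIMEOUT_RE.search(line):
            r["username"] = m.group("user")
            r["elapsed"] = int(m.group("elapsed"))
            r["max_allowed"] = int(m.group("max_allowed"))
        if m := DOWN_RE.search(line):
            r["server"] = m.group("server")
            r["server_profile"] = m.group("server_profile")
        if m := SUMMARY_RE.search(line):
            r["username"] = r["username"] or m.group("user")
            r["reason"] = m.group("reason")

    # A timeout means no Access-Accept/Reject ever came back: a reachability or proxy problem,
    # not a credential problem, so connectivity checks come before any timeout tuning.
    if r["elapsed"] is not None and r["elapsed"] >= r["max_allowed"]:
        r["verdict"] = "radius_timeout"
        r["next_steps"] += [
            f"confirm UDP reachability from the firewall's RADIUS source interface to {r['server']}",
            "capture on the proxy host: does the Access-Request arrive, and does a reply leave?",
            "check the proxy's authproxy.log for the request before raising the profile timeout",
        ]
    elif r["reason"]:
        r["verdict"] = "failed: " + r["reason"]
    if r["mfa_not_configured"]:
        r["next_steps"].append(
            "authd shows no MFA server ids on the auth profile; this is expected when the second "
            "factor is enforced by the Duo proxy over RADIUS, so confirm that is the intended design"
        )
    return r


if __name__ == "__main__":
    for key, value in triage_authd(SAMPLE_AUTHD_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved copy of the authd debug log (for example `less mp-log authd.log` output pasted into a file) and compare the verdict with the summary line; for the sample above it reports `radius_timeout` with elapsed 26 against a 25 second limit.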

5 REPLIES

Hi @Satyak ,

I would say the following seems the cause:

2023-06-12 13:32:30.407 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:4810): Auth FAILED for user "rajeev" thru <"DUO-Authentication-Profile", "vsys1">: remote server 192.168.10.198 of server profile "DUO-Service-Profile" is down, or in retry interval, or request timed out (elapsed time 26 secs, max allowed 25 secs)

It looks like your firewall doesn't have access to the RADIUS proxy, or the proxy is not configured properly and it doesn't reply.

By default the PAN FW will use the mgmt interface to reach the RADIUS server (if you haven't configured a service route for it).

- Confirm network connectivity between the FW and the RADIUS proxy.

- Use a packet capture to confirm the server receives traffic from the FW. Is it replying?

L3 Networker

Hi @Satyak ,

From the logs, the firewall does not receive the response from RADIUS until the timeout happens.
2023-06-12 13:32:30.407 -0700 failed authentication for user 'rajeev'. Reason: Authentication request is timed out.  <<<<<

 

I have seen such issues. Please make sure of the following:

1. The RADIUS server uses PAP, as you have that configured in the RADIUS Server profile.
2. Check the connectivity between the RADIUS server and the firewall management interface. From the management interface, try pinging the RADIUS server IP.

3. If the above seems fine, maybe try increasing the timeout under Device > Radius > <Radius Server Profile>.

 

Please let me know how it goes.

 

Regards,

Arnesh

 

 

Hi Aleksandar,

 

There is network connectivity from the firewall to the RADIUS proxy. I have checked it by pinging from the firewall IP to the Duo server IP, and it was pinging.

Can you please help me with what filters I need for a packet capture? I mean, what should be the source IP and what should be the destination IP?

Hi Arnesh,

 

There is reachability from the firewall to the RADIUS server.

I have tried it by pinging from the firewall management IP to the RADIUS server IP.

 

Regards,

Satya Kalyan

Cyber Elite

Hello @Satyak ,

 

As @aleksandar.astardzhiev and @Arnesh mentioned, the request is timing out, which means the NGFW is not receiving a response from the RADIUS server. The link you posted details how to configure RADIUS MFA with the Duo Authentication Proxy (DAP).

 

You should troubleshoot on the DAP now.

 

  1. Launch the Duo Authentication Proxy Manager and verify the proxy is running.
  2. Click the Validate button and verify you have no errors in the right column.
  3. Make sure the client IP, client secret, and port are configured under the [radius_server_auto] section.
  4. Open the C:\Program Files\Duo Security Authentication Proxy\log\authproxy.log file and scroll to the bottom and verify you have received the RADIUS request from the NGFW.

Thanks,

 

Tom
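Step 3 above (client IP, client secret and port under `[radius_server_auto]`) is easy to get subtly wrong, so here is an added sanity check for the proxy's configuration file (my own example, not Duo's code and not from the original post). It assumes the key names used in Duo's authproxy.cfg documentation (`ikey`, `skey`, `api_host`, `radius_ip_N`, `radius_secret_N`, `client`, `port`) and checks that the NGFW's RADIUS source address falls inside one of the listed `radius_ip_N` entries, since the proxy ignores requests from addresses it does not list. The sample configuration is constructed with placeholder values.

```python
import configparser
import ipaddress
from typing import List

# Constructed sample authproxy.cfg with placeholder secrets; key names follow Duo's docs (assumed).
SAMPLE_CFG = """\
[ad_client]
host=10.0.0.5
service_account_username=duo-svc
service_account_password=EXAMPLE-AD-PASSWORD
search_dn=DC=example,DC=local

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=EXAMPLE-SKEY-PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.168.10.1
radius_secret_1=EXAMPLE-RADIUS-SECRET
client=ad_client
port=1812
"""

# Keys the [radius_server_auto] section needs for a working NGFW integration (per Duo's docs, assumed).
REQUIRED_KEYS = ("ikey", "skey", "api_host", "radius_ip_1", "radius_secret_1", "client", "port")


def check_radius_server_auto(cfg_text: str, firewall_ip: str) -> List[str]:
    """Return a list of problems found in the [radius_server_auto] section (empty list = looks sane)."""
    # interpolation=None so a '%' inside a secret is not treated as a format directive
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    problems: List[str] = []

    if "radius_server_auto" not in cp:
        return ["no [radius_server_auto] section: the proxy will not listen for RADIUS at all"]
    sec = cp["radius_server_auto"]

    for key in REQUIRED_KEYS:
        if not sec.get(key):
            problems.append(f"missing {key}")

    port = sec.get("port", "1812")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"port {port!r} is not a valid UDP port")

    # 'client' names the primary-auth section (e.g. ad_client); it must actually exist
    client = sec.get("client")
    if client and client not in cp:
        problems.append(f"client={client} but no [{client}] section exists")

    # The firewall's RADIUS source IP (mgmt unless a service route is set) must be an allowed client
    try:
        fw = ipaddress.ip_address(firewall_ip)
    except ValueError:
        return problems + [f"{firewall_ip!r} is not a valid IP address"]
    allowed = []
    for key, value in sec.items():
        if key.startswith("radius_ip_"):
            try:
                allowed.append(ipaddress.ip_network(value.strip(), strict=False))
            except ValueError:
                problems.append(f"{key}={value!r} is not a valid IP or CIDR")
    if not any(fw in net for net in allowed):
        problems.append(f"firewall source {fw} is not covered by any radius_ip_N entry; proxy will drop its requests")

    for key, value in sec.items():
        if key.startswith("radius_secret_") and len(value) < 8:
            problems.append(f"{key} is shorter than 8 characters")
    return problems


if __name__ == "__main__":
    for problem in check_radius_server_auto(SAMPLE_CFG, "192.168.10.1") or ["no problems found"]:
        print(problem)
```

Feed it the real `authproxy.cfg` contents and the address the NGFW actually sends from (the management IP unless a service route for RADIUS is configured, as noted earlier in the thread); a mismatch there produces exactly the silent timeout seen in the authd log, because the proxy never answers a client it does not list.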
