09-28-2022 02:52 AM
Been using RADIUS auth to the portal with auth override to the gateway for years, but it seems to now be playing up... The gateway is requesting RADIUS auth and ignoring the override settings.
This is the same issue on both Windoze and iOS.
PA-3020, PAN-OS 9.1.14
We have no custom checks, just RADIUS auth (which is working fine).
Many thanks in advance...
09-29-2022 12:56 PM
Override using a cookie signed on the Portal and accepted on the Gateway? Has the certificate used to encrypt/decrypt the cookie possibly expired?
09-29-2022 01:05 PM
Hi Adrian, many thanks for your reply. Yes, it has expired... but it has expired on the portal and six gateways, yet one of the gateways is still accepting the override. This has the same settings as all the other five gateways that are failing...
09-29-2022 01:28 PM
How long ago did the cert expire vs. your cookie lifetime? I would think signing a cookie with an expired cert should fail... it is no longer valid, after all, but a cookie that was signed before the cert expired might still be valid until the cookie expires.
Look in the logs for the accepted/rejected cookie status. I am not running cookies for auth any longer, but when I was, the cookie status would show up in the description/error field. It was either in the System logs "( subtype eq auth )" or the GlobalProtect logs "( ( eventid eq gateway-prelogin ) or ( eventid eq gateway-auth ) )"; I can't recall which.
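The log check suggested above, as an added example that is not part of the original post or of any Palo Alto tooling: it applies a filter written in the same syntax as the two filters quoted ("( subtype eq auth )", "( ( eventid eq gateway-prelogin ) or ( eventid eq gateway-auth ) )") to exported log records and pulls the cookie accepted/rejected status out of the description field. The filter grammar implemented is only the subset used in this thread (parentheses, eq/neq, and/or), and the sample records, their field names and their description strings are constructed for illustration, not real PAN-OS output.

```python
"""Apply PAN-OS-style log filters to exported log records and report the
authentication-cookie status found in the description field.

Added example for this thread; not Palo Alto code.  The grammar below covers
only the filter subset quoted in the thread: ( ... ), eq, neq, and, or.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

Record = Dict[str, str]
Matcher = Callable[[Record], bool]

# Tokens are parentheses or runs of non-whitespace (field names, operators, values).
_TOKEN = re.compile(r"\(|\)|\S+")


def parse_filter(expr: str) -> Matcher:
    """Compile a filter such as "( subtype eq auth )" into a predicate on a record."""
    tokens = _TOKEN.findall(expr)
    pos = 0

    def peek() -> Optional[str]:
        return tokens[pos] if pos < len(tokens) else None

    def take() -> str:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of filter")
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or() -> Matcher:
        node = parse_and()
        while peek() == "or":
            take()
            lhs, rhs = node, parse_and()
            node = lambda r, a=lhs, b=rhs: a(r) or b(r)
        return node

    def parse_and() -> Matcher:
        node = parse_atom()
        while peek() == "and":
            take()
            lhs, rhs = node, parse_atom()
            node = lambda r, a=lhs, b=rhs: a(r) and b(r)
        return node

    def parse_atom() -> Matcher:
        if peek() == "(":
            take()
            node = parse_or()
            if take() != ")":
                raise ValueError("expected ')'")
            return node
        field, op, value = take(), take(), take().strip("'\"")
        if op == "eq":
            return lambda r, f=field, v=value: r.get(f, "") == v
        if op == "neq":
            return lambda r, f=field, v=value: r.get(f, "") != v
        raise ValueError(f"unsupported operator {op!r}")

    node = parse_or()
    if peek() is not None:
        raise ValueError(f"trailing token {peek()!r}")
    return node


# Assumed wording: the status word follows "cookie" in the description/error field.
_COOKIE_STATUS = re.compile(r"cookie\b.*?\b(accepted|rejected|expired|invalid)", re.I)


def cookie_status(record: Record) -> Optional[str]:
    """Return the cookie status word in a record's description, or None if absent."""
    m = _COOKIE_STATUS.search(record.get("description", ""))
    return m.group(1).lower() if m else None


def scan(records: List[Record], filter_expr: str) -> List[Tuple[str, str, str, str]]:
    """Rows of (time, eventid, user, cookie status) for records passing the filter."""
    match = parse_filter(filter_expr)
    rows = []
    for r in records:
        status = cookie_status(r) if match(r) else None
        if status:
            rows.append((r.get("time", ""), r.get("eventid", ""), r.get("user", ""), status))
    return rows


# Constructed sample GlobalProtect log records (field names and text are illustrative).
SAMPLE_GP_LOGS: List[Record] = [
    {"time": "2022/09/30 00:10:02", "eventid": "portal-auth", "user": "jsmith",
     "description": "RADIUS authentication succeeded"},
    {"time": "2022/09/30 00:10:05", "eventid": "gateway-prelogin", "user": "jsmith",
     "description": "gateway prelogin succeeded"},
    {"time": "2022/09/30 00:10:06", "eventid": "gateway-auth", "user": "jsmith",
     "description": "Authentication cookie rejected: cookie expired"},
    {"time": "2022/09/30 00:10:09", "eventid": "gateway-auth", "user": "jsmith",
     "description": "RADIUS authentication succeeded"},
    {"time": "2022/09/30 00:12:41", "eventid": "gateway-auth", "user": "adoe",
     "description": "Authentication cookie accepted"},
]

GP_FILTER = "( ( eventid eq gateway-prelogin ) or ( eventid eq gateway-auth ) )"

if __name__ == "__main__":
    for row in scan(SAMPLE_GP_LOGS, GP_FILTER):
        print(*row)
```

A "rejected" gateway-auth row followed a few seconds later by a RADIUS success for the same user is the fall-back-to-OTP pattern described in this thread; a gateway that is honouring the override shows "accepted" and no second RADIUS exchange.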
09-30-2022 12:33 AM
The certificate expired years ago; it just seems to use the keys for cookie encrypt/decrypt.
I have added a new cert and portal/gateway on one of the failing devices, and it is still no good.
There are no errors in the PA or GP logs. The log output for both is the same as if you remove the option to accept cookies... it just prompts for OTP. It seems to ignore the accept option, but it shows as selected when you do show gateway…… on the CLI.
09-30-2022 09:31 AM
The only other thing I can think of at the moment is that the firewall and/or client clocks are way out. Are you using NTP/etc. to keep clocks synced to a common time?
09-30-2022 09:50 AM
Thanks again for your help, Adrian. That was one of the first things I looked into, as I had a similar issue years ago. We do use NTP, and the CLI time check and dashboard show the time is spot on….
I have logged a call with our Palo support and they are also struggling for a reason/solution. I'm going to bounce one of the gateways tonight, as it's been up for 135 days…. Clutching at straws, but you never know. Thanks again for your time.