Been using RADIUS auth to portal with auth override to gateway for years, but it seems to now be playing up... Gateway is requesting RADIUS auth and ignoring override settings.
This is the same issue on both Windoze and iOS.
PA 3020 9.1.14
We have no custom checks, just RADIUS auth (which is working fine).
Many thanks in advance...
How long ago has the cert expired vs. your cookie lifetime? I would think signing a cookie with an expired cert should fail... it is no longer valid after all, but a cookie that was signed before the cert expired might still be valid until the cookie expires.
Look in the logs for the accepted/rejected cookie status. I am not running cookies to auth any longer, but when I was, the cookie status would show up in the description/error field. It was either in the System logs "( subtype eq auth )" or the GlobalProtect logs "( ( eventid eq gateway-prelogin ) or ( eventid eq gateway-auth ) )", I can't recall.
The certificate expired years ago, it just seems to use the keys for cookie encrypt/decrypt.
I have added a new cert and portal/gateway on one of the failing devices and still no good.
There are no errors in PA or GP logs. The log output for both is the same if you remove the option to accept cookies... it just prompts for OTP. It seems to ignore the accept option, but it shows as selected when you do show gateway…… on CLI.
Thanks again for your help Adrian, that was one of the first things I looked into as I had a similar issue years ago. We do use NTP, and the CLI time check and dashboard show time is spot on….
I have logged a call with our Palo support and they are also struggling for a reason/solution. I’m going to bounce one of the gateways tonight as it has been up for 135 days…. Clutching at straws but you never know, thanks again for your time.