- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
12-28-2021 08:22 AM
We need GlobalProtect setup with DUO via RADIUS and we need the user to have to manually re-auth after 11 hours. We have struggling to get this to work. Login Lifetime or Cookie Auth Expiration both automatically re-auth the user even when GlobalProtect is set to On-Demand and set to not remember username and password. (The biggest issue with the auto re-auth is random DUO prompts on user devices that they do not expect and eventual lockouts). We have verified SSO is off and have tried with and without authentication cookies.
Please someone advise on recommended settings for what we need.
Or...confirm for me that I am hitting a bug lol. GlobalProtect
12-28-2021 03:41 PM
We are doing the same authentication, external DUO via radius, and had the same problem with phantom DUO requests. Eventually we came up with a work around, but with a few caveats.
1) GP Portal -> Authentication:
Setup your DUO authentication profile
2) GP Portal -> Agent -> [profile] -> Authentication:
Create an Authentication Override, select "Generate cookie for auth" (do not accept a cookie for auth), use a self-gen cert.
3) GP Portal -> Agent -> [profile] -> Authentication:
Under Components that Require Dynamic Passwords, check "Portal", "External Gateway - manual", and "External Gateway - auto".
4) GP Portal -> Agent -> [profile] -> App:
Turn off Use Single Sign-On.
5) GP Gateway -> Authentication:
Setup your DUO authentication profile.
6) GP Gateway -> Agent -> Timeout Settings:
Set a shorter "Login Lifetim"e interval for the gateway than the portal "GP App Config Refresh Interval" (under GP Portal -> Agent -> [profile] -> App).
7) GP Gateway -> Agent -> Client settings -> [profile] -> Authentication Override:
Select "Accept cookie for auth" (not generate), set a very short cookie lifetime (a few minutes), and select the cert you generated the cookie from on the portal.
So when you first connect, the GP client authenticates against the portal and get a DUO push. On successful auth the client gets pushed a cookie and immediately connects to the gateway, which bypasses the second DUO request there. When the gateway lifetime expires the client tries to reconnect automatically with the cookie and is rejected as expired. The client then prompts for user/pass do to the Dynamic Passwords override and waits for user input. You can re-enter your creds, get a DUO push from the gateway, and reconnect. When the portal refresh expires the client tries to reconnect to the portal automatically with the cookie and is rejected. As Dynamic Passwords is overriding, the portal will then prompt for user/pass IF the gateway is not already connected AND the gateway refresh has not already prompted.
Now the goofiness... Perhaps the biggest problem is that the portal can no longer refresh the GP client config. You will see the GP client try to automatically connect in the logs, but it is always rejected. In order to update the config you have to manually disconnect from the portal (disconnect or select a different portal if allowed) or reboot the PC. For users that always leave their PCs on/lock the PC and walk away with the VPN connected, this can create a problem with pushing portal/gateway config updates. Additionally, sometimes the user will briefly see the portal user/pass prompt after you have entered the gateway user/pass and are awaiting the DUO push to confirm. If you are fast and re-enter creds in that second prompt, thinking you mistyped the first, you will end up getting logged back out of the gateway and kicked all the way back to a new portal login.
It's working for us to have a single DUO sign-on and not have phantom DUO requests on timeout, but its not perfect. Currently, I'm trying to get certificate authentication working on the portal, and have DUO just on the gateway, so the client could auto refresh configs at any time, but so far I can't seem to get the client to supply the cert....
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!