10-16-2024 02:32 PM - edited 10-16-2024 02:33 PM
Currently have GlobalProtect configured as such:
Portal:
LDAP Auth Profile (Active Directory)
Gateway:
RADIUS Auth Profile (DUO)
The desire is for users to log in with username/password and when successful, be prompted for DUO approval. If a user disconnects, we don't want username to be cached and we want them to be prompted for credentials every time (so no cookie configurations).
The issue/behavior experienced is the user is prompted for username/password twice (even when entered correctly on first prompt) and then once for DUO. Everything works well, but just need to know why they are being prompted for username/password twice, again, with the expected behavior to not store any credentials or username. Any thoughts/ideas (happens for Windows and Mac clients) and thanks in advance?
App Version: 6.2.1-132
10-16-2024 03:56 PM
Hi @andreking ,
That is strange. I had almost the exact setup as you for a long time with Duo RADIUS on the portal and LDAP on the gateway. It worked fine. I have also configured Duo RADIUS for both portal and gateway and eliminated the double Duo prompt by using authentication cookies. If you set the portal to generate cookie only (and the gateway to accept only), the portal will always prompt for creds.
As you mentioned, the portal does send the creds to the gateway (see URL under Cause). Entering them twice is not expected. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQXCA0
I assume that your Duo Authentication Proxy (DAP) is pointed to the same LDAP as your portal, and that the passwords are the same. So, you should not be running into the problem above. The logs on the DAP could give you more insight into what is happening.
Although Duo says to configure the RADIUS timeout to 30 seconds, 60 seconds has worked best for me. That was recommended by Duo TAC. https://duo.com/docs/paloalto#configure-your-palo-alto-globalprotect-gateway
Thanks,
Tom